By NHI Mgmt Group Editorial Team
Published 2026-06-07
Domain: Breaches & Incidents
Source: Abnormal AI

TL;DR: An AiTM phishing-as-a-service kit paired with cloaking can steal session cookies, bypass MFA, and make automated URL analysis return clean but misleading results, according to Abnormal AI’s analysis of Blacksite; the service is sold with pricing, capacity slots, and buyer reviews, which lowers the attacker skill bar. Clean scanner verdicts must now be treated as inconclusive, not safe.


At a glance

What this is: This analysis shows how Blacksite combines AiTM phishing with cloaking to steal sessions while hiding malicious pages from automated scanners.

Why it matters: It matters because identity teams must defend the authentication message, the session, and the detection pipeline, not just the login factor.

By the numbers:

  • Blacksite is offered at $600 to $1,000 per month, with seven of twenty slots already filled.
  • The cloaked.gg visitor-capture view showed 3,946 requests, with 326 bots blocked and 101 IP addresses auto-blocked.

👉 Read Abnormal AI's analysis of Blacksite, AiTM phishing, and cloaking


Context

AiTM phishing is a reverse-proxy attack pattern in which the attacker sits between the user and the real login page, capturing credentials, session cookies, and one-time codes as they pass through. The governance problem for IAM teams is not just phishing resistance, but the fact that a valid session can be stolen after MFA has already succeeded.

Blacksite matters because it pairs that session hijacking workflow with cloaking, which means automated URL checks can be shown decoys while real targets are sent to the phishing page. For identity and access programmes, that turns a clean verdict into a weak signal and pushes detection upstream into message analysis, session behaviour, and response to post-authentication anomalies.


Key questions

Q: How should security teams respond when a phishing URL scans clean?

A: They should treat the result as inconclusive until they know how the scan was performed and whether cloaking or fingerprint checks could have altered what the scanner saw. A clean verdict only proves one path into the page was not exposed. Combine link analysis with message review, user-context checks, and post-authentication monitoring.

Q: Why do AiTM phishing kits still succeed against MFA?

A: AiTM kits succeed because they capture the authenticated session, not just the password. If the attacker can intercept the one-time code and the session cookie during login, MFA has already done its job and the cookie becomes the reusable credential. Defenders therefore need controls that watch for session replay and token abuse after sign-in.

Q: What do identity teams get wrong about phishing-resistant controls?

A: They often focus on the login ceremony and forget that compromise can happen immediately after authentication. Stronger factors reduce password replay, but they do not eliminate session hijacking if the browser session itself is stolen. Identity teams should pair phishing-resistant authentication with session telemetry and fast revocation.

Q: How can organisations reduce account takeover risk from reverse-proxy phishing?

A: They should reduce the value of stolen sessions by tightening device binding, shortening session lifetime where appropriate, enforcing re-authentication for sensitive actions, and revoking suspicious sessions when behaviour changes. The goal is to make cookie replay less durable and more detectable across the identity stack.


Technical breakdown

How AiTM reverse proxies capture MFA-protected sessions

An adversary-in-the-middle kit proxies the victim’s browser to the real login service, so authentication still appears legitimate to the user and the target application. The attacker can capture usernames, passwords, one-time 2FA codes, tokens, and session cookies as the browser exchanges them. The session cookie is the most valuable artefact because it represents an already authenticated state, which is why MFA alone does not stop this pattern. Once the cookie is replayed, the attacker inherits the user’s session without needing to repeat the login flow.

Practical implication: treat valid post-authentication sessions as an asset to monitor, not a guarantee of trust.

Why cloaking defeats URL scanners and sandbox detonation

Cloaking infrastructure classifies incoming traffic by ASN, TLS fingerprint, referrer, browser characteristics, and other signals, then decides whether to show a decoy, block the request, or forward it to the live page. In Blacksite’s case, cloud and security analysis sources can be filtered away while residential-looking traffic reaches the phishing site. That means automated detonation sees a harmless page, a 403, or a benign storefront, while the intended target sees the real lure. The result is split-view delivery that undermines single-signal URL reputation workflows.

Practical implication: combine pre-click message inspection with post-click identity telemetry instead of relying on URL verdicts alone.
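The triage rule the two paragraphs above argue for, as an added example that is not part of the Abnormal AI analysis or this post: a single scanner's "clean" result is only promoted to a corroborated verdict when independent vantage points saw the same page; a blocked cloud vantage, vantage-dependent content, or a vantage-dependent redirect target downgrades it to "inconclusive". The vantage labels, status codes and page bodies are constructed sample data, not real observations.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ScanObservation:
    vantage: str     # "cloud_sandbox", "residential", "mobile" (constructed labels)
    status: int      # HTTP status that vantage received
    final_url: str   # where the redirect chain ended for that vantage
    body: str        # page body as that vantage saw it


def body_hash(body: str) -> str:
    return hashlib.sha256(body.encode()).hexdigest()[:16]


def triage_url_verdict(scanner_verdict: str, observations: list[ScanObservation]):
    """Combine one scanner's verdict with cross-vantage consistency checks.
    A 'clean' verdict is corroborated only when every vantage saw the same page."""
    cloud = [o for o in observations if o.vantage == "cloud_sandbox"]
    other = [o for o in observations if o.vantage != "cloud_sandbox"]
    indicators = []
    # Cloud/security vantage blocked or fed a decoy while user-like vantages get content.
    if any(o.status != 200 for o in cloud) and any(o.status == 200 for o in other):
        indicators.append("cloud vantage blocked while user-like vantage served content")
    cloud_pages = {body_hash(o.body) for o in cloud if o.status == 200}
    other_pages = {body_hash(o.body) for o in other if o.status == 200}
    if cloud_pages and other_pages and not (cloud_pages & other_pages):
        indicators.append("different page content by vantage (split-view delivery)")
    if len({o.final_url for o in observations}) > 1:
        indicators.append("vantage-dependent redirect target")
    if scanner_verdict == "malicious":
        return "malicious", indicators
    if indicators:
        return "inconclusive", indicators
    if len({o.vantage for o in observations}) < 2:
        return "inconclusive", ["single vantage only: clean result covers one path into the page"]
    return "clean-corroborated", indicators


# Constructed sample: the sandbox got a 403 while the residential vantage got a login-shaped page.
SAMPLE_OBSERVATIONS = [
    ScanObservation("cloud_sandbox", 403, "https://example.invalid/", "Forbidden"),
    ScanObservation("residential", 200, "https://example.invalid/login", "<form>Sign in to continue</form>"),
]


def triage_sample():
    return triage_url_verdict("clean", SAMPLE_OBSERVATIONS)
```

Feeding the same URL to a second, non-cloud vantage is what turns "not detected" into something the function can actually corroborate.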

Why productized phishing lowers the attacker skill bar

Blacksite is not just a kit; it is a commercial service with pricing, capacity limits, and a paired anti-detection layer. That matters because the operator no longer needs to build infrastructure from scratch or understand every evasive control in depth. Productization turns sophisticated tradecraft into an on-ramp for less capable actors while preserving high-impact session theft. The enterprise consequence is wider adoption of the same attack pattern across more campaigns, more infrastructure, and more target types, including corporate SSO flows.

Practical implication: assume AiTM capability is becoming more accessible and tune controls for scale, not novelty.


Threat narrative

Attacker objective: The attacker wants authenticated account access that survives MFA and enables session hijacking, internal access, or further fraud.

  1. Entry occurs when the victim follows a phishing lure to a reverse-proxy login page that mirrors the real service.
  2. Credential access happens in real time as the proxy captures passwords, one-time codes, authentication tokens, and session cookies during sign-in.
  3. Impact follows when the attacker reuses the stolen session cookie to bypass MFA and take over the authenticated account.



NHI Mgmt Group analysis

Clean URL verdicts are no longer sufficient evidence of safety. Blacksite shows that the detonation environment itself can be manipulated, so a benign scan result may reflect cloaking logic rather than harmless content. The governance mistake is treating scanner output as a final decision instead of one input among several. Practitioners should read clean verdicts as provisional when cloaking indicators are present.

Session cookies have become the real prize in modern phishing. Once MFA is completed, the attacker does not need the password again if the authenticated cookie is stolen mid-session. That means identity assurance is being broken after the login event, which is why post-authentication monitoring belongs in the identity programme, not only in email or web filtering. IAM teams need to treat session replay as a core account takeover path.

Productized AiTM changes the threat model from bespoke tradecraft to repeatable service. When phishing kits are sold with billing, support, and capacity slots, attacker capability scales faster than defender tuning cycles. That expands exposure across corporate SSO and consumer identity alike, and it makes assumption-driven controls around trusted login flows less reliable. The implication is that identity governance has to assume commoditized adversary tooling.

Identity verification controls designed for the start of authentication do not govern what happens after token issuance. Those controls assume sessions stay bound to the original browser, network, and user intent. That assumption fails when the actor can proxy the login in real time and reuse the cookie from a different context. The implication is that post-login trust cannot be inferred from a successful MFA event alone.

Named concept: clean verdict inconclusiveness. A clean automated scan result should be treated as inconclusive, not as a safety signal, when cloaking infrastructure can selectively hide the true destination. That concept matters because many security workflows still collapse “not detected” into “safe enough.” Practitioners should reframe detection confidence around what the scanner could not see.


What this signals

Clean-verdict dependence will become a governance liability. As cloaking and fingerprinting improve, teams will need to separate scan confidence from actual risk and feed both into phishing response. The practical shift is toward message-level inspection, identity-aware telemetry, and stronger session governance across the access lifecycle.

With 70% of organisations already granting AI systems more access than they would give a human employee performing the exact same job, per the 2026 Infrastructure Identity Survey, the same access discipline that matters for machines will increasingly matter for users whose sessions can be replayed or proxied. Identity teams should expect attackers to exploit whichever trust boundary is easiest to inherit.

Clean verdict inconclusiveness: when a scanner cannot see the real page, the programme should not promote the result to a safe decision. That means your phishing controls need a second layer of judgment built around authentication behaviour, session reuse, and rapid containment.


For practitioners

  • Treat clean URL verdicts as provisional: when a link is delivered through unfamiliar infrastructure, classify a clean scan as inconclusive if the page is cloaked, fingerprinted, or selectively blocked for cloud sources.
  • Inspect message context before user interaction: prioritise pre-click analysis of sender reputation, lure language, domain age, and redirect behaviour, because cloaking can hide the live page from sandbox detonation.
  • Monitor post-authentication session behaviour: flag impossible geography, rapid cookie reuse, browser fingerprint shifts, and unusual session continuity after MFA success, because stolen cookies are the decisive artefact in AiTM attacks.
  • Harden identity flows against replay and token theft: use phishing-resistant authentication, conditional controls that assess device and session context, and session revocation playbooks that can terminate suspicious authenticated access quickly.

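The post-authentication monitoring that the "Technical breakdown" and the practitioner bullets above call for, as an added example that is not code from this post or from Abnormal AI: each event on an established session is compared with the context in which MFA completed, and a fingerprint shift, a country change inside a short window, or a move from a residential to a hosting ASN produces an alert that a revocation playbook can act on. The events, ASN labels, fingerprints and the 30-minute threshold are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SessionEvent:
    session_id: str     # identifier derived from the session cookie, never the cookie value itself
    user: str
    ts: datetime
    asn_type: str       # "residential" or "hosting" (constructed label; would come from an IP/ASN feed)
    country: str
    fingerprint: str    # hash of browser/TLS characteristics captured at sign-in
    mfa_completed: bool = False


TRAVEL_WINDOW = timedelta(minutes=30)   # illustrative threshold for a country change


def detect_session_replay(events):
    """Compare every post-authentication event with the context the session was issued in.
    Returns (session_id, user, timestamp, reasons) for events that look like cookie reuse elsewhere."""
    alerts = []
    issued = {}  # session_id -> the MFA-completed event that established the session
    for ev in sorted(events, key=lambda e: e.ts):
        origin = issued.get(ev.session_id)
        if origin is None:
            if ev.mfa_completed:
                issued[ev.session_id] = ev
            continue
        reasons = []
        if ev.fingerprint != origin.fingerprint:
            reasons.append("browser fingerprint shift")
        if ev.country != origin.country and ev.ts - origin.ts < TRAVEL_WINDOW:
            reasons.append("impossible geography")
        if origin.asn_type == "residential" and ev.asn_type == "hosting":
            reasons.append("session moved to hosting ASN")
        if reasons:
            alerts.append((ev.session_id, ev.user, ev.ts, reasons))
    return alerts


def sessions_to_revoke(alerts):
    """Feed for a revocation playbook: every session with at least one replay indicator."""
    return sorted({a[0] for a in alerts})


# Constructed sample: alice completes MFA at home, then the same cookie appears from a hosting ASN abroad.
T0 = datetime(2026, 6, 1, 9, 0)
SAMPLE_EVENTS = [
    SessionEvent("s-alice", "alice", T0, "residential", "DE", "fp-a", mfa_completed=True),
    SessionEvent("s-alice", "alice", T0 + timedelta(minutes=4), "hosting", "NL", "fp-b"),
    SessionEvent("s-bob", "bob", T0, "residential", "DE", "fp-c", mfa_completed=True),
    SessionEvent("s-bob", "bob", T0 + timedelta(minutes=15), "residential", "DE", "fp-c"),
]
```

In production the origin context would come from the identity provider's sign-in log and the thresholds would be tuned per population; the point is that the check runs on the session, after MFA has already succeeded.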
Key takeaways

  • Blacksite demonstrates that MFA does not stop account takeover when attackers can intercept the live session and reuse the resulting cookie.
  • Cloaking infrastructure can make automated URL analysis return clean or blocked results that are operationally misleading rather than reassuring.
  • Identity teams should shift from single-signal URL trust to layered controls that inspect the message, the session, and the behaviour after authentication.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | AiTM kits steal tokens and cookies, which maps directly to NHI credential abuse.
NIST CSF 2.0 | PR.AA-1 | Authentication assurance is relevant when MFA can still be bypassed through session theft.
NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires continuous verification after login, which AiTM attacks directly undermine.

Reduce token replay risk with tighter session controls, phishing-resistant auth, and faster revocation.


Key terms

  • Adversary-in-the-Middle Phishing: A phishing pattern where the attacker sits between the victim and the real service, relaying traffic in real time. The attacker captures credentials, one-time codes, and session artefacts during the live login flow, which lets MFA-protected sessions be hijacked after authentication completes.
  • Session Cookie Replay: The reuse of an authenticated session cookie by someone other than the original user. In identity governance terms, it means the login succeeded legitimately, but the trust boundary moved from authentication to session possession, making post-authentication monitoring and revocation central to defence.
  • Cloaking Infrastructure: A detection-evasion layer that shows different content depending on who visits the site. It can block cloud scanners, fingerprint security tools, and serve benign decoy pages while allowing real users through, which makes reputation-based verdicts unreliable when used alone.


This post draws on content published by Abnormal AI: Blacksite pairs AiTM phishing with cloaking to evade scanners. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org