By NHI Mgmt Group Editorial Team
Published 2026-05-11
Domain: Governance & Risk
Source: Arkose Labs

TL;DR: Phishing remains the most common cybercrime, with 3.4 billion spam emails sent daily, and 92% of businesses say they have still received at least one compromised email, according to Arkose Labs and cited security reporting. Reverse-proxy phishing kits now harvest MFA tokens and session cookies in transit, which means authentication controls alone are no longer enough.


At a glance

What this is: An analysis of how phishing kits, reverse proxies, and session theft undermine login security.

Why it matters: IAM teams must treat phishing as a workflow and session problem, not just an email or password problem, because MFA tokens and session cookies can be stolen in transit.

By the numbers:

  • 3.4 billion spam emails are sent every day.
  • 92% of businesses say they have still received at least one compromised email.

Source: Arkose Labs' analysis of phishing kits, MITM proxies, and MFA theft.


Context

Phishing has become a control-path problem, not just a messaging problem. Attackers now use prepacked kits and reverse-proxy tooling to intercept credentials, MFA tokens, and session cookies after a user follows a malicious link, which means the real failure point is often the authentication journey rather than the inbox.

For IAM and security teams, that shifts the discussion toward session integrity, adaptive challenge response, and abuse-resistant login flows. In human identity programmes, the question is no longer whether MFA exists, but whether the authentication stack can still distinguish a real user from a proxied session.


Key questions

Q: How should security teams defend against phishing kits that steal MFA tokens and cookies?

A: Security teams should defend by adding controls that evaluate the login transaction itself, not just the password or one-time code. Use adaptive challenges, session integrity checks, and proxy detection so the attacker cannot complete the flow with harvested artefacts. The goal is to stop token replay before the session is accepted as legitimate.

Q: Why do phishing kits still bypass MFA in real environments?

A: Phishing kits bypass MFA when they proxy a real user session and capture the MFA result plus the session cookie in transit. In that model, MFA confirms the victim’s interaction, but it does not prove the session is authentic. Organisations need controls that bind the session to the genuine site and block proxy completion.

Q: How do you know if your phishing controls are actually working?

A: You know they are working if reverse-proxy campaigns fail to complete authentication, suspicious hostnames are flagged before login finishes, and harvested tokens cannot be reused successfully. Measure whether suspicious sessions are stopped inside the transaction path, not only whether malicious emails are filtered earlier in the chain.

Q: Who is accountable when phishing leads to session hijacking?

A: Accountability sits with the identity and security teams that own the authentication journey, not just email security. If phishing kits can reuse MFA artefacts and cookies, the control gap is in session assurance and transaction design. That makes authentication governance a shared responsibility across IAM, fraud, and application security.


Technical breakdown

Phishing kits and campaign automation

Modern phishing kits package the infrastructure needed to run attacks at scale. They include email templates, fake landing pages, credential collection endpoints, and domain rotation tactics that help attackers evade filters and blocklists. Phishing-as-a-Service models take this further by giving operators dashboards, subscriptions, and campaign tooling, turning credential theft into an operational service. The result is faster campaign setup, more consistent lures, and lower attacker skill requirements. The technical issue for defenders is that the attack surface now spans mail, web, and identity workflows at once.

Practical implication: treat phishing as an identity abuse workflow and instrument both email and authentication layers for abuse signals.

Reverse proxy phishing and MFA token theft

Man-in-the-middle (adversary-in-the-middle) phishing toolkits sit between the victim and the real service, proxying the session while capturing MFA tokens and cookies in transit. Because the victim sees a real-looking site and the upstream service still receives a valid login flow, traditional password checks and any MFA method whose proof can be relayed (one-time codes, push approvals) do not stop the theft; only authenticators that bind the proof to the genuine origin, such as FIDO2/WebAuthn, fail to verify through the proxy. Toolkits such as Evilginx, Modlishka, and EvilProxy rely on session replay rather than password cracking. That makes the session artefact, not just the credential, the attacker's goal.

Practical implication: harden login flows against token replay and require controls that bind the session to the genuine origin.
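The following simulation is an added example, not code from Arkose Labs or NHIMG, and it also walks the three steps of the threat narrative below. It models a genuine service, a victim, and a relaying proxy in memory (no network, no real phishing kit). The same proxy is run against a TOTP second factor, whose code can be relayed, and against an origin-bound second factor standing in for a FIDO2/WebAuthn credential, which signs the server challenge together with the origin the browser actually loaded. The WebAuthn signature is replaced by an HMAC over a per-device secret so the script needs only the standard library; the hostnames, usernames and secrets are assumed values.

```python
"""Adversary-in-the-middle phishing relayed against two second-factor designs.
Added example, not code from Arkose Labs or NHIMG: an in-memory model with no
network and no real WebAuthn library. The origin-bound factor stands in for a
FIDO2/WebAuthn credential, which signs the server challenge together with the
origin the browser actually loaded; here that is an HMAC over a per-device
secret so only the standard library is needed. Names and secrets are assumed."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example.com"       # assumed genuine site
PHISH_ORIGIN = "https://login.example-sso.net"  # assumed attacker proxy host
TOTP_SECRET, DEVICE_SECRET = b"totp-seed", b"device-key"  # victim's enrolled secrets
TIME_STEP = 57_000_000  # clock frozen (unix seconds // 30) so TOTP codes are deterministic


def totp(secret, step=TIME_STEP):
    """Toy TOTP: six digits from HMAC(secret, time step). Nothing ties it to a site."""
    digest = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def assertion(device_secret, challenge, origin_seen):
    """Stand-in for a WebAuthn assertion: the browser signs challenge AND origin."""
    return hmac.new(device_secret, f"{challenge}|{origin_seen}".encode(), hashlib.sha256).digest()


class Service:
    """The genuine site: password check, challenge, second factor, session cookie."""
    def __init__(self, users):
        self.users = users  # user -> {"pw", "totp", "dev"}
        self.challenges, self.sessions = {}, set()

    def start_login(self, user, password):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u["pw"], password):
            return None
        challenge = secrets.token_hex(16)
        self.challenges[challenge] = user
        return challenge

    def finish_totp(self, challenge, code):
        """A relayed TOTP code verifies: it carries no notion of where it was typed."""
        user = self.challenges.pop(challenge, None)
        if user is None or not hmac.compare_digest(totp(self.users[user]["totp"]), code):
            return None
        return self._mint()

    def finish_origin_bound(self, challenge, sig):
        """Recompute the assertion over OUR origin; one made for another origin never matches."""
        user = self.challenges.pop(challenge, None)
        if user is None:
            return None
        expected = assertion(self.users[user]["dev"], challenge, REAL_ORIGIN)
        return self._mint() if hmac.compare_digest(expected, sig) else None

    def _mint(self):
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def is_valid_session(self, cookie):
        return cookie in self.sessions


class ReverseProxy:
    """Attacker's kit: relays each step upstream and keeps a copy of everything
    that passes through, including the session cookie the service mints."""
    def __init__(self, upstream):
        self.upstream, self.captured = upstream, {}

    def start_login(self, user, password):
        self.captured.update(user=user, password=password)
        return self.upstream.start_login(user, password)

    def finish_totp(self, challenge, code):
        self.captured["totp"] = code
        self.captured["cookie"] = self.upstream.finish_totp(challenge, code)
        return self.captured["cookie"]

    def finish_origin_bound(self, challenge, sig):
        self.captured["assertion"] = sig
        self.captured["cookie"] = self.upstream.finish_origin_bound(challenge, sig)
        return self.captured["cookie"]


def new_service():
    return Service({"alice": {"pw": "correct horse", "totp": TOTP_SECRET, "dev": DEVICE_SECRET}})


def totp_login_via_proxy():
    """Victim enters password + TOTP on the phishing host. True if the attacker's
    proxy ends up holding a cookie the genuine service accepts."""
    svc = new_service()
    proxy = ReverseProxy(svc)
    challenge = proxy.start_login("alice", "correct horse")
    proxy.finish_totp(challenge, totp(TOTP_SECRET))
    return svc.is_valid_session(proxy.captured["cookie"])


def origin_bound_login(origin_seen, via_proxy):
    """Origin-bound second factor; the browser signs for origin_seen, the origin it
    loaded. True if whoever completes the flow gets a cookie the service accepts."""
    svc = new_service()
    site = ReverseProxy(svc) if via_proxy else svc
    challenge = site.start_login("alice", "correct horse")
    cookie = site.finish_origin_bound(challenge, assertion(DEVICE_SECRET, challenge, origin_seen))
    return svc.is_valid_session(cookie)
```

Calling `totp_login_via_proxy()` returns True: the service verified a correct password and a correct code, yet the only party holding the resulting cookie is the proxy. `origin_bound_login(PHISH_ORIGIN, via_proxy=True)` returns False because the victim's browser signed for the phishing hostname and the service only accepts a signature over its own origin, while `origin_bound_login(REAL_ORIGIN, via_proxy=False)` returns True. The point is not the HMAC: it is that the proof of possession is bound to the origin at the browser, which is exactly what a relay cannot rewrite.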

Adaptive challenge response as an identity control

Adaptive challenge response works by inserting a verification step into login or registration flows before the attacker can complete the session. Unlike static CAPTCHA-style checks, it can evaluate signals from the interaction and refuse to issue the token the site expects when the traffic looks like a proxied or automated attack. That makes it harder for a reverse proxy to finish the flow even after credentials are entered. The important architectural point is that the control sits in the transaction path, not around it, so it can interrupt abuse before account takeover is complete.

Practical implication: place abuse detection in the auth transaction path so the attacker cannot complete the session with stolen tokens.


Threat narrative

Attacker objective: The attacker wants a live authenticated session that bypasses the protections normally expected from MFA.

  1. Entry begins when the victim clicks a malicious link and is routed to a lookalike phishing site controlled by a reverse proxy.
  2. Credential access occurs when the user enters a password and MFA code, which the proxy captures along with session cookies in transit.
  3. Impact follows when the attacker reuses the harvested session artefacts to complete the target-site transaction as the victim.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Session theft has become the real identity failure mode in phishing. The article shows that reverse proxies can preserve the appearance of a normal login while stealing the authentication artefacts that matter most. That means defenders who still judge phishing risk by credential compromise alone are measuring too early in the attack chain. Practitioners need to treat authenticated session abuse as the operational endpoint.

Phishing protection must sit inside the login workflow, not outside it. The article’s strongest signal is architectural: if the control only filters email or blocks URLs after the fact, the attacker can still proxy the session. Controls that require a site-issued token, inspect transaction signals, or stop the flow before session completion change the economics of the attack. Teams should place abuse resistance where the login is actually resolved.

Credential harvesting now blurs human identity and access-session governance. This is no longer just a user-awareness problem or a password problem. It becomes an access assurance problem when MFA tokens and cookies are reusable outside the original interaction. IAM leaders should reassess whether their assurance model survives token replay, not whether MFA is merely enabled.

Adaptive friction is now a security control, not a user-experience afterthought. Attackers depend on low-friction, high-conversion login flows. When verification steps are designed to trip reverse proxies and automated abuse without blocking legitimate users, they directly reduce attacker ROI. Practitioners should evaluate fraud-style controls as part of identity defence, not as a separate layer.

Identity blast radius: a stolen session can outlive the original credential event. The article makes clear that compromise is not limited to password theft. Once a valid session is hijacked, the attacker inherits the trust the site placed in the original user. The practical conclusion is that session governance now belongs in identity risk reviews alongside authentication policy.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • In the same study, 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, which is consistent with attack patterns that depend on reusable access artefacts.
  • For a broader control lens, review Ultimate Guide to NHIs, Key Challenges and Risks for the visibility and over-privilege issues that phishing-style session abuse also exploits.

What this signals

The governance lesson here is that identity teams need to treat session replay as a first-class access risk, especially where authentication funnels are designed for frictionless conversion. Controls that only see the credential event will miss the real compromise point.

Identity blast radius: once a session cookie is stolen, the attacker inherits the trust the application granted to the original user. That makes transaction-path detection and session-binding controls central to modern human identity governance, not optional hardening.

For teams formalising this work, the 52 NHI breaches analysis is useful for separating reusable credential exposure from broader access governance failures, especially when the same patterns appear across human, machine, and delegated access paths.


For practitioners

  • Harden login flows against token replay: Add controls that validate the authenticity of the session at login and registration time, not just the password or MFA step. Focus on mechanisms that can detect proxy behaviour and refuse to issue the expected session token when the interaction is suspicious.
  • Instrument authentication with abuse signals: Collect signals from device, session, hostname, and interaction patterns so reverse-proxy behaviour can be flagged before account takeover completes. Use those signals to trigger adaptive challenges or step-up checks inside the flow.
  • Review MFA assumptions for session integrity: Test whether your current MFA methods still protect against phishing kits that steal cookies and tokens in transit. Prioritise methods and policies that bind the authenticated session to the real origin rather than to a one-time code alone.
  • Place challenge controls at the point of transaction: Move fraud and bot-resistance controls into the login and registration workflow so the attacker cannot complete the transaction after harvesting credentials. This is especially important where session cookies are the real prize.
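As an added example of the instrumentation the second and fourth points describe (not Arkose Labs' or NHIMG's tooling), the script below scores authentication log records for two reverse-proxy indicators and names the sessions that should be stepped up or revoked inside the transaction path. The log lines are constructed for the example, and the field names (ts, event, user, sid, src_ip, ja3, origin), the 300-second window and the score threshold are assumptions to be mapped onto your own IdP or WAF schema.

```python
"""Transaction-path detection of proxied logins and replayed session cookies.
Added example, not Arkose Labs' or NHIMG tooling. The log records are
constructed for this example and the field names (ts, event, user, sid,
src_ip, ja3, origin) are assumed; map them onto your own IdP or WAF schema.
Indicators scored per session:
  1. the password POST carried an Origin that is not the genuine host
     (weak: mature kits rewrite this header, so it only adds weight);
  2. a session that completed MFA from one TLS fingerprint/IP is used from
     another one soon afterwards: the cookie was minted to the proxy's TLS
     client and then imported into the attacker's own browser."""

GENUINE_ORIGIN = "https://login.example.com"  # assumed genuine login host
REPLAY_WINDOW_S = 300  # assumed: a client change this soon after MFA is suspicious
STEP_UP_SCORE = 2      # assumed: score at which the session is challenged or revoked

# Constructed sample log: S1 is a proxied login whose cookie is replayed, S2 is normal.
SAMPLE_LOG = [
    {"ts": 1000, "event": "login_password", "user": "alice", "src_ip": "203.0.113.10",
     "ja3": "f1-proxy-client", "origin": "https://login.example-sso.net"},
    {"ts": 1003, "event": "mfa_ok", "user": "alice", "sid": "S1",
     "src_ip": "203.0.113.10", "ja3": "f1-proxy-client"},
    {"ts": 1040, "event": "request", "sid": "S1",
     "src_ip": "198.51.100.7", "ja3": "f2-attacker-browser"},
    {"ts": 2000, "event": "login_password", "user": "bob", "src_ip": "192.0.2.5",
     "ja3": "f3-bob-browser", "origin": GENUINE_ORIGIN},
    {"ts": 2002, "event": "mfa_ok", "user": "bob", "sid": "S2",
     "src_ip": "192.0.2.5", "ja3": "f3-bob-browser"},
    {"ts": 2500, "event": "request", "sid": "S2",
     "src_ip": "192.0.2.5", "ja3": "f3-bob-browser"},
]


def score_sessions(log):
    """Return {sid: {"score": int, "reasons": [...]}} for every session that completed MFA."""
    foreign_origin = {}  # user -> Origin of a password POST that did not come from our host
    issued = {}          # sid -> (ts, src_ip, ja3) recorded when MFA completed
    result = {}
    for rec in sorted(log, key=lambda r: r["ts"]):
        ev = rec["event"]
        if ev == "login_password":
            # Real logs should correlate by login transaction id; keyed by user here.
            if rec.get("origin") != GENUINE_ORIGIN:
                foreign_origin[rec["user"]] = rec.get("origin")
        elif ev == "mfa_ok":
            sid = rec["sid"]
            issued[sid] = (rec["ts"], rec["src_ip"], rec["ja3"])
            result[sid] = {"score": 0, "reasons": []}
            if rec["user"] in foreign_origin:
                result[sid]["score"] += 1
                result[sid]["reasons"].append(
                    f"password submitted from foreign origin {foreign_origin[rec['user']]}")
        elif ev == "request" and rec["sid"] in issued:
            sid = rec["sid"]
            t0, ip0, ja3_0 = issued[sid]
            age = rec["ts"] - t0
            if age <= REPLAY_WINDOW_S and rec["ja3"] != ja3_0:
                result[sid]["score"] += 2  # strongest signal: a different TLS client
                result[sid]["reasons"].append(f"TLS fingerprint changed {age}s after MFA")
            if age <= REPLAY_WINDOW_S and rec["src_ip"] != ip0:
                result[sid]["score"] += 1  # weaker on its own: mobile networks re-address
                result[sid]["reasons"].append(f"source IP changed {age}s after MFA")
    return result


def sessions_to_interrupt(log, threshold=STEP_UP_SCORE):
    """Session ids to step up or revoke inside the transaction path, before the
    replayed cookie is treated as a normal authenticated user."""
    return {sid for sid, r in score_sessions(log).items() if r["score"] >= threshold}
```

On the sample log `sessions_to_interrupt(SAMPLE_LOG)` returns `{"S1"}`: the cookie minted to the proxy's TLS client was used 37 seconds later from a different fingerprint and address. Two limits matter in practice. If the attacker drives their own browser through the same kit, the fingerprint and address stay those of the proxy and this scoring sees nothing, which is why the signal at the MFA step itself (an origin-bound authenticator, or an adaptive challenge the proxy cannot answer) remains the primary control. And the preventive form of the same idea is to bind the cookie to these client attributes when it is issued rather than to score the replay after the fact.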

Key takeaways

  • Phishing kits now target the authenticated session, which means MFA alone does not close the identity gap.
  • The scale is already industrial, with billions of phishing emails a day and most businesses still seeing at least one compromised email.
  • Defenders need controls that interrupt proxy-based login abuse inside the transaction path, not after credentials have already been harvested.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-63 | SP 800-63B, verifier impersonation resistance | Phishing here exploits the limits of authentication assurance and session trust; SP 800-63B names the missing property verifier impersonation (phishing) resistance and requires it at AAL3.
NIST CSF 2.0 | PR.AA-01 | Access authentication and verification are directly affected by proxy-based phishing.
NIST Zero Trust (SP 800-207) | (none cited) | Reverse-proxy phishing breaks trust in session origin, a core zero-trust concern.

Validate every authentication transaction and do not trust the session after MFA alone.


Key terms

  • Reverse-Proxy Phishing: A phishing method where an attacker places a proxy between the victim and the real service to relay the login flow in real time. The proxy captures credentials, MFA results, and session cookies, making the session appear legitimate while the attacker steals the usable authentication artefacts.
  • Session Cookie Theft: The capture of browser session data that proves an already authenticated user. Once stolen, the cookie can let an attacker impersonate the victim without repeating the login step, which makes session assurance and replay resistance critical to identity security.
  • Adaptive Challenge Response: A dynamic verification control that adds friction when a login or registration attempt looks suspicious. It uses interaction and risk signals to decide whether to let the session continue, which makes it useful against automated or proxy-based abuse that can bypass static checks.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Arkose Labs: analysis of phishing kits, reverse proxies, and phishing protection. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org