TL;DR: AI has compressed the lifetime of phishing infrastructure and accelerated kit reuse. According to Push Security, 89% of phishing domains now disappear within two days and only 6.5% survive past 15 days; the practical result is that blocklists and tool signatures lose durability faster than defenders can refresh them. Technique-level detection, backed by browser visibility and faster research cycles, is the one layer that remains structurally resilient.
NHIMG editorial — based on content published by Push Security: AI is accelerating the collapse of indicator-based threat detection
By the numbers:
- 89% of phishing domains are active for fewer than two days, with just 6.5% surviving past 15 days.
- The most common AiTM kit detected over the last year was Tycoon 2FA, accounting for 59% of detections.
- Push Security reported a 37.5x increase in device code phishing detections this year alone.
Questions worth separating out
Q: How should security teams detect phishing when domains rotate quickly?
A: They should key detections on the technique, meaning the page mechanics and the identity flow being abused, rather than on the domain, which will typically have rotated before a blocklist entry is distributed.
Q: Why do indicator-based detections fail against modern identity attacks?
A: They fail because the indicators are disposable: domains, hashes and kit fingerprints are generated and discarded faster than they can be shared, ingested and deployed.
Q: What do security teams get wrong about kit-based phishing detection?
A: They often treat the kit name as the control boundary, but kits are now forked, mutated, and repackaged too quickly for that to be reliable.
Practitioner guidance
- Shift coverage from indicators to behaviours: prioritise detections that key off page mechanics, interaction sequences, redirect behaviour, and protocol abuse rather than domains, hashes, or static kit fingerprints.
- Instrument browser-visible identity flows: use telemetry that can observe the full browsing session, including render events, DOM activity, credential prompts, and token exchange patterns that network tools cannot see.
- Build a fast-cycle detection research pipeline: treat detection engineering as continuous research so new techniques can be validated and deployed before they are commoditised across multiple kits.
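The three points above can be made concrete with a small detection harness. The following is an added example, not Push Security's code: it runs a domain-blocklist rule and three technique rules (AiTM credential harvest, device code phishing, ClickFix-style clipboard commands) over constructed browser telemetry, with the same kit deployed on two throwaway domains, and then checks which rules still fire after the domain rotates. The event shapes (`form_render`, `text`, `clipboard_write`), the trusted-IdP allow-list, the rule names and the sample domains are all assumptions for illustration.

```javascript
// Added example: indicator-based vs technique-based detection over constructed
// browser telemetry. Not Push Security's code; event shapes, allow-list, rule
// names and sample domains are assumptions for illustration.

// Origins where a credential prompt is expected (assumed allow-list).
const TRUSTED_IDP_ORIGINS = new Set([
  "https://login.microsoftonline.com",
  "https://login.live.com",
  "https://accounts.google.com",
]);

// Real device-login entry points an attacker sends the victim to (assumed list).
const DEVICE_LOGIN_URLS = ["microsoft.com/devicelogin", "login.microsoftonline.com/common/oauth2/deviceauth"];

const origin = (url) => new URL(url).origin;

// Indicator-based rule: fires only when the page hostname is on a blocklist.
function indicatorRule(session, blocklist) {
  return blocklist.has(new URL(session.url).hostname);
}

// Technique-based rules: key off page mechanics and identity-flow abuse, not the domain.
const TECHNIQUE_RULES = [
  {
    name: "aitm_credential_harvest",
    // An IdP-styled password form rendered on an origin that is not the IdP is
    // AiTM mechanics whatever domain the proxy happens to be using today.
    match(s) {
      if (TRUSTED_IDP_ORIGINS.has(origin(s.url))) return false;
      return s.events.some(
        (e) => e.type === "form_render" && e.hasPasswordField && /sign in/i.test(e.title || "")
      );
    },
  },
  {
    name: "device_code_phishing",
    // A non-IdP page instructs the user to visit the real device-login URL and
    // enter a code: the code was minted by the attacker's own auth request.
    match(s) {
      if (TRUSTED_IDP_ORIGINS.has(origin(s.url))) return false;
      return s.events.some(
        (e) =>
          e.type === "text" &&
          DEVICE_LOGIN_URLS.some((u) => e.content.includes(u)) &&
          /\b[A-Z0-9]{8,9}\b/.test(e.content) // code-shaped token in the lure text
      );
    },
  },
  {
    name: "clickfix_clipboard_command",
    // Page writes a shell command to the clipboard and tells the user to run it.
    match(s) {
      const wroteCommand = s.events.some(
        (e) => e.type === "clipboard_write" && /^(powershell|cmd|mshta|curl|bash)\b/i.test(e.content.trim())
      );
      const askedToRun = s.events.some(
        (e) => e.type === "text" && /win\s*\+\s*r|paste.*(run|terminal)/i.test(e.content)
      );
      return wroteCommand && askedToRun;
    },
  },
];

// Run every rule over every session; returns { ruleName: [sessionIds that fired] }.
function evaluate(sessions, blocklist) {
  const hits = { domain_blocklist: [] };
  for (const r of TECHNIQUE_RULES) hits[r.name] = [];
  for (const s of sessions) {
    if (indicatorRule(s, blocklist)) hits.domain_blocklist.push(s.id);
    for (const r of TECHNIQUE_RULES) if (r.match(s)) hits[r.name].push(s.id);
  }
  return hits;
}

// Durability check: for each rule that fired on the first wave, did it still
// fire once the same kit was redeployed on fresh infrastructure?
function survivesRotation(hits, firstWaveIds, secondWaveIds) {
  const out = {};
  for (const [rule, ids] of Object.entries(hits)) {
    if (!firstWaveIds.some((id) => ids.includes(id))) continue; // never covered wave 1
    out[rule] = secondWaveIds.some((id) => ids.includes(id));
  }
  return out;
}

// Constructed telemetry: one AiTM kit on two throwaway domains, a device-code
// lure, a ClickFix lure, and a benign login on the real IdP.
function kitSession(id, host) {
  return {
    id,
    url: `https://${host}/common/oauth2/authorize`,
    events: [{ type: "form_render", hasPasswordField: true, title: "Sign in to your account" }],
  };
}
const SESSIONS = [
  kitSession("wave1", "login-msft-secure.example"),
  kitSession("wave2", "auth-verify-365.example"),
  { id: "devcode", url: "https://docs-share.example/view",
    events: [{ type: "text", content: "To open the file, go to https://microsoft.com/devicelogin and enter code HJ7K2PQ9M" }] },
  { id: "clickfix", url: "https://captcha-check.example/verify",
    events: [
      { type: "clipboard_write", content: 'powershell -w hidden -c "<stage-two>"' },
      { type: "text", content: "Press Win + R, paste the verification command, and press Enter" },
    ] },
  { id: "benign", url: "https://login.microsoftonline.com/common/oauth2/authorize",
    events: [{ type: "form_render", hasPasswordField: true, title: "Sign in to your account" }] },
];

// Blocklist refreshed after wave 1 only; the wave 2 domain is not on it yet.
const BLOCKLIST = new Set(["login-msft-secure.example"]);

const HITS = evaluate(SESSIONS, BLOCKLIST);
console.log(JSON.stringify(HITS, null, 2));
console.log(JSON.stringify(survivesRotation(HITS, ["wave1"], ["wave2"]), null, 2));
```

The blocklist rule catches `wave1` and nothing else; the AiTM rule catches both waves and ignores the benign login because the origin check comes first. The `survivesRotation` report is the measurement a programme should track: a rule whose coverage drops to zero when only the domain changes is indicator-led, however it is labelled.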
What's in the full article
Push Security's full research covers the operational detail this post intentionally leaves for the source:
- Browser-level examples of how device code phishing, ClickFix, and ConsentFix are detected in practice
- The specific attack flow patterns used to identify kit behaviour rather than domain reputation
- Operational examples of how Push Security maps page mechanics to durable detections
- The research pipeline details behind rapid technique discovery and deployment
👉 Read Push Security's analysis of how AI is changing technique-level detection →
Explore further
Technique-level detection vs indicators: what has changed for defenders?
Technique-level detection is now the only durable control plane for browser-based identity attacks. When infrastructure can be generated and discarded at machine speed, indicator-based detection loses structural value before it reaches operational maturity. The field needs to stop treating domains and hashes as the primary defence surface and start treating attacker behaviour as the control target. Practitioners should therefore re-centre detection strategy on techniques that survive infrastructure churn.
A few things that frame the scale:
- 89% of phishing domains are active for fewer than two days, with just 6.5% surviving past 15 days, according to The 52 NHI breaches Report.
- In our research, 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% having no or low visibility and 47% only partial visibility.
A question worth separating out:
Q: How can organisations measure whether technique-level detection is working?
A: They should measure how quickly novel abuse patterns move from first observation to production detection, and whether those detections still hold after infrastructure rotation. If coverage drops when the attacker changes domains or frontend code, the programme is still indicator-led rather than technique-led.
👉 Read our full editorial: Technique-level detection is overtaking indicator-based threat hunting