Browser-gated phishing panels: what they mean for IAM teams

TL;DR: Active phishing panels linked to ShinyHunters-style and BlackFile-associated campaigns combine vishing, AiTM phishing, and browser-gated credential capture across hundreds of domains, with public breaches already tied to stolen sessions and downstream SaaS access, according to Push Security. The core issue is that browser-mediated identity theft now bypasses email-centric controls and defeats assumptions that static infrastructure scanning can keep pace.

NHIMG editorial — based on content published by Push Security: an inside look at a phishing panel used in criminal campaigns

By the numbers:

• In total, we’ve identified over 400 domains linked to the attacks, giving an indication of the scale.

Questions worth separating out

Q: How should security teams defend against phishing panels that only reveal themselves to real victims?

A: Security teams should combine browser telemetry, behavioural page analysis, and identity controls that reduce the value of a live session.

Q: Why do browser-based AiTM attacks create more risk than password phishing alone?

A: AiTM attacks capture the full authenticated flow, including MFA responses and the resulting session.

Q: What do teams get wrong about detecting modern phishing infrastructure?

A: Many teams assume that malicious infrastructure can be found through static scanning or blocklists before it is used.

Practitioner guidance

• Prioritise browser-side attack detection Inspect rendered pages, redirects, form submission paths, and operator-gated content in real time.
• Harden against session relay, not only password theft Use phishing-resistant authentication where possible and add controls that reduce the value of a captured session, including step-up checks for sensitive SaaS actions and tighter token lifetimes.
• Map which applications trust the identity provider too broadly Inventory the SaaS platforms that can be reached after primary login and identify where a single stolen session can cascade into document access, messaging, or data export.

What's in the full article

Push Security's full analysis covers the operational detail this post intentionally leaves for the source:

• Technical indicators for Doko's Panel and its variants, including client-side request patterns and backend endpoint names
• Examples of the phishing infrastructure clusters, domain patterns, and hosting choices observed across campaigns
• Operator workflow details showing how victim submissions, redirects, and MFA capture were handled in real time
• The longer list of indicators of compromise and the browser-based detection considerations tied to them

👉 Read Push Security's analysis of active phishing panels used in browser-based identity theft →

Browser-gated phishing panels: what they mean for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →