TL;DR: Phishing remains the most common cybercrime, with 3.4 billion spam emails sent daily, while 92% of businesses say they have still received at least one compromised email, according to Arkose Labs and cited security reporting. Reverse-proxy phishing kits now harvest MFA tokens and session cookies in transit, which means authentication controls alone are no longer enough.
NHIMG editorial — based on content published by Arkose Labs: analysis of phishing kits, reverse proxies, and phishing protection
By the numbers:
- Google typically blocks around 100 million phishing emails daily.
- 92% of businesses report they have still received at least one compromised email.
Questions worth separating out
Q: How should security teams defend against phishing kits that steal MFA tokens and cookies?
A: Security teams should defend by adding controls that evaluate the login transaction itself, not just the password or one-time code.
Q: Why do phishing kits still bypass MFA in real environments?
A: Phishing kits bypass MFA when they proxy a real user session and capture the MFA result plus the session cookie in transit.
Q: How do you know if your phishing controls are actually working?
A: You know they are working if reverse-proxy campaigns fail to complete authentication, suspicious hostnames are flagged before login finishes, and harvested tokens cannot be reused successfully.
Practitioner guidance
- Harden login flows against token replay: add controls that validate the authenticity of the session at login and registration time, not just the password or MFA step.
- Instrument authentication with abuse signals: collect signals from device, session, hostname, and interaction patterns so reverse-proxy behaviour can be flagged before account takeover completes.
- Review MFA assumptions for session integrity: test whether your current MFA methods still protect against phishing kits that steal cookies and tokens in transit.
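As an added illustration of the three guidance points above (not code from Arkose Labs or from the source article), the sketch below evaluates the login transaction itself: it flags a hostname that does not match the legitimate login host, and it issues session tokens whose MAC covers a client binding value, so a cookie harvested in transit fails validation when replayed from a different client. The hostname is assumed to come from client-side telemetry rather than HTTP headers (a proxy can rewrite those), and the binding value is assumed to derive from a client-held secret the proxy cannot forward; the hostnames and key are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Constructed values for this example only: the legitimate login hostname and a
# server-side key used to bind issued session tokens to the presenting client.
EXPECTED_HOSTNAMES = {"login.example.com"}
SERVER_KEY = b"constructed-demo-key-replace-in-production"


@dataclass
class LoginAttempt:
    reported_hostname: str  # hostname seen by client-side code in the browser (assumed signal)
    client_binding: str     # derived from a client-held secret a proxy cannot forward (assumed)
    mfa_passed: bool


def flag_login(attempt: LoginAttempt) -> List[str]:
    """Evaluate the login transaction and return the reasons it should not complete."""
    reasons = []
    # A reverse proxy rewrites Host/Origin, so the check uses the client-reported hostname.
    if attempt.reported_hostname not in EXPECTED_HOSTNAMES:
        reasons.append("suspicious hostname")
    if not attempt.mfa_passed:
        reasons.append("mfa not completed")
    return reasons


def _mac(session_id: str, client_binding: str) -> str:
    msg = f"{session_id}|{client_binding}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_session(client_binding: str) -> str:
    """Issue a session token whose MAC covers the client binding value."""
    session_id = secrets.token_hex(16)
    return f"{session_id}.{_mac(session_id, client_binding)}"


def validate_session(token: str, client_binding: str) -> bool:
    """Accept the token only when presented with the binding it was issued for."""
    if token.count(".") != 1:
        return False
    session_id, mac = token.split(".")
    return hmac.compare_digest(mac, _mac(session_id, client_binding))


def complete_login(attempt: LoginAttempt) -> Optional[str]:
    """Return a bound session token, or None when the transaction is flagged."""
    if flag_login(attempt):
        return None
    return issue_session(attempt.client_binding)
```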
What's in the full article
Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of how MITM phishing kits mirror target sites and capture MFA tokens in transit
- Description of the login and registration workflow placement that makes the Arkose token check effective
- Examples of phishing kit features such as dynamic URLs, geo-blocking, and campaign dashboards
- Additional explanation of how the phishing detection and adaptive challenge response interact with suspicious traffic
Read Arkose Labs' full analysis of phishing kits, MITM proxies, and MFA theft: "Phishing kits and MITM proxies: are your controls keeping up?"
Explore further
Session theft has become the real identity failure mode in phishing. The article shows that reverse proxies can preserve the appearance of a normal login while stealing the authentication artefacts that matter most. That means defenders who still judge phishing risk by credential compromise alone are measuring too early in the attack chain. Practitioners need to treat authenticated session abuse as the operational endpoint.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- In the same study, 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, which is consistent with attack patterns that depend on reusable access artefacts.
A question worth separating out:
Q: Who is accountable when phishing leads to session hijacking?
A: Accountability sits with the identity and security teams that own the authentication journey, not just email security. If phishing kits can reuse MFA artefacts and cookies, the control gap is in session assurance and transaction design. That makes authentication governance a shared responsibility across IAM, fraud, and application security.
Read our full editorial: "Phishing kits are evolving faster than identity controls"