As a SOC/DFIR Team Member, How To Investigate Phishing Kit Attacks

Phishing kit attacks have become a pervasive threat in cybersecurity landscapes, lowering the barrier to entry for cybercriminals and enabling even low-skilled actors to launch sophisticated campaigns.

These kits contain pre-built templates, data-harvesting scripts, and evasion tools designed to mimic legitimate services like Microsoft 365, banking platforms, or cloud providers.

For SOC and DFIR teams, investigating these attacks requires a blend of technical analysis and threat intelligence integration.

Modern phishing kits such as Tycoon2FA, Evilginx2, and Greatness employ advanced techniques like Adversary-in-the-Middle (AiTM) attacks to bypass multi-factor authentication (MFA) and steal session cookies.

Example of a Greatness phishkit attack analyzed in ANY.RUN’s Interactive Sandbox (Source – Any.run)

For example, Tycoon2FA operators abuse Cloudflare Workers to host malicious login pages that dynamically adapt to targets, while tools like BulletProofLink reuse stolen credentials for downstream attacks.

Security analysts at Any.run noted that these kits often leave distinct indicators of compromise (IoCs), including domain patterns, HTTP request anomalies, and specific Suricata rule triggers.

Leveraging Threat Intelligence Lookup for Phishing Kit Analysis

A critical methodology for investigating phishing kit attacks involves using Threat Intelligence (TI) Lookup tools like ANY.RUN’s platform, which aggregates data from millions of sandbox sessions to identify emerging threats.

TI Lookup lets you identify and investigate phishkit attacks (Source – Any.run)

Analysts can execute targeted queries for domains, hashes, or network indicators associated with known kits. For instance, searching for domainName:"*.workers.dev" reveals 49 domains linked to Tycoon2FA's abuse of Cloudflare infrastructure.

Each domain’s threat level is immediately flagged, enabling rapid triage.

```sql
-- Example query to detect Tycoon2FA domains in TI Lookup
SELECT *
FROM threat_intel
WHERE domainName LIKE '%.workers.dev'
  AND threatTag = 'phishing';
```

Suricata IDS rules provide another investigative vector. The rule suricataID:"8001050" detects social engineering attempts commonly associated with Gabagool and SneakyPhish campaigns.

Suricata rule to uncover more examples of phishkit attacks (Source – Any.run)

When triggered, this rule correlates with network traffic patterns like abnormally high POST requests to unfamiliar endpoints or mismatched SSL certificates. Analysts can cross-reference these events with TI Lookup’s database to uncover linked phishing kit variants.
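The "abnormally high POST requests to unfamiliar endpoints" pattern described above can be hunted for directly in proxy or web logs before a Suricata hit arrives. The following is an added example, not code from the article or from Any.run: it parses a few constructed log lines, ignores hosts on an organisational allowlist, counts POSTs per client/host pair inside a sliding time window, and additionally tags hosts under the `.workers.dev` suffix the article ties to Tycoon2FA hosting. The log format, the allowlist, the hostnames and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic). Assumed format:
#   "<ISO timestamp> <client IP> <method> <host> <path> <status>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 GET login.microsoftonline.com /common/oauth2/authorize 200
2024-01-01T10:00:03 10.0.0.5 POST login.microsoftonline.com /common/login 200
2024-01-01T10:01:10 10.0.0.7 GET mfa-verify.phish-example.workers.dev /index.html 200
2024-01-01T10:01:12 10.0.0.7 POST mfa-verify.phish-example.workers.dev /login.php 200
2024-01-01T10:01:14 10.0.0.7 POST mfa-verify.phish-example.workers.dev /login.php 200
2024-01-01T10:01:15 10.0.0.7 POST mfa-verify.phish-example.workers.dev /login.php 200
2024-01-01T10:01:17 10.0.0.7 POST mfa-verify.phish-example.workers.dev /verify 200
2024-01-01T10:01:18 10.0.0.7 POST mfa-verify.phish-example.workers.dev /verify 200
2024-01-01T10:05:00 10.0.0.9 POST intranet.corp.example /api/upload 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Hosts the organisation expects credential POSTs to go to (constructed allowlist).
KNOWN_HOSTS = {"login.microsoftonline.com", "intranet.corp.example"}

# Domain suffixes worth tagging even on low volume; workers.dev comes from the article.
SUSPICIOUS_SUFFIXES = (".workers.dev",)


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def max_posts_in_window(timestamps, window_seconds):
    """Largest number of POSTs that fall inside any window of window_seconds."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while j < len(ts) and (ts[j] - ts[i]).total_seconds() <= window_seconds:
            j += 1
        best = max(best, j - i)
    return best


def detect_post_bursts(log_text, window_seconds=60, threshold=4, known_hosts=KNOWN_HOSTS):
    """Return alerts for client/host pairs that POST in bursts to unfamiliar hosts
    or that talk to a host under a suspicious suffix."""
    posts = defaultdict(list)
    pairs = set()
    for e in parse_log(log_text):
        if e["host"] in known_hosts:
            continue
        pairs.add((e["client"], e["host"]))
        if e["method"] == "POST":
            posts[(e["client"], e["host"])].append(e["ts"])

    alerts = []
    for client, host in sorted(pairs):
        reasons = []
        count = max_posts_in_window(posts.get((client, host), []), window_seconds)
        if count >= threshold:
            reasons.append("post_burst")
        if host.endswith(SUSPICIOUS_SUFFIXES):
            reasons.append("suspicious_domain_pattern")
        if reasons:
            alerts.append({"client": client, "host": host, "post_count": count, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_post_bursts(SAMPLE_LOG):
        print(alert)
```

The allowlist matters: a burst of POSTs to the real identity provider during a normal login is expected, so the hunt only scores hosts the organisation does not recognise, and the suffix tag is kept separate from the volume score so an analyst can see which signal fired.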

The Mamba2FA phishing kit exemplifies how attackers refine their tactics. By querying threatName:"mamba" AND domainName:"", teams extract fresh IoCs like newly registered domains or SSL certificate anomalies.

Threat data on phishing kit attacks (Source – Any.run)

This approach also surfaces behavioral insights—for example, Mamba2FA’s reliance on geofenced redirections to evade detection in non-target regions.

Incorporating these findings into SIEM rules and firewall policies is essential. A YARA rule targeting phishing kit payloads might include:

```yara
rule PhishKit_Generic {
    meta:
        author = "SOC_Team"
        description = "Detects phishing kit HTML structures"
    strings:
        // forward slash and dot escaped so the regex does not end early at /login.php
        $form_action = /action="[^"]*\/login\.php"/
        // inner quotes escaped inside the text string
        $meta_redirect = "<meta http-equiv=\"refresh\""
    condition:
        all of them
}
```

Automating IoC ingestion from TI Lookup into SOAR platforms ensures real-time blocking of malicious domains.
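Pushing TI results straight into a firewall deny list without validation is how a SOAR playbook ends up blocking a legitimate identity provider or choking on a malformed record. The block below is an added example, not Any.run's code or API: it takes a constructed TI Lookup-style export (the `domainName` and `threatName` fields mirror the query syntax shown in the article; the JSON wrapper and the `threatLevel` values are assumed), normalises and validates each domain, refuses allowlisted names, drops entries below a chosen threat level, deduplicates, and renders matching Suricata DNS alert rules so the IDS and the block list stay in step.

```python
import json
import re

# Constructed TI export (assumed shape, not ANY.RUN's real API format). Domains are placeholders.
SAMPLE_TI_EXPORT = json.dumps({
    "results": [
        {"domainName": "Mfa-Verify.phish-example.workers.dev.", "threatLevel": "malicious", "threatName": "tycoon2fa"},
        {"domainName": "mfa-verify.phish-example.workers.dev", "threatLevel": "malicious", "threatName": "tycoon2fa"},
        {"domainName": "panel.mamba-example.top", "threatLevel": "malicious", "threatName": "mamba"},
        {"domainName": "cdn.partner-example.com", "threatLevel": "suspicious", "threatName": ""},
        {"domainName": "login.microsoftonline.com", "threatLevel": "malicious", "threatName": "mamba"},
        {"domainName": "not a domain", "threatLevel": "malicious", "threatName": "greatness"},
    ]
})

# Ordering used to apply a minimum threat level (assumed vocabulary).
LEVELS = {"unknown": 0, "suspicious": 1, "malicious": 2}

# Hostname syntax check: labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Domains that must never reach the deny list even if a TI hit names them (constructed).
ALLOWLIST = {"login.microsoftonline.com"}


def normalise_domain(value):
    """Lowercase, trim whitespace and drop a trailing dot so duplicates collapse."""
    return value.strip().lower().rstrip(".")


def build_blocklist(ti_json, min_level="malicious", allowlist=ALLOWLIST):
    """Return (sorted blocklist, {raw value: skip reason}) from a TI export."""
    data = json.loads(ti_json)
    keep, skipped = set(), {}
    for entry in data.get("results", []):
        raw = entry.get("domainName", "")
        domain = normalise_domain(raw)
        level = LEVELS.get(entry.get("threatLevel", "unknown"), 0)
        if not DOMAIN_RE.match(domain):
            skipped[raw] = "invalid_domain"
        elif domain in allowlist:
            skipped[raw] = "allowlisted"
        elif level < LEVELS[min_level]:
            skipped[raw] = "below_threshold"
        else:
            keep.add(domain)
    return sorted(keep), skipped


def render_suricata_dns_rules(blocklist, base_sid=9000001):
    """One DNS-query alert per blocked domain; SIDs are sequential from a local range."""
    rules = []
    for i, domain in enumerate(blocklist):
        rules.append(
            f'alert dns any any -> any any (msg:"PhishKit TI blocklist domain {domain}"; '
            f'dns.query; content:"{domain}"; nocase; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    blocklist, skipped = build_blocklist(SAMPLE_TI_EXPORT)
    print("block:", blocklist)
    print("skipped:", skipped)
    print("\n".join(render_suricata_dns_rules(blocklist)))
```

Returning the skip reasons alongside the list is deliberate: a SOAR run that silently drops records hides both bad feed data and the allowlist doing its job, and the reasons give the analyst something to review.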

Known malicious indicators (Source – Any.run)

However, forensic teams must also analyze captured phishing pages for unique artifacts—such as Base64-encoded credential exfiltration endpoints or hardcoded admin panels—to attribute attacks to specific kits.
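The artifacts named above (form actions, meta-refresh redirects, Base64-encoded exfiltration endpoints and hardcoded admin panel paths) can be pulled out of a captured page mechanically. The following is an added example and not code from the article or any kit: it builds a constructed phishing page in memory (all hostnames and paths are placeholders, and the Base64 blob is generated from a placeholder URL so it decodes correctly), then extracts those artifacts and the set of hosts they point at, plus the page hash for IoC sharing.

```python
import base64
import hashlib
import re

# Constructed captured page (not a real kit sample). The hypothetical exfiltration endpoint is
# encoded here so the example stays self-contained.
_EXFIL_URL = "https://exfil-example.top/collect.php"
SAMPLE_PAGE = f"""<html><head>
<meta http-equiv="refresh" content="0;url=https://mfa-verify.phish-example.workers.dev/login.php">
</head><body>
<form method="post" action="https://mfa-verify.phish-example.workers.dev/login.php">
  <input name="login"><input name="passwd" type="password">
</form>
<script>
  var endpoint = atob("{base64.b64encode(_EXFIL_URL.encode()).decode()}");
  var token = "ZHVtbXk=";
</script>
<!-- result panel: /admin/panel.php -->
</body></html>"""

FORM_ACTION_RE = re.compile(r'<form[^>]*\baction\s*=\s*["\']([^"\']+)["\']', re.I)
META_REFRESH_RE = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']refresh["\'][^>]*content\s*=\s*["\'][^"\']*url=([^"\']+)["\']',
    re.I,
)
# Base64 tokens shorter than 16 chars are ignored to cut noise from ordinary identifiers.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
ADMIN_RE = re.compile(r"(/[A-Za-z0-9_./-]*(?:admin|panel)[A-Za-z0-9_./-]*)", re.I)
URL_RE = re.compile(r"^https?://[^\s\"'<>]+$")
HOST_RE = re.compile(r"^https?://([^/:]+)")


def _unique(items):
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def decode_base64_urls(html):
    """Return decoded strings that are Base64-encoded http(s) URLs; everything else is skipped."""
    found = []
    for token in B64_RE.findall(html):
        if len(token) % 4:
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if URL_RE.match(decoded):
            found.append(decoded)
    return _unique(found)


def triage_page(html):
    """Extract the attribution artifacts from a captured phishing page."""
    form_actions = _unique(FORM_ACTION_RE.findall(html))
    meta_refresh = _unique(META_REFRESH_RE.findall(html))
    decoded_urls = decode_base64_urls(html)
    admin_paths = _unique(ADMIN_RE.findall(html))
    hosts = set()
    for url in form_actions + meta_refresh + decoded_urls:
        m = HOST_RE.match(url)
        if m:
            hosts.add(m.group(1).lower())
    return {
        "sha256": hashlib.sha256(html.encode()).hexdigest(),
        "form_actions": form_actions,
        "meta_refresh": meta_refresh,
        "decoded_urls": decoded_urls,
        "admin_paths": admin_paths,
        "hosts": sorted(hosts),
    }


if __name__ == "__main__":
    for key, value in triage_page(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

The decoded-URL step is the one that separates kits: two pages can share an identical login template while sending credentials to different collectors, and the collector host is usually the more stable attribution point than the throwaway landing domain.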

Investigating phishing kit attacks demands continuous adaptation as attackers refine evasion techniques. By combining TI Lookup’s indicator database with network traffic analysis and customized detection rules, SOC/DFIR teams can dismantle campaign infrastructures and mitigate risks.

Organizations must prioritize integrating these tools into threat-hunting workflows while training employees to recognize phishing lures that bypass technical defenses.
