Sophisticated Phishing Campaigns Leveraging Advanced Kits and Evasion Techniques
Cybercriminals are increasingly utilizing advanced Phishing-as-a-Service (PhaaS) kits to conduct large-scale, targeted phishing campaigns that impersonate trusted brands and institutions. These kits, which have doubled in number over the past year, enable even less-skilled attackers to deploy sophisticated attacks at scale by incorporating features such as URL obfuscation, MFA bypass, CAPTCHA abuse, and the use of malicious QR codes and attachments. Threat analysts have observed a surge in new PhaaS entrants, including Cephas, Whisper 2FA, and GhostFrame, alongside established kits like Tycoon 2FA and Mamba 2FA. Attackers are also leveraging AI, social engineering, and polymorphic techniques to evade detection, making it increasingly difficult for organizations to defend against these threats with static security controls alone.
Technical analysis reveals that phishing infrastructure is evolving to include fake verification pages, such as counterfeit Cloudflare Turnstile challenges, which act as intelligent traffic filtering gates. These pages use browser fingerprinting, geolocation, and proxy detection to selectively deliver malicious payloads to high-confidence victims while evading security researchers and automated defenses. The fake verification pages closely mimic legitimate branding and user experience, including fabricated Ray IDs and links to real policy documents, to build trust and bypass scrutiny. Security experts recommend adopting layered defenses, including phishing-resistant MFA, continuous monitoring, and integrated email security, to counter these increasingly sophisticated phishing operations.
Timeline
Jan 6, 2026
Technical analysis exposed fake Cloudflare gate's data collection
Analysis showed the fake verification page did not load official Cloudflare JavaScript and instead used client-side scripts and server-side APIs to collect browser and environment data for exfiltration. Researchers confirmed the infrastructure functioned as a malicious traffic distribution system and was not affiliated with Cloudflare.
Jan 6, 2026
Fake Cloudflare Turnstile phishing gate campaign observed
Researchers observed a phishing campaign using a fake Cloudflare Turnstile page as an intelligent traffic filtering gate targeting French users. The infrastructure used browser fingerprinting, geolocation, proxy detection, and redirects to a legitimate French news site to block researchers and non-target traffic while serving phishing content to likely victims.
Jan 6, 2026
Malicious domains for fake Cloudflare gate were newly registered
The phishing infrastructure analyzed in the campaign relied on newly registered domains used to host a fake Cloudflare Turnstile verification page and related backend services. The setup was designed to support selective victim filtering and payload delivery.
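The three entries above describe a fake Cloudflare Turnstile gate that copies the branding (including a fabricated Ray ID) but never loads Cloudflare's own challenge script and instead runs its own fingerprinting code. The following triage helper is an added example for this page, not Cloudflare's or any researcher's code: it takes HTML already fetched in a sandbox and reports the tell-tale signs the analysis lists. It assumes only that the genuine Turnstile loader is served from challenges.cloudflare.com and that real Ray IDs are 16 hex characters; the two sample pages, the `cdn.example-static.net` host and the site key are constructed.

```python
"""Heuristic triage of a captured page that presents itself as a Cloudflare
"Verify you are human" / Turnstile challenge.

Added example (not Cloudflare's, Mallory's or any vendor's code).
Assumptions: HTML was fetched offline in a sandbox; the official Turnstile
loader lives under https://challenges.cloudflare.com/; genuine Ray IDs are
16 hex characters. Sample pages below are constructed.
"""
import re
from html import unescape
from urllib.parse import urlparse

OFFICIAL_CHALLENGE_HOST = "challenges.cloudflare.com"

# Strings copied from the genuine interstitial; look-alike pages copy them too.
TURNSTILE_PHRASES = (
    "verify you are human",
    "checking your browser",
    "ray id",
    "performance & security by cloudflare",
)

# Browser APIs commonly read by fingerprinting scripts (constructed list).
FINGERPRINT_APIS = (
    "navigator.plugins", "navigator.hardwareConcurrency", "navigator.webdriver",
    "screen.width", "getTimezoneOffset", "toDataURL", "WebGLRenderingContext",
)

SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)
RAY_ID_RE = re.compile(r"ray id:?\s*([0-9a-f]+)")


def triage_challenge_page(page: str) -> dict:
    """Return branding/script/Ray-ID observations and a coarse verdict."""
    text = unescape(re.sub(r"<[^>]+>", " ", page)).lower()
    looks_like_turnstile = any(p in text for p in TURNSTILE_PHRASES)

    script_hosts = {urlparse(src).hostname or "" for src in SCRIPT_SRC_RE.findall(page)}
    loads_official = OFFICIAL_CHALLENGE_HOST in script_hosts
    third_party = sorted(h for h in script_hosts if h and h != OFFICIAL_CHALLENGE_HOST)

    inline_js = " ".join(INLINE_SCRIPT_RE.findall(page))
    fp_hits = sorted(api for api in FINGERPRINT_APIS if api in inline_js)

    m = RAY_ID_RE.search(text)
    ray_id = m.group(1) if m else None

    findings = []
    if looks_like_turnstile and not loads_official:
        findings.append("challenge branding without the official challenges.cloudflare.com script")
    if fp_hits:
        findings.append("inline fingerprinting: " + ", ".join(fp_hits))
    if ray_id is not None and len(ray_id) != 16:
        findings.append(f"Ray ID '{ray_id}' is not 16 hex characters")
    if looks_like_turnstile and third_party:
        findings.append("third-party scripts on a challenge page: " + ", ".join(third_party))

    return {
        "looks_like_turnstile": looks_like_turnstile,
        "loads_official_script": loads_official,
        "ray_id": ray_id,
        "fingerprint_apis": fp_hits,
        "findings": findings,
        "verdict": "suspicious" if findings else "no finding",
    }


# Constructed sample: look-alike gate that collects browser data itself.
FAKE_GATE_HTML = """<html><head><title>Just a moment...</title>
<script src="https://cdn.example-static.net/check.js"></script>
<script>
  var fp = {ua: navigator.userAgent, plugins: navigator.plugins.length,
            cores: navigator.hardwareConcurrency, tz: new Date().getTimezoneOffset(),
            canvas: document.createElement('canvas').toDataURL()};
  fetch('/api/verify', {method: 'POST', body: JSON.stringify(fp)});
</script></head>
<body><h1>Verify you are human</h1>
<p>Ray ID: <code>7f3a9c</code></p>
<p>Performance &amp; security by Cloudflare</p></body></html>"""

# Constructed sample shaped like a genuine widget embed (placeholder site key).
GENUINE_LIKE_HTML = """<html><head><title>Just a moment...</title>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body><h1>Verify you are human</h1>
<div class="cf-turnstile" data-sitekey="0x4AAAAAAA_PLACEHOLDER"></div>
<p>Ray ID: <code>8a1b2c3d4e5f6071</code></p></body></html>"""

if __name__ == "__main__":
    for name, sample in (("fake", FAKE_GATE_HTML), ("genuine-like", GENUINE_LIKE_HTML)):
        result = triage_challenge_page(sample)
        print(name, result["verdict"], result["findings"])
```

The check is deliberately conservative: the "no script from challenges.cloudflare.com" signal only counts when the page also carries challenge branding, so ordinary pages are not flagged for lacking Cloudflare code. Run it against a sandbox capture rather than a live fetch, since the gate in the story fingerprints the client and serves different content to suspected analysts.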
Dec 31, 2025
Attackers adopted advanced phishing kit evasion techniques in 2025
Throughout 2025, phishing kits were observed using AI, URL obfuscation, CAPTCHA abuse, malicious QR codes, and polymorphic techniques to improve delivery and evade detection. Named kits including Tycoon 2FA, Mamba 2FA, Cephas, Whisper 2FA, GhostFrame, Sneaky 2FA, and CoGUI were cited as examples of this trend.
Dec 31, 2025
Active PhaaS kits doubled during 2025
Barracuda Networks reported that the number of active phishing-as-a-service kits doubled in 2025, reflecting broader criminal adoption of more capable phishing tooling. The kits increasingly incorporated MFA bypass, evasion features, and abuse of trusted platforms.
Related Stories
Phishing Campaigns Evade Detection by Abusing AI and Trusted Email Security Controls
Security researchers reported multiple **phishing evasion** techniques designed to defeat modern email and AI-assisted defenses rather than relying only on traditional lure quality. One campaign analyzed by KnowBe4 used **graymail-style content padding** and extreme whitespace insertion to manipulate NLP-based email security tools, placing benign promotional text, legitimate signatures, and trusted links far below the visible phishing lure so scanners would weigh the message as less malicious. A separate LevelBlue-tracked trend showed attackers abusing enterprise **URL rewriting** and *Safe Links*-style protections by sending phishing through compromised accounts, causing security gateways to generate trusted wrapped URLs that could then be reused in campaigns targeting **Microsoft 365** users. The activity reflects a broader shift toward exploiting the gap between what users see and what automated systems inspect. In the URL-rewriting abuse, operators tied to **Tycoon2FA** and **Sneaky2FA** built multi-layer redirect chains across several trusted vendor domains to obscure final destinations and steal credentials and MFA session cookies through adversary-in-the-middle infrastructure, enabling account takeover, internal phishing, data theft, and sometimes ransomware follow-on activity. Related research from LayerX showed a different but thematically aligned evasion method in which **font rendering and CSS** make webpages display malicious commands to users while AI assistants parsing the underlying HTML see only harmless text, underscoring that attackers are increasingly targeting AI and trust-based inspection layers as part of phishing and social-engineering operations.
1 month ago
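The graymail padding technique in the story above relies on a short lure followed by a very large whitespace gap and then a long block of benign newsletter text, so that a classifier weighing the whole body sees mostly harmless content. The profiler below is an added example, not KnowBe4's or any vendor's detector: it takes an already-extracted plain-text body, locates the largest run of blank lines, and compares how much visible text sits above versus below that gap. The threshold of 25 blank lines, the `login-example.invalid` lure URL and the newsletter text are constructed.

```python
"""Profile a plain-text e-mail body for content-padding evasion.

Added example (not KnowBe4's or any vendor's code). Assumes the text body
has already been extracted from the message. The blank-line threshold and
the two sample messages are constructed for illustration.
"""
import re

URL_RE = re.compile(r"https?://\S+")


def padding_profile(body: str, min_gap: int = 25) -> dict:
    """Describe the largest blank-line gap and what lies above/below it."""
    lines = body.splitlines()

    # Locate the longest run of whitespace-only lines.
    best_start, best_len = -1, 0
    run_start, run = -1, 0
    for i, line in enumerate(lines):
        if line.strip() == "":
            if run == 0:
                run_start = i
            run += 1
            if run > best_len:
                best_start, best_len = run_start, run
        else:
            run = 0

    whitespace = sum(c.isspace() for c in body)
    profile = {
        "lines": len(lines),
        "longest_blank_run": best_len,
        "whitespace_ratio": round(whitespace / len(body), 3) if body else 0.0,
        "padded": False,
    }

    if best_len >= min_gap:
        # Text the recipient sees first vs. the bulk pushed below the gap.
        head = "\n".join(lines[:best_start]).strip()
        tail = "\n".join(lines[best_start + best_len:]).strip()
        profile.update(
            head_chars=len(head),
            tail_chars=len(tail),
            head_urls=len(URL_RE.findall(head)),
            tail_urls=len(URL_RE.findall(tail)),
        )
        # Padded: a real lure above the gap, and at least twice as much text below it.
        profile["padded"] = len(head) > 0 and len(tail) > 2 * len(head)

    return profile


# Constructed samples: a short credential lure, then benign newsletter text.
LURE = (
    "Your mailbox is almost full. Sign in now to avoid losing mail:\n"
    "https://login-example.invalid/verify\n"
)
GRAYMAIL = (
    "Thank you for being a valued customer.\n"
    "View our latest catalogue: https://www.example.com/catalogue\n"
    "Manage your preferences: https://www.example.com/preferences\n"
    "Privacy policy: https://www.example.com/privacy\n"
    "Example Corp, 1 Example Street, Example City\n"
    "This email was sent to you because you subscribed to our newsletter.\n"
    "If you no longer wish to receive these messages, you can unsubscribe at any time.\n"
)
PADDED_MESSAGE = LURE + "\n" * 120 + GRAYMAIL   # lure, huge gap, graymail
NORMAL_MESSAGE = LURE + "\n" + GRAYMAIL         # same content, no padding

if __name__ == "__main__":
    for name, msg in (("padded", PADDED_MESSAGE), ("normal", NORMAL_MESSAGE)):
        print(name, padding_profile(msg))
```

The useful output is not the verdict alone but the split it produces: feeding only the text above the gap to the content classifier (or scoring head and tail separately) removes the leverage the padding gives the attacker, while the raw blank-line count is a cheap feature to log for hunting across a mail corpus.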
Phishing Attacks Leveraging Cloudflare Pages and Modern Phishing Kits
Threat actors are increasingly abusing free web hosting services such as Cloudflare Pages to host phishing portals that impersonate banking, insurance, and healthcare organizations. These phishing sites are designed to harvest sensitive information including credentials, security questions, and multifactor authentication codes. Attackers benefit from the speed, scale, and resilience provided by free hosting, as well as the use of mainstream messaging platforms like Telegram for exfiltration, making detection and takedown efforts more challenging for defenders. Modern phishing kits have evolved into sophisticated platforms that enable even low-skilled threat actors to deploy convincing credential-harvesting sites rapidly. These kits often include features such as admin panels, real-time credential delivery, proxy capabilities for MFA bypass, and antibot systems to evade security researchers. The accessibility and advanced capabilities of these kits, combined with the use of free hosting and messaging services, have significantly lowered the barrier to entry for large-scale phishing campaigns targeting organizations and individuals alike.
1 month ago
Multi-Stage Phishing Campaigns Targeting Microsoft 365 and Cloud Services
A sophisticated, multi-stage phishing campaign has been observed targeting organizations globally to steal Microsoft 365 credentials. The operation, monitored since early November 2025, employs advanced evasion techniques such as nested PDFs, use of legitimate content delivery networks, and mouse tracking to bypass secure email gateways and multi-factor authentication. The final credential harvesting site is engineered to block security tools and analysts, and leverages legitimate Microsoft infrastructure to circumvent MFA, granting attackers immediate access to compromised accounts. These attacks highlight the increasing complexity of phishing operations and their ability to evade traditional security controls. In parallel, threat actors are exploiting free cloud hosting platforms like Cloudflare Pages to host convincing phishing portals impersonating banking and healthcare providers. These sites not only harvest credentials but also collect additional security information, such as answers to secret questions, and exfiltrate data via Telegram bots to evade detection. Attackers use compromised legitimate domains as redirectors, increasing the likelihood of bypassing spam filters and making takedown efforts more challenging. The convergence of advanced phishing techniques and abuse of trusted cloud services underscores the need for enhanced detection and response strategies for organizations relying on Microsoft 365 and similar platforms.
1 month ago