Next-Gen Phishing Kits Used to Bypass Multifactor Authentication

Proofpoint has revealed cyber threat actors are now using a new class of phishing kit that is allowing them to bypass multi-factor authentication (MFA). Multi-factor authentication is strongly recommended on accounts to improve security. Multifactor authentication requires an additional form of identification to be provided in addition to a password. In the event of a password being obtained by an unauthorized individual, access to the account will not be granted unless an additional factor is provided. The new breed of phishing kits now being used are capable of stealing authentication tokens in a man-in-the-middle (MitM) attack, and with the passwords and the authentication tokens, the attackers are able to gain access to accounts.

MFA is commonly used to improve security. Microsoft explained in a blog post in 2019, that multifactor authentication blocks more than 99.9% of automated attacks. Businesses that have implemented multifactor authentication may feel user accounts are protected, but the Proofpoint analysis serves as a warning that MFA can be bypassed. Worryingly, these next-generation phishing kits are rapidly proliferating.

The New Class of Phishing Kits – Source Proofpoint

Proofpoint said it has identified basic open source kits that have human-readable code and provide no-frills functionality, but highly sophisticated phishing kits have also been detected that have multiple layers of obfuscation and modules that allow the theft of usernames/passwords, MFA tokens, credit card numbers and other sensitive data, such as Social Security numbers.

Standard phishing kits are loaded onto spoofed web pages that closely resemble the brands they impersonate, with some of the phishing pages almost identical to the genuine web pages. These phishing kits capture information as it is entered into forms and login boxes. These phishing sites can be realistic; however, close inspection of the URL should identify the phishing pages for what they are.

Phishing attacks have now been detected that use a different approach, which is difficult for users and security solutions to identify. This approach involves the use of transparent reverse proxies (TRPs) that allow the attackers to gain access to existing browser sessions and silently capture sensitive data as it is entered or appears on the screen. Rather than the user being directed to a spoofed site, data are harvested when users are on genuine websites they are on genuine websites. With the TRP technique, the actual website is displayed to the victim.

One of the simplest next-gen phishing kits is called Modlishka and allows an attacker to phish one site at a time. There is a command-line interface and a GUI mechanism for stealing credentials and session information. Modlishka also uses Let’s Encrypt, to encrypt the session to ensure the green padlock is displayed, to make the user think they are on a genuine, secure site.

Muraena/Necrobrowser is more complex and consists of two parts, the first part, Muraena, runs on the server-side and uses a crawler to scan the target site to ensure it can rewrite all the traffic correctly and not alert the victim. This part can harvest credentials and session cookies. Proofpoint says the second part, named Necrobrowser, is a browser without a GUI that is used for automation. This part leverages stolen session cookies to log into the target site and allows actions to be performed such as changing passwords, disabling Google Workspace notifications, dumping emails, changing SSH session keys in GitHub, and downloading all code repositories.

Evilginx2 is an advanced phishing kit that uses pre-installed phishlets – yaml configuration files – that are used to configure the proxy to the target site. Phishlets can also be created by the user. This kit allows multiple brands to be phished at once, and also for custom subdomains and landing pages to be configured.

A malicious link is sent to a user, who is then directed to the site to login, with the kit allowing the attacker to steal credentials, MFA codes, and session cookies. The user is either sent to a different page or is allowed to continue, and the attacker uses the stolen session cookie to log in as the victim and change the password, copy data, or impersonate the victim,

While security solutions have been developed to identify these new phishing kits, detection rates are low. Proofpoint says, “They are easy to deploy, free to use, and have proven effective at evading detection. The industry needs to prepare to deal with blind spots like these before they can evolve in new, unexpected directions.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of