A phishing kit is an off-the-shelf bundle of templates, infrastructure, and credential-relay code that lets a low-skill operator clone Microsoft 365, Google Workspace, Okta, banking, and crypto-exchange logins. Modern kits intercept MFA codes in real time using adversary-in-the-middle (AiTM) reverse proxies. The reason phishing-resistant authentication (FIDO2, hardware keys, passkeys) matters more in 2026 than it did in 2018.
What it means in practice
The 2024-era phishing kit (Evilginx2, EvilProxy, Mamba 2FA, Tycoon 2FA) does not just collect credentials. It runs a transparent proxy between the victim and the real service: the victim types the password and the TOTP code on the fake page, the kit forwards both to the real service in real time, the kit captures the resulting session cookie, and the attacker walks into the account using the session without ever touching the password again. TOTP-based 2FA is defeated structurally. Push-based 2FA can also be defeated by MFA fatigue (spam the user with push notifications until one approves). Hardware keys remain the only consumer-grade defense because the cryptographic protocol binds to the actual domain origin, which the proxy cannot fake.
Who is targeted, and by whom
Mass phishing kit deployment: cybercrime crews running automated campaigns against enterprise email tenants, financial-services customers, and crypto-exchange users. The take rate is small per campaign but the volume is industrial. Targeted phishing kit deployment: business-email-compromise crews customizing per target, with reconnaissance from LinkedIn and breach corpora, often as the initial-access stage of ransomware operations. Nation-state phishing kit deployment: Charming Kitten and equivalents use phishing kits as one tool in broader campaigns, with the same structural defense (hardware-key 2FA structurally defeats the kit’s 2FA bypass).
What you can change today
Move every keystone account to hardware-key 2FA where the option exists (FIDO2/WebAuthn). Microsoft 365, Google Workspace, GitHub, AWS, Cloudflare, and most major SaaS support it; check Settings, Security, Two-Factor Authentication. Where hardware keys are not yet supported (most banking, some government services), the next-best is TOTP via Aegis or Raivo (offline, not phishable in real time as easily as some app-based push notifications). Watch for the autofill cue from your password manager: if the manager refuses to autofill on a page, the page is probably wrong. The phishing kit’s domain will not match the registered credential, so the manager’s silence is the signal that something is off.
