{"id":11659,"date":"2025-02-19T10:55:23","date_gmt":"2025-02-19T10:55:23","guid":{"rendered":"\/cybersecurity-blog\/?p=11659"},"modified":"2025-03-04T06:08:02","modified_gmt":"2025-03-04T06:08:02","slug":"how-to-track-phishkits","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/","title":{"rendered":"How to Identify and Investigate Phishing Kit Attacks"},"content":{"rendered":"\n<p>Phishing kits have contributed greatly to the popularity of phishing. They lower the entry threshold for cybercriminals, enabling even low-skilled hackers to conduct successful attacks. &nbsp;<\/p>\n\n\n\n<p>In general, a phishing kit is a set of tools for creating convincing fake webpages, sites, or emails that trick users into divulging sensitive information like passwords or credit card credentials. Security specialists should never underestimate this type of malware or be unprepared to counter its users.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Phishkits are made of&nbsp;<\/h2>\n\n\n\n<p>These ready-to-use packages can be basic, with some pre-written code and website and email templates, or they can be advanced phishing-as-a-service (PHaaS) kits that offer more sophisticated and customizable features. 
These may even contain automated updates or encryption features.&nbsp;&nbsp;<\/p>\n\n\n\n<p>A typical kit includes:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Website (email, social network pages) templates mimicking legitimate brands (banks, email providers, cloud services, etc.)&nbsp;<\/li>\n\n\n\n<li>Data harvesting scripts that capture input in webpage forms&nbsp;<\/li>\n\n\n\n<li>Automated deployment tools for quick setup&nbsp;<\/li>\n\n\n\n<li>Bypass techniques such as reverse proxies that intercept multi-factor authentication&nbsp;<\/li>\n\n\n\n<li>Server-side components that manage the data collected from victims&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Some notable Phishkits&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>16Shop<\/strong>: targeted Apple, PayPal, and Amazon users and was distributed as a subscription service.&nbsp;<\/li>\n\n\n\n<li><strong>Evilginx2<\/strong>: a framework to intercept authentication tokens that helped to bypass MFA.&nbsp;<\/li>\n\n\n\n<li><strong>BulletProofLink<\/strong>: a PHaaS platform that offered pre-hosted phishing pages and even reused stolen credentials to maximize profit.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"578\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/greatness_phishkit-1024x578.png\" alt=\"\" class=\"wp-image-11680\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/greatness_phishkit-1024x578.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/greatness_phishkit-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/greatness_phishkit-768x433.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/greatness_phishkit-1536x867.png 1536w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/greatness_phishkit-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/greatness_phishkit-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/greatness_phishkit-740x417.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/greatness_phishkit.png 1854w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Example of a Greatness phishkit attack analyzed in ANY.RUN&#8217;s Interactive Sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Greatness<\/strong>: targets Microsoft 365 users and can dynamically generate fake login pages customized for the victim.&nbsp;<\/li>\n\n\n\n<li><strong>GoPhish<\/strong>: an open-source framework meant for businesses to test their exposure to phishing by imitating attacks but also used maliciously.&nbsp;<\/li>\n\n\n\n<li><strong>King Phisher<\/strong>: offers advanced features like campaign management and cloning of websites.&nbsp;<\/li>\n\n\n\n<li><strong>Blitz<\/strong>: known for its simplicity and quick creation of phishing webpages.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Why Phishkits are a serious issue for businesses&nbsp;<\/h2>\n\n\n\n<p>Phishing kits are employed to attack both individuals and organizations, but they represent a specific threat to businesses by inviting a wider audience of would-be hackers to the industry, multiplying risks and increasing the workload on security systems. &nbsp;<br>&nbsp;<br>Besides, phishing kit attacks make it easier to turn any employee into a weak spot in the cybersecurity perimeter. Even when targeted at individuals, such attacks are a headache for SOC teams. 
&nbsp;<br>&nbsp;<br>The features of phishkits that pose increased risks for organizations are: &nbsp;<br>&nbsp;<br><strong>Scalability<\/strong>: They allow attackers to automate and run phishing campaigns against thousands of employees simultaneously.&nbsp;<\/p>\n\n\n\n<p><strong>MFA Bypass<\/strong>: Modern phishkits integrate Adversary-in-the-Middle (AiTM) techniques to steal session cookies, bypassing multi-factor authentication.&nbsp;<\/p>\n\n\n\n<p><strong>Brand Abuse &amp; Reputation Damage<\/strong>: Phishing pages tend to impersonate well-known brands, leading to loss of their customer trust when credentials are stolen.&nbsp;<\/p>\n\n\n\n<p><strong>Supply Chain Attacks<\/strong>: Phishkits can be used to target third-party vendors and gain access to corporate networks via compromised partners.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Defusing Phishkits with Threat Intelligence&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cyber threat intelligence<\/a> has long proven useful in countering phishkit-based attacks. It involves gathering, analyzing, and acting upon information about current and emerging threats. 
For countering phishkits, it enables:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Early detection<\/strong>: TI helps to collect the indicators of compromise associated with the use of certain phishkits and set up network monitoring for detecting the elements of phishkit infrastructure.&nbsp;<\/li>\n\n\n\n<li><strong>Behavioral Analysis<\/strong>: TI is used to analyze patterns and behaviors of phishing campaigns, to identify new kits or variations of known ones before they cause harm.\u00a0<\/li>\n\n\n\n<li><strong>Proactive Blocking<\/strong>: Intelligence feeds are used to update security systems like firewalls, email gateways, or intrusion detection systems to block known malicious domains or IPs.&nbsp;<\/li>\n\n\n\n<li><strong>Employee Training<\/strong>: By helping to understand phishkits\u2019 anatomy and behavior, TI can facilitate realistic phishing simulations based on actual threats, training staff to recognize and report phishing attempts.&nbsp;<\/li>\n\n\n\n<li><strong>Vulnerability Management<\/strong>: Seeing what types of phishkits are targeting specific sectors or technologies, organizations can prioritize patching vulnerabilities or enhance security measures where they are most needed.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How to Track and Identify Phishing Kit Attacks with TI Lookup&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"600\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/ti_lookup-1-1024x600.png\" alt=\"\" class=\"wp-image-11682\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/ti_lookup-1-1024x600.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/ti_lookup-1-300x176.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/ti_lookup-1-768x450.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/ti_lookup-1-1536x901.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/ti_lookup-1-370x217.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/ti_lookup-1-270x158.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/ti_lookup-1-740x434.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/ti_lookup-1.png 1837w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup lets you identify and investigate phishkit attacks<\/em> <\/figcaption><\/figure><\/div>\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=how_to_track_phishkits&amp;utm_term=190225&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup from ANY.RUN<\/a> provides access to an extensive database of the latest threat data extracted from millions of public sandbox sessions. &nbsp;<\/p>\n\n\n\n<p>It allows analysts to conduct targeted indicator searches with <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-search-parameters\/\" target=\"_blank\" rel=\"noreferrer noopener\">over 40 different parameters<\/a>, from IPs and hashes to mutexes and registry keys, to enrich their existing intel on malware and phishing attacks. &nbsp;<\/p>\n\n\n\n<p>With TI Lookup, users can collect as well as pin their existing indicators to specific cyber threats. 
Each indicator in TI Lookup can be observed as part of a wider context.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">Learn more about TI Lookup<\/a>&nbsp;<\/p>\n\n\n\n<p>Threat Intelligence Lookup empowers organizations with:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Streamlined Access to Threat Information<\/strong>:&nbsp;Simplifies and speeds up the process of finding threat-related information, making it more convenient and efficient.&nbsp;<\/li>\n\n\n\n<li><strong>Detailed Insights into Attacks<\/strong>:&nbsp;Provides detailed information on attacker methods, helping to determine the most effective response measures. Deep analysis makes the actions of analysts more precise and effective.&nbsp;<\/li>\n\n\n\n<li><strong>Reduced Mean Time to Respond (MTTR):&nbsp;<\/strong>Offers quick access to key threat information, enabling analysts to make swift decisions.&nbsp;<\/li>\n\n\n\n<li><strong>Increased Detection and Response Speed<\/strong>:&nbsp;Ensures data is up-to-date, helping businesses improve the speed of detecting and responding to new threats.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">1. Collecting Intel on Tycoon2FA Phishkit Abusing Cloudflare Workers&nbsp;<\/h3>\n\n\n\n<p>Tycoon2FA is a phishkit that has been offered as a service to cyber criminals since 2023. 
This threat\u2019s specialty is adversary-in-the-middle attacks that make it possible to not only steal victims\u2019 login credentials but also bypass two-factor authentication (2FA).&nbsp;&nbsp;<\/p>\n\n\n\n<p>Tycoon2FA operators make extensive use of Cloudflare Workers and Cloudflare Pages for hosting fake login forms that are abused for stealing personal data.&nbsp;&nbsp;<\/p>\n\n\n\n<p>With TI Lookup, we can collect the latest examples of domains utilized for Tycoon2FA attacks using the following query:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=how_to_track_phishkits&amp;utm_term=190225&amp;utm_content=linktolookup#%7B%2522query%2522:%2522domainName:%255C%2522*.workers.dev%255C%2522%2522,%2522dateRange%2522:30%7D\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&quot;*.workers.dev&quot;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"269\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagef-1024x269.png\" alt=\"\" class=\"wp-image-11667\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagef-1024x269.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagef-300x79.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagef-768x201.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagef-1536x403.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagef-370x97.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagef-270x71.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagef-740x194.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagef.png 1700w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Use wildcards like the asterisk in TI Lookup for more flexible searches<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>TI Lookup provides 49 domains, with some of them being labeled with the \u201cphishing\u201d tag. 
At this point, users can collect these indicators to enrich their defense.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"402\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image10-1024x402.png\" alt=\"\" class=\"wp-image-11664\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image10-1024x402.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image10-300x118.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image10-768x301.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image10-1536x603.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image10-370x145.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image10-270x106.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image10-740x290.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image10.png 1794w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup provides verdicts on known malicious indicators<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Using TI Lookup can also be helpful during triage, when you need to check if a certain Cloudflare Workers domain is malicious. 
As you can see in the image above, the service instantly informs you about the threat level of the queried domain.&nbsp;<\/p>\n\n\n\n<p>The Tasks tab in TI Lookup provides a list of the latest analysis reports performed in ANY.RUN\u2019s Interactive Sandbox featuring the requested domains.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"726\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image11-1024x726.png\" alt=\"\" class=\"wp-image-11665\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image11-1024x726.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image11-300x213.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image11-768x545.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image11-1536x1089.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image11-370x262.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image11-270x191.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image11-740x525.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image11.png 2036w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup provides a list of sandbox sessions featuring the requested indicators<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Here, we can discover that Cloudflare\u2019s domain is also used by another phishing-as-a-service tool, EvilProxy.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"586\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image12-1024x586.png\" alt=\"\" class=\"wp-image-11668\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image12-1024x586.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image12-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image12-768x439.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image12-1536x878.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image12-2048x1171.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image12-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image12-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image12-740x423.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Fake Outlook page created with the help of a phishing kit<\/em> <\/figcaption><\/figure><\/div>\n\n\n<p>If you want to dig deeper, you can open any of these reports inside the sandbox and observe real-world attacks as they unfolded and rerun analysis of these URLs yourself.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Researching Phishkit Campaigns via Suricata rules&nbsp;&nbsp;<\/h3>\n\n\n\n<p>Threat Intelligence Lookup supports search by Suricata IDS rules. 
Add a rule ID (SID) and see an assortment of incidents where the same rule was triggered.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"393\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image13-1024x393.png\" alt=\"\" class=\"wp-image-11670\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image13-1024x393.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image13-300x115.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image13-768x294.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image13-370x142.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image13-270x104.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image13-740x284.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image13.png 1184w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Suricata rule for detecting social engineering 
attempts<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Let\u2019s use the rule with the class \u201cPossible social engineering attempted\u201d via the following query:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=how_to_track_phishkits&amp;utm_term=190225&amp;utm_content=linktolookup#%7B%2522query%2522:%2522suricataID:%255C%25228001050%255C%2522%2522,%2522dateRange%2522:30%7D\" target=\"_blank\" rel=\"noreferrer noopener\">suricataID:&quot;8001050&quot;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"723\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image14-1024x723.png\" alt=\"\" class=\"wp-image-11674\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image14-1024x723.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image14-300x212.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image14-768x542.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image14-1536x1085.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image14-370x261.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image14-270x191.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image14-740x523.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image14.png 2036w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Search by Suricata rule to uncover more examples of phishkit attacks<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Among the results, we can see examples of Gabagool and Sneaky2FA phishing kit attacks, as well as Tycoon2FA\u2019s, which are linked to the Storm1747 APT. 
<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/track-advanced-persistent-threats\/\" target=\"_blank\" rel=\"noreferrer noopener\">Learn more on how to track APTs<\/a><\/p>\n\n\n\n<p>You can download data on all of these samples, which includes hashes, and use it to further enrich your security systems. As always, you can also explore each report in detail to collect even more insights into these attacks.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"391\" height=\"376\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image15.png\" alt=\"\" class=\"wp-image-11672\" style=\"width:245px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image15.png 391w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image15-300x288.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image15-370x356.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image15-270x260.png 270w\" sizes=\"(max-width: 391px) 100vw, 391px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup lets you receive fresh updates on the results for any query<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>TI Lookup also lets you <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-notifications\/\" target=\"_blank\" rel=\"noreferrer noopener\">automatically receive notifications<\/a> about the new results available for specific search queries. All you need to do is click the bell icon, and all of the updates will be displayed in the left side menu.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. 
Tracking new samples of Mamba2FA Phishkit&nbsp;<\/h3>\n\n\n\n<p>If your organization has been previously attacked with a certain phishing kit, then you can easily stay updated on the newest indicators related to it.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s take Mamba2FA as an example. It is a widely utilized phishkit that has been used in numerous attacks against businesses in the financial and manufacturing sectors.&nbsp;<\/p>\n\n\n\n<p>With a simple query that combines the name of the phishkit with an empty domain name field, we can quickly discover both new attacks and network indicators like domains and URLs recorded during sandbox analysis:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=how_to_track_phishkits&amp;utm_term=190225&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522mamba%255C%2522%2520AND%2520domainName:%255C%2522%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&quot;mamba&quot; AND domainName:&quot;&quot;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"594\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image16-1024x594.png\" alt=\"\" class=\"wp-image-11676\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image16-1024x594.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image16-300x174.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image16-768x446.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image16-1536x892.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image16-370x215.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image16-270x157.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image16-740x430.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image16.png 1831w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup provides a wealth of threat data on phishing kit attacks<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Learn more about proactively identifying Mamba2FA attacks in the <a href=\"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/\" target=\"_blank\" rel=\"noreferrer noopener\">article by a phishing analyst<\/a>.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;&nbsp;<\/h2>\n\n\n\n<p>Security experts are far from underestimating the risks behind phishing kits. They don\u2019t just open gates to a mass of low-skilled beginners to the cybercrime market. 
They abuse known brands and trademarks by impersonating their resources, employ sophisticated infiltration and anti-evasion techniques, and are constantly evolving.&nbsp;&nbsp;<\/p>\n\n\n\n<p>To avoid financial and reputational loss, organizations should consider investing in high-end threat intelligence solutions as well as emphasizing employee education and training.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=how_to_track_phishkits&amp;utm_term=190225&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=how_to_track_phishkits&amp;utm_term=190225&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request free trial of ANY.RUN&#8217;s services \u2192<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Phishing kits have contributed greatly to the popularity of phishing. They lower the entry threshold for cybercriminals, enabling even low-skilled hackers to conduct successful attacks. 
&nbsp; In general, a phishing kit is a set of tools for creating convincing fake webpages, sites, or emails that trick users into divulging sensitive information like passwords or credit [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":11695,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,54,15],"class_list":["post-11659","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-features","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Identify and Investigate Phishing Kit Attacks - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Learn to identify and investigate phishing kit attacks with Threat Intelligence Lookup from ANY.RUN to proactively defend your organization.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"How to Identify and Investigate Phishing Kit Attacks\",\"datePublished\":\"2025-02-19T10:55:23+00:00\",\"dateModified\":\"2025-03-04T06:08:02+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/\"},\"wordCount\":1710,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"features\",\"malware\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/\",\"name\":\"How to Identify and Investigate Phishing Kit Attacks - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-02-19T10:55:23+00:00\",\"dateModified\":\"2025-03-04T06:08:02+00:00\",\"description\":\"Learn to identify and investigate phishing kit attacks with Threat Intelligence Lookup from ANY.RUN to proactively defend your 
organization.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How to Identify and Investigate Phishing Kit Attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to Identify and Investigate Phishing Kit Attacks - ANY.RUN&#039;s Cybersecurity Blog","description":"Learn to identify and investigate phishing kit attacks with Threat Intelligence Lookup from ANY.RUN to proactively defend your organization.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"How to Identify and Investigate Phishing Kit Attacks","datePublished":"2025-02-19T10:55:23+00:00","dateModified":"2025-03-04T06:08:02+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/"},"wordCount":1710,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","features","malware"],"articleSection":["Cybersecurity Lifehacks"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/","url":"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/","name":"How to Identify and Investigate Phishing Kit Attacks - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-02-19T10:55:23+00:00","dateModified":"2025-03-04T06:08:02+00:00","description":"Learn to identify and investigate phishing kit attacks with Threat Intelligence Lookup from ANY.RUN to proactively defend your organization.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity 
Lifehacks","item":"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/"},{"@type":"ListItem","position":3,"name":"How to Identify and Investigate Phishing Kit Attacks"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/11659"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\
/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=11659"}],"version-history":[{"count":25,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/11659\/revisions"}],"predecessor-version":[{"id":11945,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/11659\/revisions\/11945"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/11695"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=11659"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=11659"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=11659"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}