{"id":17291,"date":"2025-12-10T10:00:49","date_gmt":"2025-12-10T10:00:49","guid":{"rendered":"\/cybersecurity-blog\/?p=17291"},"modified":"2025-12-10T10:03:16","modified_gmt":"2025-12-10T10:03:16","slug":"phishkit-attacks-101","status":"publish","type":"post","link":"\/cybersecurity-blog\/phishkit-attacks-101\/","title":{"rendered":"Phishing Kit\u00a0Attacks 101: Everything SOC Analysts Should\u00a0Know\u00a0"},"content":{"rendered":"\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/phising-types-of-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\">Phishing<\/a> used to be easy to spot. Now it looks clean, trusted, and almost perfect. Behind it are phishkits: ready-made attack platforms built to steal credentials, bypass MFA, and hijack live sessions in seconds.<\/p>\n\n\n\n<p>For SOC teams, one click starts the countdown. What looks like a routine alert can already be a live account takeover.<\/p>\n\n\n\n<p>Here\u2019s how these attacks actually work, and how advanced SOC teams catch them before they spread.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Is a Phishing Kit?<\/h2>\n\n\n\n<p>A phishing kit, aka <a href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>phishkit<\/strong><\/a>, is a ready-made toolkit that attackers use to launch phishing campaigns fast and at scale. 
Instead of building fake pages and infrastructure from scratch, they buy or rent a kit and deploy a full attack setup in minutes.<\/p>\n\n\n\n<p>Most phishkits come with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fake login pages for popular services<\/li>\n<li>Reverse proxy scripts that relay the victim\u2019s traffic to the real service and capture it in transit<\/li>\n<li>Built-in MFA bypass: the real MFA challenge is passed through to the victim, and the kit keeps the session cookie the service issues once it is answered<\/li>\n<li>Admin panels for harvesting credentials<\/li>\n<li>Tools to filter out bots and security scanners<\/li>\n<\/ul>\n\n\n\n<p>What makes phishkits especially dangerous is how little skill they now require. Even low-experience attackers can run advanced phishing operations using these packaged platforms, with the infrastructure, automation, and data collection already built in.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"578\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image-6-1024x578.png\" alt=\"\" class=\"wp-image-17297\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image-6-1024x578.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image-6-300x169.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image-6-768x433.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image-6-1536x867.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image-6-370x209.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image-6-270x152.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image-6-740x417.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image-6.png 1854w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Example of a 
Greatness phishkit attack analyzed in ANY.RUN\u2019s Interactive Sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Detecting phishkits early comes down to understanding what happens after the click. With an <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox like ANY.RUN<\/a>, analysts can safely open suspicious links, interact with phishing pages like a real user, and observe the full execution chain as it unfolds. This makes it possible to expose reverse proxy behavior, MFA capture, and credential theft in real time, often within seconds.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why Phishkits Are So Dangerous for Businesses<\/h2>\n\n\n\n<p>Phishkits quietly remove the barriers that businesses rely on for protection. By sitting between the employee and the real service, these tools relay the genuine login, including the MFA challenge, and keep the credentials, MFA codes, and the authenticated session cookie for themselves. The result is immediate, legitimate-looking access to corporate systems.<\/p>\n\n\n\n<p>Once attackers get inside, the impact spreads fast. A single compromised account can open access to email threads, internal tools, cloud platforms, customer data, and even financial systems. From there, attackers blend in, send messages from trusted inboxes, reset passwords, and move deeper without triggering obvious alarms.<\/p>\n\n\n\n<p>What makes phishkits especially dangerous is how clean the entry point often looks. There\u2019s no malware dropped right away and no suspicious attachment, just a normal login that isn\u2019t normal at all. 
This makes early detection hard and gives attackers valuable time to act before security teams even realize something is wrong.<\/p>\n\n\n\n<p><strong>For businesses, phishkits often lead to:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Silent data leaks<\/strong> from email, cloud apps, and internal systems<\/li>\n<li><strong>Business disruption<\/strong> caused by locked accounts and broken workflows<\/li>\n<li><strong>Direct financial losses<\/strong> from fraud and unauthorized transactions<\/li>\n<li><strong>Follow-up attacks<\/strong> launched from trusted employee inboxes<\/li>\n<li><strong>Long investigations<\/strong> and recovery efforts that stretch on for weeks<\/li>\n<li><strong>Reputational damage<\/strong> and loss of customer trust<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Key Detection Challenges for SOC Teams<\/h2>\n\n\n\n<table id=\"wpdtSimpleTable-264\" class=\"wpdtSimpleTable wpDataTable\" style=\"border-collapse:collapse; border-spacing:0px;\">\n<thead>\n<tr><th>Challenge<\/th><th>What It Looks Like in Practice<\/th><th>Why It\u2019s a Problem<\/th><\/tr>\n<\/thead>\n<tbody>\n<tr><td>Clean phishing emails<\/td><td>Messages pass basic filters and look legitimate<\/td><td>No early warning at the email layer<\/td><\/tr>\n<tr><td>Reverse proxy behavior<\/td><td>Users log in through a live proxy that forwards their real credentials and MFA response<\/td><td>Logs show a \u201cnormal\u201d successful, MFA-satisfied login, sourced from the proxy rather than the user<\/td><\/tr>\n<tr><td>Short-lived domains<\/td><td>Phishing domains disappear quickly<\/td><td>Blocklists don\u2019t update in time<\/td><\/tr>\n<tr><td>Valid credentials &amp; sessions<\/td><td>Attackers use real usernames, passwords, and MFA<\/td><td>No brute-force or obvious abuse signals<\/td><\/tr>\n<tr><td>No malware at first stage<\/td><td>No attachment, no payload, just a web login<\/td><td>File-based detection is bypassed<\/td><\/tr>\n<tr><td>Rapid attacker response<\/td><td>Access is used seconds after credentials are stolen<\/td><td>SOC has almost no reaction window<\/td><\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n<h2 class=\"wp-block-heading\">How SOC Teams Can Detect Phishkit Attacks 
Faster<\/h2>\n\n\n\n<p>Speed matters with phishkits. The sooner a team can see the full phishing chain in action, the sooner they can contain access, block infrastructure, and stop the same kit from hitting more users. A fast investigation comes from combining <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandboxing<\/a> with real-time <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">threat intelligence<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Send suspicious links straight to the sandbox<\/h3>\n\n\n\n<p>Instead of only blocking the URL, run it in an isolated environment to see what actually happens after the click: the redirects, the proxy behavior, and the final phishing page. Detonate from an environment the kit cannot attribute to you; kits that filter bots and scanners will serve a harmless page to a recognized analysis IP range or browser fingerprint, and a clean result from such a run proves nothing.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"799\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-3-1024x799.png\" alt=\"\" class=\"wp-image-17298\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-3-1024x799.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-3-300x234.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-3-768x599.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-3-1536x1198.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-3-370x289.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-3-270x211.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-3-385x300.png 385w, 
\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-3-740x577.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-3.png 1674w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Suspicious link ready for sandbox analysis<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Step 2: Interact with the page like a real user<\/h3>\n\n\n\n<p>Phishkits stay quiet until someone behaves like a victim. Clicking buttons, entering test credentials (decoy accounts only, never real ones: the kit forwards whatever you type straight to the operator), and moving through the flow triggers the session theft, MFA capture, and hidden scripts that a passive scan never reaches.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Watch the full chain unfold in real time<\/h3>\n\n\n\n<p>A live sandbox session shows every redirect, outbound connection, script call, and credential capture attempt, not just the final page.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"569\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-5-1024x569.png\" alt=\"\" class=\"wp-image-17301\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-5-1024x569.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-5-300x167.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-5-768x427.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-5-1536x853.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-5-2048x1138.png 2048w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-5-370x206.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-5-270x150.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-5-740x411.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Full attack chain with EvilProxy and Tycoon 2FA exposed in 40 seconds 
inside ANY.RUN sandbox<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Step 4: Pull fresh IOCs as the attack runs&nbsp;<\/h3>\n\n\n\n<p>Domains, IPs, URLs, scripts, and proxy infrastructure can be extracted&nbsp;immediately&nbsp;and pushed into blocking rules and hunting queries.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"734\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image4-2-1024x734.png\" alt=\"\" class=\"wp-image-17302\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image4-2-1024x734.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image4-2-300x215.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image4-2-768x551.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image4-2-1536x1102.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image4-2-370x265.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image4-2-270x194.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image4-2-740x531.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image4-2.png 1556w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Relevant IOCs\u00a0automatically\u00a0collected in one tab inside ANY.RUN sandbox<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Step 5: Enrich indicators with TI Lookup&nbsp;<\/h3>\n\n\n\n<p>With ANY.RUN&nbsp;<a href=\"https:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linktotilookup\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, analysts can instantly check whether the same domains, IPs, scripts, or redirect patterns were seen in past phishing or malware campaigns. 
This helps confirm phishkit families and link related activity.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"569\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image5-4-1024x569.png\" alt=\"\" class=\"wp-image-17303\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image5-4-1024x569.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image5-4-300x167.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image5-4-768x427.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image5-4-1536x854.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image5-4-2048x1138.png 2048w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image5-4-370x206.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image5-4-270x150.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image5-4-740x411.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Recent Tycoon 2FA analysis sessions found with the help of TI Lookup<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Using indicators from both the <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">sandbox<\/a> and <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, teams can quickly:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identify related infrastructure across past and current cases<\/li>\n<li>Detect active waves using the same phishkit<\/li>\n<li>Validate whether a campaign is isolated or part of a larger operation<\/li>\n<\/ul>\n\n\n\n<p>This workflow turns phishing triage from a slow, reactive task into a fast, repeatable investigation process, with confirmation in minutes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Track new infrastructure with Threat Intelligence Feeds<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" 
decoding=\"async\" width=\"1024\" height=\"524\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image6-2-1024x524.png\" alt=\"\" class=\"wp-image-17305\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image6-2-1024x524.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image6-2-300x153.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image6-2-768x393.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image6-2-1536x785.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image6-2-2048x1047.png 2048w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image6-2-370x189.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image6-2-270x138.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image6-2-585x300.png 585w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image6-2-740x378.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Feeds enriched with fresh data from 15,000 SOCs worldwide<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>ANY.RUN&#8217;s <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a> deliver fresh, actionable indicators of compromise (IOCs) sourced directly from live attack data across 15,000 SOCs, ensuring your security infrastructure stays ahead of emerging threats.<\/p>\n\n\n\n<p>With only 1% overlap with other sources, your team gains access to previously undiscovered threat intelligence that competitors miss. Every IOC comes enriched with detailed sandbox reports and contextual metadata, providing the forensic depth needed for rapid incident response and threat hunting. 
Real-time updates deliver a live view of the threat landscape as attacks unfold, enabling proactive defense before threats reach your perimeter.<\/p>\n\n\n\n<p>Integration is straightforward. TI Feeds <a href=\"https:\/\/any.run\/integrations\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linktointegrations\" target=\"_blank\" rel=\"noreferrer noopener\">connect directly to your existing SIEM, TIP, and SOAR platforms<\/a> via STIX\/TAXII or through a dedicated API and SDK, minimizing implementation overhead while maximizing threat coverage across your security stack.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Real Phishkit Examples Analyzed inside the ANY.RUN Sandbox<\/h2>\n\n\n\n<p>The following examples come from real attacks and show how different phishkits operate in live environments:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">TyKit: A Multi-Stage Microsoft 365 Phishkit in Action<\/h3>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/tykit-technical-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">TyKit<\/a> is a multi-stage phishing kit built to steal Microsoft 365 credentials at scale. It spreads through malicious SVG files that silently redirect victims to fake login pages protected by CAPTCHA and anti-bot checks. Once credentials are entered, they\u2019re sent straight to the attackers through a structured C2 API.<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/78f68113-7e05-44fc-968f-811c6a84463e\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session with TyKit<\/a><\/p>\n\n\n\n<p>The kit has been active since at least mid-2025 and has targeted organizations across finance, IT, government, telecom, and professional services worldwide. 
Its strength is simplicity: clean delivery, fast credential theft, and infrastructure&nbsp;that\u2019s&nbsp;easy to rotate.&nbsp;<\/p>\n\n\n\n<p>TyKit&nbsp;shows how modern&nbsp;phishkits&nbsp;don\u2019t&nbsp;need malware to succeed,&nbsp;just one clean login flow is enough.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tycoon 2FA: A&nbsp;Phishkit&nbsp;Built to Bypass MFA&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Tycoon 2FA<\/a>&nbsp;is a phishing-as-a-service platform designed to&nbsp;<strong>steal Microsoft 365 and Gmail accounts even when MFA is enabled<\/strong>. It works as an&nbsp;<strong>adversary-in-the-middle (AiTM)<\/strong>&nbsp;kit, using a reverse proxy to capture credentials, MFA codes, and active session cookies in real time.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/7a87388b-8e07-4944-8d65-1422f56d303f\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View real attack exposed inside ANY.RUN sandbox<\/a>&nbsp;<\/p>\n\n\n\n<p>What sets Tycoon 2FA apart is its constant&nbsp;<strong>evasion upgrades<\/strong>. Over time, it has added:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Rotating CAPTCHA systems\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Browser and sandbox fingerprinting\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multi-layer obfuscation (Base64, XOR, AES)\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fake 404 pages and legitimacy checks\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Long redirect chains to hide the true entry point\u00a0<\/li>\n<\/ul>\n\n\n\n<p>Once access is captured, attackers log in using a fully valid session. 
From a SOC view, it often looks like a normal user login until damage is already unfolding.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Mamba2FA: A Persistent Corporate&nbsp;Phishkit&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/any.run\/malware-trends\/mamba\/\" target=\"_blank\" rel=\"noreferrer noopener\">Mamba2FA<\/a>&nbsp;is a widely used&nbsp;<strong>phishkit&nbsp;built to steal corporate credentials<\/strong>, with repeated campaigns&nbsp;observed&nbsp;against organizations in the&nbsp;<strong>finance and manufacturing sectors<\/strong>. Like&nbsp;TyKit&nbsp;and Tycoon, it relies on clean phishing flows, fast infrastructure rotation, and live credential capture to move quickly before defenders can react.&nbsp;<\/p>\n\n\n\n<p>What makes Mamba2FA especially useful as an example is how clearly it shows the value of&nbsp;<strong>tracking&nbsp;phishkits&nbsp;as ongoing campaigns, not one-off incidents<\/strong>. If your organization has already&nbsp;encountered&nbsp;a specific kit, the worst mistake is treating it as \u201cclosed.\u201d&nbsp;<\/p>\n\n\n\n<p>Using&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN\u2019s&nbsp;Threat&nbsp;Intelligence&nbsp;Lookup<\/strong><\/a>, analysts can instantly surface:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>New sandbox analyses tied to the same\u00a0phishkit\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fresh phishing domains and URLs\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Recently reused infrastructure and scripts\u00a0<\/li>\n<\/ul>\n\n\n\n<p>To find recent Mamba2FA activity, teams can use a simple query like:&nbsp;<\/p>\n\n\n\n<p><a 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linktotilookup#{%22query%22:%22threatName:%5C%22mamba%5C%22%20AND%20domainName:%5C%22%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>threatName:\"mamba\" AND domainName:\"\"<\/strong><\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"590\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image7-1024x590.png\" alt=\"\" class=\"wp-image-17306\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image7-1024x590.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image7-300x173.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image7-768x442.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image7-1536x885.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image7-2048x1179.png 2048w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image7-370x213.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image7-270x155.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image7-740x426.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup provides a wealth of threat data on phishing kit attacks<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>This&nbsp;immediately&nbsp;reveals both new attacks and network indicators&nbsp;observed&nbsp;during live sandbox analysis.&nbsp;<\/p>\n\n\n\n<p>Instead of chasing isolated alerts, this approach turns&nbsp;phishkits&nbsp;like Mamba2FA into&nbsp;<strong>continuously&nbsp;monitored&nbsp;threats,<\/strong>&nbsp;making it much easier to spot repeat campaigns early and shut them down faster.&nbsp;<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\">Phishkit&nbsp;Evolution: Hybrid Threats&nbsp;<\/h3>\n\n\n\n<p>Phishkits&nbsp;are no longer&nbsp;operating&nbsp;in isolation. One of the most worrying shifts is the rise of&nbsp;<strong>hybrid phishing chains<\/strong>, where multiple kits are combined into a single attack. These blended campaigns mix different infrastructures, redirect logic, and credential-theft methods to make detection and attribution far more difficult.&nbsp;<\/p>\n\n\n\n<p>In recent enterprise-focused attacks, analysts have&nbsp;observed&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/salty2fa-tycoon2fa-hybrid-phishing-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Tycoon 2FA and Salty<\/strong><\/a><strong>&nbsp;working together in the same chain<\/strong>. One kit handles the&nbsp;initial&nbsp;lure and proxying, while the other takes over at later stages for credential capture, session hijacking, or follow-up delivery. For SOC teams, this breaks many traditional assumptions about how a \u201csingle\u201d phishing campaign should look.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/ccf7d689-7926-495d-b37f-d509536ff42b\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Check real-world analysis with Tycoon and Salty<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"569\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image8-3-1024x569.png\" alt=\"\" class=\"wp-image-17308\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image8-3-1024x569.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image8-3-300x167.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image8-3-768x427.png 768w, 
\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image8-3-1536x853.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image8-3-2048x1138.png 2048w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image8-3-370x206.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image8-3-270x150.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image8-3-740x411.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Hybrid attack with Salty and Tycoon detected inside ANY.RUN sandbox in just 35 seconds<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>Hybrid chains create several challenges at once:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Indicators belong to different kits, not just one\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Redirect paths change mid-attack\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Infrastructure overlaps across separate actor groups\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detection rules based on one kit alone often miss the full picture\u00a0<\/li>\n<\/ul>\n\n\n\n<p>This evolution shows where phishing is&nbsp;heading:&nbsp;<strong>modular, flexible attack chains built from multiple commercial kits<\/strong>. For defenders, that means investigations must focus on&nbsp;behavior&nbsp;and execution&nbsp;flow, &nbsp;not&nbsp;just kit names or static indicators.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Key Takeaways for SOC Readiness in 2026&nbsp;<\/h3>\n\n\n\n<p>Phishkits&nbsp;now shape how real-world phishing attacks are built, delivered, and scaled against organizations.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Phishing is now a real-time intrusion<\/strong>, not just a user mistake. 
Once a link is clicked, the compromise may already be underway.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>MFA alone is no longer enough:\u00a0<\/strong>Session hijacking turns traditional MFA into a speed bump, not a barrier.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Hybrid phishing chains are becoming common:\u00a0<\/strong>When multiple kits are combined in one attack, single-family detections fall short.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Behavior\u00a0matters more than static indicators:<\/strong>\u00a0Clean\u00a0emails, short-lived domains, and valid sessions leave\u00a0very little\u00a0to flag at first glance.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Speed defines outcome:\u00a0<\/strong>Minutes often decide whether an\u00a0incident stays\u00a0contained\u00a0or escalates.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Evasion must be assumed by default:\u00a0<\/strong>CAPTCHA abuse, fingerprinting, layered redirects, and sandbox checks are now standard tactics.\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">See It for Yourself&nbsp;<\/h2>\n\n\n\n<p>Phishkits&nbsp;behave very differently from what logs alone can show. A live run-through exposes even the most complex phishing chains,&nbsp;from redirects and proxy logic to live credential theft, often&nbsp;<strong>within the first 60 seconds of analysis in over 90% of cases<\/strong>. 
That speed alone can cut investigation time dramatically and help teams act before access spreads.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linktoregistration\" target=\"_blank\" rel=\"noreferrer noopener\">Explore interactive&nbsp;phishkit&nbsp;analysis with ANY.RUN<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;supports more than 15,000 organizations worldwide, including leaders in finance, healthcare, telecom, retail, and tech, helping them strengthen security operations and respond to threats with greater confidence.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Designed for speed and visibility, the solution blends&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive malware analysis<\/a>&nbsp;with live threat intelligence, giving SOC teams instant insight into attack&nbsp;behavior&nbsp;and the context needed to act faster.&nbsp;&nbsp;<\/p>\n\n\n\n<p>By integrating ANY.RUN\u2019s&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Phishkit_attacks_101&amp;utm_term=091225&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence<\/a>&nbsp;suite into your existing workflows, you can accelerate investigations, minimize breach impact, and build lasting resilience against evolving threats.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Frequently Asked Questions 
(FAQ)&nbsp;<\/h2>\n\n\n\n<div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1765360058346\"><strong class=\"schema-faq-question\">How is a\u00a0phishkit\u00a0different from regular phishing?\u00a0<\/strong> <p class=\"schema-faq-answer\">Traditional phishing often just steals usernames and passwords.\u00a0Phishkits\u00a0go much further. They can:\u00a0<br\/>&#8211; Intercept live sessions\u00a0<br\/>&#8211; Bypass MFA in real time\u00a0<br\/>&#8211; Rotate domains automatically\u00a0<br\/>&#8211; Filter out bots and security scanners\u00a0<br\/>This turns phishing into a full attack platform, not just a fake page.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1765360068867\"><strong class=\"schema-faq-question\">Can\u00a0phishkits\u00a0bypass MFA?\u00a0<\/strong> <p class=\"schema-faq-answer\">Yes. Many modern\u00a0phishkits\u00a0use\u00a0<strong>adversary-in-the-middle (AiTM)<\/strong>\u00a0techniques through reverse proxies. They capture credentials, MFA codes, and session cookies at the same time. Attackers then reuse the stolen session to log in without triggering MFA again.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1765360091922\"><strong class=\"schema-faq-question\">Do\u00a0phishkit\u00a0attacks use malware?\u00a0<\/strong> <p class=\"schema-faq-answer\">Often, no. Many\u00a0phishkit\u00a0campaigns start with\u00a0<strong>no malware at all<\/strong>. The compromise happens entirely through web-based credential theft. 
Malware may appear later for persistence or lateral movement, but the\u00a0initial\u00a0access is usually \u201cclean.\u201d\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1765360097102\"><strong class=\"schema-faq-question\">What are the most common signs of a\u00a0phishkit\u00a0attack?\u00a0<\/strong> <p class=\"schema-faq-answer\">Early warning signs may include unusual redirect chains before a login page appears, very short-lived phishing domains, CAPTCHA on unexpected login flows, new mailbox\u00a0forwarding\u00a0rules, or login activity from unfamiliar locations\u00a0immediately\u00a0after authentication.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1765360104949\"><strong class=\"schema-faq-question\">Is blocking phishing domains enough to stop\u00a0phishkits?\u00a0<\/strong> <p class=\"schema-faq-answer\">No. Domain blocking alone is not enough because phishing domains rotate quickly, redirect chains change constantly, and infrastructure is reused across campaigns.\u00a0Behavioral\u00a0detection and live analysis are now essential.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1765360118495\"><strong class=\"schema-faq-question\">Will phishing get worse with\u00a0phishkits\u00a0in 2026?\u00a0<\/strong> <p class=\"schema-faq-answer\">Yes.\u00a0Phishkits\u00a0are becoming more automated, more modular, harder to attribute, and better at evading scanners and sandboxes. 
Hybrid chains that combine multiple\u00a0phishkits\u00a0in one attack are already becoming common.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1765360124989\"><strong class=\"schema-faq-question\">What is the best long-term\u00a0defense\u00a0against\u00a0phishkit\u00a0attacks?\u00a0<\/strong> <p class=\"schema-faq-answer\">A strong long-term\u00a0defense\u00a0combines phishing-resistant MFA such as FIDO2 or certificate-based authentication, live sandbox analysis, continuous IOC enrichment,\u00a0<a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-in-ti-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">threat intelligence feeds<\/a>, and SOC playbooks built around\u00a0behavioral detection. Because\u00a0phishkits\u00a0evolve constantly,\u00a0defense\u00a0must be continuous, not one-time.\u00a0<\/p> <\/div> <\/div>\n\n\n\n","protected":false},"excerpt":{"rendered":"<p>Phishing&nbsp;used to be easy to spot. Now it looks clean, trusted, and almost perfect. Behind it are&nbsp;phishkits;&nbsp;ready-made attack platforms built to steal credentials, bypass MFA, and hijack live sessions in seconds.&nbsp; For SOC teams, one click starts the countdown. 
What looks like a routine alert can already be a live account takeover.&nbsp; Here\u2019s&nbsp;how these attacks&nbsp;actually [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":17294,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[57,10,34],"class_list":["post-17291","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-training","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Phishkit Attacks Explained: How SOC Teams Respond<\/title>\n<meta name=\"description\" content=\"See how today\u2019s phishing attacks work and how security teams can expose hidden chains, capture fresh IOCs, and respond faster.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\n\t    \"@context\": \"https:\/\/schema.org\",\n\t    \"@graph\": [\n\t        {\n\t            \"@type\": \"Article\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#article\",\n\t            \"isPartOf\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/\"\n\t            },\n\t            \"author\": {\n\t                \"name\": \"ANY.RUN\",\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"headline\": \"Phishing Kit\u00a0Attacks 101: Everything SOC Analysts Should\u00a0Know\u00a0\",\n\t            \"datePublished\": \"2025-12-10T10:00:49+00:00\",\n\t            \"dateModified\": \"2025-12-10T10:03:16+00:00\",\n\t            \"mainEntityOfPage\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/\"\n\t            },\n\t            \"wordCount\": 2469,\n\t            \"commentCount\": 0,\n\t            \"publisher\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"keywords\": [\n\t                \"ANYRUN\",\n\t                \"cybersecurity\",\n\t                \"malware analysis\"\n\t            ],\n\t            \"articleSection\": [\n\t                \"Analyst Training\"\n\t            ],\n\t            \"inLanguage\": \"en-US\",\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"CommentAction\",\n\t                    \"name\": \"Comment\",\n\t                    \"target\": [\n\t                        \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#respond\"\n\t                    ]\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": [\n\t                \"WebPage\",\n\t                \"FAQPage\"\n\t        
    ],\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/\",\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/\",\n\t            \"name\": \"Phishkit Attacks Explained: How SOC Teams Respond\",\n\t            \"isPartOf\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"datePublished\": \"2025-12-10T10:00:49+00:00\",\n\t            \"dateModified\": \"2025-12-10T10:03:16+00:00\",\n\t            \"description\": \"See how today\u2019s phishing attacks work and how security teams can expose hidden chains, capture fresh IOCs, and respond faster.\",\n\t            \"breadcrumb\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#breadcrumb\"\n\t            },\n\t            \"mainEntity\": [\n\t                {\n\t                    \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360058346\"\n\t                },\n\t                {\n\t                    \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360068867\"\n\t                },\n\t                {\n\t                    \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360091922\"\n\t                },\n\t                {\n\t                    \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360097102\"\n\t                },\n\t                {\n\t                    \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360104949\"\n\t                },\n\t                {\n\t                    \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360118495\"\n\t                },\n\t                {\n\t                    \"@id\": 
\"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360124989\"\n\t                }\n\t            ],\n\t            \"inLanguage\": \"en-US\",\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"ReadAction\",\n\t                    \"target\": [\n\t                        \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/\"\n\t                    ]\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"BreadcrumbList\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#breadcrumb\",\n\t            \"itemListElement\": [\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 1,\n\t                    \"name\": \"Home\",\n\t                    \"item\": \"https:\/\/any.run\/cybersecurity-blog\/\"\n\t                },\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 2,\n\t                    \"name\": \"Analyst Training\",\n\t                    \"item\": \"https:\/\/any.run\/cybersecurity-blog\/category\/training\/\"\n\t                },\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 3,\n\t                    \"name\": \"Phishing Kit\u00a0Attacks 101: Everything SOC Analysts Should\u00a0Know\u00a0\"\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"WebSite\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"url\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN&#039;s Cybersecurity Blog\",\n\t            \"description\": \"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\n\t            \"publisher\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"potentialAction\": [\n\t            
    {\n\t                    \"@type\": \"SearchAction\",\n\t                    \"target\": {\n\t                        \"@type\": \"EntryPoint\",\n\t                        \"urlTemplate\": \"https:\/\/any.run\/?s={search_term_string}\"\n\t                    },\n\t                    \"query-input\": \"required name=search_term_string\"\n\t                }\n\t            ],\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Organization\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN\",\n\t            \"url\": \"https:\/\/any.run\/\",\n\t            \"logo\": {\n\t                \"@type\": \"ImageObject\",\n\t                \"inLanguage\": \"en-US\",\n\t                \"@id\": \"https:\/\/any.run\/\",\n\t                \"url\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\n\t                \"contentUrl\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\n\t                \"width\": 1,\n\t                \"height\": 1,\n\t                \"caption\": \"ANY.RUN\"\n\t            },\n\t            \"image\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"sameAs\": [\n\t                \"https:\/\/www.facebook.com\/www.any.run\/\",\n\t                \"https:\/\/twitter.com\/anyrun_app\",\n\t                \"https:\/\/www.linkedin.com\/company\/30692044\",\n\t                \"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"Person\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN\",\n\t            \"image\": {\n\t                \"@type\": \"ImageObject\",\n\t                \"inLanguage\": \"en-US\",\n\t                \"@id\": \"https:\/\/any.run\/\",\n\t                \"url\": 
\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\n\t                \"contentUrl\": \"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\n\t                \"caption\": \"ANY.RUN\"\n\t            },\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"\n\t        },\n\t        {\n\t            \"@type\": \"Question\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360058346\",\n\t            \"position\": 1,\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360058346\",\n\t            \"name\": \"How is a\u00a0phishkit\u00a0different from regular phishing?\u00a0\",\n\t            \"answerCount\": 1,\n\t            \"acceptedAnswer\": {\n\t                \"@type\": \"Answer\",\n\t                \"text\": \"Traditional phishing often just steals usernames and passwords.\u00a0Phishkits\u00a0go much further. They can:\u00a0<br\/>- Intercept live sessions\u00a0<br\/>- Bypass MFA in real time\u00a0<br\/>- Rotate domains automatically\u00a0<br\/>- Filter out bots and security scanners\u00a0<br\/>This turns phishing into a full attack platform, not just a fake page.\u00a0\",\n\t                \"inLanguage\": \"en-US\"\n\t            },\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Question\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360068867\",\n\t            \"position\": 2,\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360068867\",\n\t            \"name\": \"Can\u00a0phishkits\u00a0bypass MFA?\u00a0\",\n\t            \"answerCount\": 1,\n\t            \"acceptedAnswer\": {\n\t                \"@type\": \"Answer\",\n\t                \"text\": \"Yes. 
Many modern phishkits use <strong>adversary-in-the-middle (AiTM)<\/strong> techniques through reverse proxies. The proxy relays the victim's login to the real service, so the password and one-time MFA code are consumed legitimately while the kit records them together with the session cookie the service issues. Attackers then replay that cookie to enter the already-authenticated session without triggering MFA again.\",\n\t                \"inLanguage\": \"en-US\"\n\t            },\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Question\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360091922\",\n\t            \"position\": 3,\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360091922\",\n\t            \"name\": \"Do phishkit attacks use malware?\",\n\t            \"answerCount\": 1,\n\t            \"acceptedAnswer\": {\n\t                \"@type\": \"Answer\",\n\t                \"text\": \"Often, no. Many phishkit campaigns start with <strong>no malware at all<\/strong>. The compromise happens entirely through web-based credential theft. 
Malware may appear later for persistence or lateral movement, but the initial access is usually \u201cclean\u201d: nothing is dropped on the endpoint, so the evidence lives in identity, sign-in, and mailbox audit logs rather than in endpoint telemetry.\",\n\t                \"inLanguage\": \"en-US\"\n\t            },\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Question\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360097102\",\n\t            \"position\": 4,\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360097102\",\n\t            \"name\": \"What are the most common signs of a phishkit attack?\",\n\t            \"answerCount\": 1,\n\t            \"acceptedAnswer\": {\n\t                \"@type\": \"Answer\",\n\t                \"text\": \"Early warning signs include unusual redirect chains before a login page appears, very short-lived phishing domains, a CAPTCHA or bot check in front of an unexpected login flow, new mailbox forwarding rules, and a second sign-in from an unfamiliar location or device that reuses the session immediately after the legitimate authentication.\",\n\t                \"inLanguage\": \"en-US\"\n\t            },\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Question\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360104949\",\n\t            \"position\": 5,\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360104949\",\n\t            \"name\": \"Is blocking phishing domains enough to stop phishkits?\",\n\t            \"answerCount\": 1,\n\t            \"acceptedAnswer\": {\n\t                \"@type\": \"Answer\",\n\t                \"text\": \"No. 
Domain blocking alone is not enough because phishing domains rotate quickly, redirect chains change constantly, and the same backend infrastructure is reused behind many lure domains, so blocking one domain rarely touches the kit itself. Behavioral detection and live analysis are now essential.\",\n\t                \"inLanguage\": \"en-US\"\n\t            },\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Question\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360118495\",\n\t            \"position\": 6,\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360118495\",\n\t            \"name\": \"Will phishing get worse with phishkits in 2026?\",\n\t            \"answerCount\": 1,\n\t            \"acceptedAnswer\": {\n\t                \"@type\": \"Answer\",\n\t                \"text\": \"Yes. Phishkits are becoming more automated, more modular, harder to attribute, and better at evading scanners and sandboxes. 
Hybrid chains that combine multiple phishkits in one attack are already becoming common.\",\n\t                \"inLanguage\": \"en-US\"\n\t            },\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Question\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360124989\",\n\t            \"position\": 7,\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#faq-question-1765360124989\",\n\t            \"name\": \"What is the best long-term defense against phishkit attacks?\",\n\t            \"answerCount\": 1,\n\t            \"acceptedAnswer\": {\n\t                \"@type\": \"Answer\",\n\t                \"text\": \"A strong long-term defense combines phishing-resistant MFA such as FIDO2 or certificate-based authentication (the authentication is bound to the legitimate origin, so an AiTM proxy obtains nothing it can replay), live sandbox analysis, continuous IOC enrichment, <a href=\\\"https:\/\/any.run\/cybersecurity-blog\/indicators-in-ti-feeds\/\\\" target=\\\"_blank\\\" rel=\\\"noreferrer noopener\\\">threat intelligence feeds<\/a>, and SOC playbooks built around behavioral detection. Because phishkits evolve constantly, defense must be continuous, not one-time.\",\n\t                \"inLanguage\": \"en-US\"\n\t            },\n\t            \"inLanguage\": \"en-US\"\n\t        }\n\t    ]\n\t}<\/script>\n<!-- \/ Yoast SEO plugin. 
 -->","yoast_head_json":{"title":"Phishkit Attacks Explained: How SOC Teams Respond","description":"See how today\u2019s phishing attacks work and how security teams can expose hidden chains, capture fresh IOCs, and respond faster.","canonical":"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/","twitter_misc":{"Written by":"ANY.RUN","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Phishing Kit Attacks 101: Everything SOC Analysts Should Know","datePublished":"2025-12-10T10:00:49+00:00","dateModified":"2025-12-10T10:03:16+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/"},"wordCount":2469,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Analyst Training"],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}}}
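The FAQ answers above describe two things a SOC can actually look for after a phishkit click: a freshly issued session being reused from a second client without a new MFA prompt, and a mailbox forwarding rule created right after sign-in. The following is an added example, not code from ANY.RUN or from the article: it correlates constructed sign-in, session-activity and mailbox-audit events (a provider-neutral approximation, not any vendor's log schema; the field names `ts`, `type`, `user`, `ip`, `ua`, `session`, `action`, `target` and the 15-minute window are assumptions) and raises an alert when the session issued at authentication is used by a different IP/user-agent pair, or when a forwarding rule appears inside the window.

```python
"""Correlate identity and mailbox audit events to spot the two post-click
symptoms of an AiTM phishkit: replay of a freshly issued session from a
second client, and a forwarding rule created right after sign-in.
Added example; the event shape is a constructed, provider-neutral
approximation of sign-in and mailbox-audit logs, not any vendor's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from a real tenant). Times are UTC.
# alice: legitimate MFA sign-in from her laptop, then the same session id
# reappears two minutes later from a different IP and browser, which then
# adds a forwarding rule. bob: ordinary session, plus a late event from a
# second device that falls outside the window and is therefore not flagged.
EVENTS = [
    {"ts": "2025-12-10T09:00:05", "type": "signin", "user": "alice", "ip": "198.51.100.20",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/131", "session": "S-alice-1", "mfa": True},
    {"ts": "2025-12-10T09:02:11", "type": "activity", "user": "alice", "ip": "203.0.113.7",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/133", "session": "S-alice-1"},
    {"ts": "2025-12-10T09:03:40", "type": "mailbox_rule", "user": "alice", "ip": "203.0.113.7",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/133", "session": "S-alice-1",
     "action": "forward", "target": "rcpt@example.net"},
    {"ts": "2025-12-10T09:10:00", "type": "signin", "user": "bob", "ip": "198.51.100.44",
     "ua": "Mozilla/5.0 (Macintosh) Safari/18", "session": "S-bob-1", "mfa": True},
    {"ts": "2025-12-10T09:15:00", "type": "activity", "user": "bob", "ip": "198.51.100.44",
     "ua": "Mozilla/5.0 (Macintosh) Safari/18", "session": "S-bob-1"},
    {"ts": "2025-12-10T09:55:00", "type": "activity", "user": "bob", "ip": "198.51.100.90",
     "ua": "Mozilla/5.0 (iPhone) Safari/18", "session": "S-bob-1"},
]

# Assumed tuning knob: how long after sign-in counts as "immediately after".
# A patient attacker can wait longer, so widen this if session lifetimes allow.
WINDOW = timedelta(minutes=15)


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def detect(events, window=WINDOW):
    """Return a list of (user, rule, detail) alerts, in time order."""
    alerts = []
    by_session = defaultdict(list)
    for ev in sorted(events, key=_t):
        by_session[ev["session"]].append(ev)

    for sid, evs in by_session.items():
        signin = next((e for e in evs if e["type"] == "signin"), None)
        if signin is None:
            continue  # no authentication seen for this session id; nothing to anchor on
        origin = (signin["ip"], signin["ua"])
        deadline = _t(signin) + window
        replayed_from = set()  # one alert per (session, foreign client) pair
        for ev in evs:
            if ev is signin or _t(ev) > deadline:
                continue
            client = (ev["ip"], ev["ua"])
            # Rule 1: the session cookie is being used by a client that never authenticated.
            if client != origin and client not in replayed_from:
                replayed_from.add(client)
                alerts.append((ev["user"], "session_replay",
                               f"session {sid} issued to {origin[0]} used from {ev['ip']} ({ev['ua']})"))
            # Rule 2: forwarding rule created shortly after sign-in, the usual AiTM follow-up.
            if ev["type"] == "mailbox_rule" and ev.get("action") == "forward":
                delay = int((_t(ev) - _t(signin)).total_seconds())
                alerts.append((ev["user"], "post_login_forwarding_rule",
                               f"forward to {ev['target']} created {delay}s after sign-in"))
    return alerts


if __name__ == "__main__":
    for user, rule, detail in detect(EVENTS):
        print(f"{user:6} {rule:28} {detail}")
```

Rule 1 is the direct signature of the cookie replay described in the AiTM answer: the identity provider sees no new authentication, so the only thing that changes is who is presenting the session. Rule 2 catches the persistence step that needs no malware. Both rules key on the session identifier, so they only work where your sign-in and activity logs expose one; where they do not, the nearest substitute is correlating on user plus a tight time window, which is noisier.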