Sophisticated Phishing Campaigns Leveraging Advanced Kits and Evasion Techniques
Cybercriminals are increasingly utilizing advanced Phishing-as-a-Service (PhaaS) kits to conduct large-scale, targeted phishing campaigns that impersonate trusted brands and institutions. These kits, which have doubled in number over the past year, enable even less-skilled attackers to deploy sophisticated attacks at scale by incorporating features such as URL obfuscation, MFA bypass, CAPTCHA abuse, and the use of malicious QR codes and attachments. Threat analysts have observed a surge in new PhaaS entrants, including Cephas, Whisper 2FA, and GhostFrame, alongside established kits like Tycoon 2FA and Mamba 2FA. Attackers are also leveraging AI, social engineering, and polymorphic techniques to evade detection, making it increasingly difficult for organizations to defend against these threats with static security controls alone.
Technical analysis reveals that phishing infrastructure is evolving to include fake verification pages, such as counterfeit Cloudflare Turnstile challenges, which act as intelligent traffic filtering gates. These pages use browser fingerprinting, geolocation, and proxy detection to selectively deliver malicious payloads to high-confidence victims while evading security researchers and automated defenses. The fake verification pages closely mimic legitimate branding and user experience, including fabricated Ray IDs and links to real policy documents, to build trust and bypass scrutiny. Security experts recommend adopting layered defenses, including phishing-resistant MFA, continuous monitoring, and integrated email security, to counter these increasingly sophisticated phishing operations.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Technical analysis exposed fake Cloudflare gate's data collection
Analysis showed the fake verification page did not load official Cloudflare JavaScript and instead used client-side scripts and server-side APIs to collect browser and environment data for exfiltration. Researchers confirmed the infrastructure functioned as a malicious traffic distribution system and was not affiliated with Cloudflare.
Fake Cloudflare Turnstile phishing gate campaign observed
Researchers observed a phishing campaign using a fake Cloudflare Turnstile page as an intelligent traffic filtering gate targeting French users. The infrastructure used browser fingerprinting, geolocation, proxy detection, and redirects to a legitimate French news site to block researchers and non-target traffic while serving phishing content to likely victims.
Malicious domains for fake Cloudflare gate were newly registered
The phishing infrastructure analyzed in the campaign relied on newly registered domains used to host a fake Cloudflare Turnstile verification page and related backend services. The setup was designed to support selective victim filtering and payload delivery.
Attackers adopted advanced phishing kit evasion techniques in 2025
Throughout 2025, phishing kits were observed using AI, URL obfuscation, CAPTCHA abuse, malicious QR codes, and polymorphic techniques to improve delivery and evade detection. Named kits including Tycoon 2FA, Mamba 2FA, Cephas, Whisper 2FA, GhostFrame, Sneaky 2FA, and CoGUI were cited as examples of this trend.
Active PhaaS kits doubled during 2025
Barracuda Networks reported that the number of active phishing-as-a-service kits doubled in 2025, reflecting broader criminal adoption of more capable phishing tooling. The kits increasingly incorporated MFA bypass, evasion features, and abuse of trusted platforms.
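The finding that the fake verification page did not load official Cloudflare JavaScript suggests a simple triage check, shown here as an added example that is not from the cited analysis or from Mallory. It flags HTML that shows Turnstile-style branding but pulls no script from challenges.cloudflare.com, the host that serves the genuine Turnstile api.js; the marker list, threshold, and sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host serving the genuine Turnstile widget script (api.js).
OFFICIAL_HOST = "challenges.cloudflare.com"
# Heuristic branding markers (assumed list, tune for your environment).
BRAND_MARKERS = ("cloudflare", "ray id", "verify you are human", "cf-turnstile")


class _PageScan(HTMLParser):
    """Collect external script hosts plus lower-cased text and attribute values."""

    def __init__(self):
        super().__init__()
        self.script_hosts = set()
        self.haystack = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:  # boolean attributes such as async/defer
                continue
            self.haystack.append(value.lower())
            if tag == "script" and name == "src":
                # Relative URLs have no hostname and are recorded as same-origin ("").
                self.script_hosts.add(urlparse(value).hostname or "")

    def handle_data(self, data):
        self.haystack.append(data.lower())


def assess(html: str) -> dict:
    """Flag pages that show Turnstile-style branding without the official script."""
    scan = _PageScan()
    scan.feed(html)
    text = " ".join(scan.haystack)
    markers = [m for m in BRAND_MARKERS if m in text]
    official = OFFICIAL_HOST in scan.script_hosts  # exact match rejects lookalike hosts
    return {"markers": markers, "script_hosts": sorted(scan.script_hosts),
            "loads_official_script": official,
            "suspicious": len(markers) >= 2 and not official}


# Constructed sample pages (not taken from the campaign).
FAKE = """<html><body><h1>Verify you are human</h1>
<div class="cf-turnstile"></div><p>Ray ID: 0000000000000000</p>
<script src="/assets/check.js"></script>
<script src="https://challenges.cloudflare.com.cdn.example/turnstile/v0/api.js"></script>
</body></html>"""
REAL = """<html><body><div class="cf-turnstile" data-sitekey="SITEKEY-PLACEHOLDER"></div>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</body></html>"""
```

Treat a hit as a signal for sandbox or analyst review rather than a verdict: a page that does load the official script is not thereby legitimate.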
Sources
How Phishing Kits Targeting U.S. Giants Are Built, Sold, and Deployed (socradar.io)
Cybercriminals are scaling phishing attacks with ready-made kits (helpnetsecurity.com)
Analysis of a Fake Cloudflare Turnstile Used as a Traffic Filtering Gate (malwr-analysis.com)


