socradar.io 4/10/2026, 12:31:18 PM

Phishing kits bypass MFA, target US firms with AiTM at scale

CyberSIXT Evidence Panel
Primary source: microsoft.com
Threat actor: 🇷🇺 Void Blizzard

Phishing kits targeting U.S. giants now operate at scale, with modern AiTM architectures capturing usernames, passwords and even MFA session cookies, enabling attackers to access accounts even after an MFA challenge has been completed. By mid-2025, Tycoon 2FA alone accounted for 62% of all phishing attempts blocked by Microsoft, and reportedly sent more than 30 million malicious emails in a single month to over 500,000 organisations.

The ecosystem blends criminal and state-sponsored tooling: open-source AiTM frameworks are used by both financially motivated actors and nation-state groups such as Russia’s Star Blizzard and Void Blizzard, and Evilginx is capable of bypassing Windows Hello for Business authentication. Pricing and distribution mirror legitimate software businesses, with Tycoon 2FA, EvilProxy, W3LL Panel and Rockstar 2FA offering subscription models, backed by Telegram channels and dark-web forums to reach buyers.

Delivery methods increasingly rely on trusted cloud infrastructure and QR code phishing alongside traditional email, as providers like Cloudflare Pages, Azure Blob Storage, Google Firebase, AWS CloudFront and Amazon S3 host phishing assets. According to Microsoft, the Evilginx phishing kit has been used by multiple threat actors, from Storm-0485 to Star Blizzard, underscoring the real-world breadth of this threat.

Law enforcement actions have disrupted operations, but the market tends to rebrand and shift infrastructure quickly, leaving MFA alone inadequate and pushing organisations toward phishing-resistant authentication and continuous session monitoring.
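As an added example (not part of the CyberSIXT summary or Microsoft's report), a minimal session-monitoring check of the kind the paragraph above points to: given constructed identity-provider events, it flags a session cookie that is presented from a different network or browser than the client that completed MFA, which is the footprint a stolen AiTM cookie leaves when it is replayed. The field names, ASN labels, sample addresses and the 8-hour window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SessionEvent:
    ts: datetime
    user: str
    session_id: str   # opaque identifier the IdP logs for the session cookie (assumed field)
    ip: str
    asn: str          # network owner as resolved by the log pipeline (assumed field)
    user_agent: str
    kind: str         # "auth_mfa" (MFA completed) or "token_use" (cookie presented)

def detect_session_replay(events, window=timedelta(hours=8)):
    """Return (user, session_id, ip, reasons) for every cookie presented from a
    different network or browser than the one that completed MFA.

    Caveat: in an AiTM flow the IdP sees the proxy as the authenticating client,
    so the MFA event itself may already carry an unusual ASN; this rule only
    catches the cookie being used from yet another client within `window`."""
    origin, alerts = {}, []
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "auth_mfa":
            origin[e.session_id] = e      # remember who completed the MFA challenge
            continue
        o = origin.get(e.session_id)
        if o is None or e.ts - o.ts > window:
            continue
        reasons = []
        if e.asn != o.asn:
            reasons.append(f"asn {o.asn}->{e.asn}")
        if e.user_agent != o.user_agent:
            reasons.append("user-agent changed")
        if reasons:
            alerts.append((e.user, e.session_id, e.ip, reasons))
    return alerts

# Constructed sample log; addresses come from RFC 5737 documentation ranges.
T0 = datetime(2025, 6, 1, 9, 0)
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/126"
SAMPLE_EVENTS = [
    SessionEvent(T0, "alice", "s-1", "203.0.113.10", "AS-CORP", CHROME, "auth_mfa"),
    SessionEvent(T0 + timedelta(minutes=2), "alice", "s-1", "203.0.113.10", "AS-CORP", CHROME, "token_use"),
    # Same cookie presented 11 minutes later from a hosting provider by a scripted client.
    SessionEvent(T0 + timedelta(minutes=11), "alice", "s-1", "198.51.100.7", "AS-HOSTING", "python-requests/2.31", "token_use"),
    SessionEvent(T0, "bob", "s-2", "203.0.113.22", "AS-CORP", CHROME, "auth_mfa"),
    SessionEvent(T0 + timedelta(hours=1), "bob", "s-2", "203.0.113.22", "AS-CORP", CHROME, "token_use"),
]
```

Running `detect_session_replay(SAMPLE_EVENTS)` yields one alert for alice's session and none for bob's; on real data, pair this with a short-lived cookie lifetime so the replay window the attacker has is as narrow as the check's.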


Article by CyberSIXT