
New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale

Medium
Phishing, rce
Published: Fri Dec 12 2025 (12/12/2025, 14:04:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have documented four new phishing kits named BlackForce, GhostFrame, InboxPrime AI, and Spiderman that are capable of facilitating credential theft at scale. BlackForce, first detected in August 2025, is designed to steal credentials and perform Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). The kit

AI-Powered Analysis

Last updated: 12/12/2025, 14:16:45 UTC

Technical Analysis

Recent cybersecurity research has uncovered four sophisticated phishing kits—BlackForce, GhostFrame, InboxPrime AI, and Spiderman—that utilize artificial intelligence and advanced evasion tactics to steal user credentials at scale. BlackForce, first identified in August 2025, is particularly notable for its capability to conduct Man-in-the-Browser (MitB) attacks, enabling it to intercept one-time passwords (OTPs) and effectively bypass multi-factor authentication (MFA) protections. These kits automate the phishing process, increasing the volume and success rate of credential theft campaigns. The use of AI allows these kits to craft more convincing phishing pages and potentially adapt dynamically to evade detection. By capturing both primary credentials and secondary authentication tokens, these kits undermine the security benefits of MFA, which many organizations rely on to secure user access. Although no known exploits have been reported in the wild yet, the technical sophistication and scale potential make these kits a significant emerging threat. The kits do not require complex user interaction beyond standard phishing engagement, making them accessible to a wide range of attackers. The threat landscape is evolving as attackers integrate AI and MitB techniques to circumvent traditional security controls, necessitating updated defensive strategies.

Potential Impact

For European organizations, the emergence of these advanced phishing kits poses a critical risk to the confidentiality and integrity of user credentials and sensitive data. Organizations with widespread MFA deployment may experience a false sense of security, as these kits specifically target MFA mechanisms to bypass them. Successful credential theft can lead to unauthorized access to corporate networks, financial fraud, data breaches, and disruption of services. The automation and AI-driven nature of these kits allow attackers to scale attacks rapidly, increasing the likelihood of successful compromises across multiple sectors including finance, healthcare, government, and critical infrastructure. The potential for Man-in-the-Browser attacks further exacerbates the threat by enabling attackers to manipulate transactions and communications in real-time without detection. This could lead to significant financial losses, reputational damage, and regulatory penalties under GDPR for failure to protect personal data. The evolving threat landscape demands heightened vigilance and adaptive security measures to mitigate these risks effectively.

Mitigation Recommendations

European organizations should implement multi-layered defenses beyond standard MFA to mitigate these threats. Deploy phishing-resistant MFA methods such as hardware security keys (FIDO2/WebAuthn) or certificate-based authentication that are not vulnerable to MitB interception. Enhance user awareness programs focusing on recognizing sophisticated phishing tactics and the risks of interacting with unsolicited links or attachments. Implement real-time monitoring and anomaly detection systems capable of identifying unusual authentication patterns and MitB activity. Employ browser isolation or endpoint detection and response (EDR) solutions to detect and block MitB malware. Regularly update and patch all software to reduce attack surface. Conduct phishing simulation exercises to test and improve organizational resilience. Collaborate with threat intelligence sharing platforms to stay informed about emerging phishing kits and tactics. Finally, enforce strict access controls and network segmentation to limit the impact of compromised credentials.


Technical Details

Article Source
{"url":"https://thehackernews.com/2025/12/new-advanced-phishing-kits-use-ai-and.html","fetched":true,"fetchedAt":"2025-12-12T14:16:31.716Z","wordCount":2092}

Threat ID: 693c23bffd2a1aad42520e34

Added to database: 12/12/2025, 2:16:31 PM

Last enriched: 12/12/2025, 2:16:45 PM

Last updated: 12/12/2025, 4:31:27 PM
