Threats Tagged 'phishing-as-a-service'

BlueKit operates as a mature commercial Phishing-as-a-Service platform offering 87 ready-made phishing kits targeting banks, cloud services, cryptocurrency exchanges, and global brands. The platform features subscription-based access, automated account takeover capabilities, peer-to-peer infrastructure for stealth, and integrated anti-detection tooling. BlueKit supports credential harvesting, session hijacking, and automated post-compromise workflows including password resets and passkey enrollment. The platform includes bulk SMS phishing capabilities, Telegram notifications, hardware wallet seed phrase harvesting, and integration with anti-detect browsers. Operating through Tor and clearnet domains with cryptocurrency payments, BlueKit employs a reseller model enabling white-label redistribution. The platform significantly lowers technical barriers for cybercriminals while providing enterprise-grade phishing infrastructure, posing critical threats to financial institutions, cloud environments, and cryptoc...

An investigation into phishing activity targeting users across the Middle East and North Africa uncovered SniperDz, a centralized Push-Notification-as-a-Service and Phishing-as-a-Service platform. The operation uses fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations to promote fake offers including free mobile internet packages and financial compensation. Victims are redirected through trusted link-aggregation services like Linktree and Linkbio to evade detection. SniperDz provides 80 phishing templates mimicking over 30 global brands across financial services, social media, streaming, and gaming platforms. The infrastructure employs browser notification abuse, history manipulation creating a back-button prison, premium SMS subscriptions, premium-rate calls, investment scams, and affiliate marketing for monetization. Analysis revealed over 900 suspicious domains linked to shared hosting infrastructure and a recurring VAPID public key connecting multiple campai...

MediumCampaignAlgeria#sniperdz#phishing-as-a-service#browser hijacking

An advanced voicemail-themed phishing campaign is utilizing HTML attachments to hijack Microsoft 365 sessions through silent OAuth exploitation. Emails arrive spoofing legitimate businesses with fake voicemail notifications containing embedded HTML files. When victims click the play button, the kit triggers a rogue OAuth 2.0 request using the prompt=none parameter to steal authentication tokens from active M365 sessions. If no active session exists, victims are redirected to credential harvesters hosted on compromised infrastructure, specifically a Turkish domain hosting over 100 active campaign directories. The operation includes multiple attack vectors: fake login portals mimicking DocuSign, Outlook and Google, OAuth device code phishing interfaces, and RMM deployment disguised as document viewers. This represents a sophisticated Phishing-as-a-Service operation deploying concurrent attack types from consolidated infrastructure.

A sophisticated smishing and phishing operation active since the second half of 2025 has impersonated over 267 brands across 72 countries, with particular concentration in Latin America. The campaign generated 4,389 phishing domain instances, with Mexico accounting for 1,851 cases. Telecommunications is the most targeted sector with 1,754 instances, followed by financial services and consumer rewards programs. The operation employs fake Cloudflare error pages as decoys, revealing malicious content only to victims matching specific geofencing and mobile device criteria. Data exfiltration occurs through encrypted WebSocket channels using binary encoded payloads. Approximately 30% of infrastructure is hosted on Tencent Cloud and Alibaba US servers, fronted by Cloudflare to mask hosting IPs. The attack chain progresses from SMS lures through progressive credential harvesting, ultimately capturing complete credit card details including CVV codes.

MediumCampaignAustraliaChileColombia+3#brand impersonation#credit card theft#smishing

A significant expansion of the Kali365 phishing-as-a-service operation has been observed, now targeting multiple platforms beyond Microsoft 365. The operator abuses OAuth 2.0 device authorization flows to bypass MFA and steal authentication tokens. Key discoveries include a live command-and-control panel infrastructure, a phishing campaign impersonating MAX Messenger (Russia's state-backed messaging platform with 110 million users) through fake prize-claim flows, and a cluster of 126 malicious hosts impersonating services including Microsoft Outlook, Okta SSO, Xerox DocuShare, Mail.ru, Yandex Disk, and Odnoklassniki. The operation demonstrates a deliberate focus on Russian consumer platforms alongside Western enterprise targets, utilizing Telegram bots for credential exfiltration and employing a multi-tenant phishing platform distributed through Telegram channels.

Researchers uncovered a massive fraud ecosystem targeting the 2026 FIFA World Cup, identifying over 4,300 fraudulent domains impersonating FIFA's official website since August 2025. At the center operates GHOST STADIUM, a Chinese-speaking threat actor running a sophisticated phishing campaign across 300+ domains using a pixel-perfect clone of FIFA's authentication system. The operation harvests credentials, sells fake tickets, and processes payments through five distinct channels including cryptocurrency. Estimated losses from premium ticket fraud alone range from $71 million to $474 million, with total campaign losses potentially reaching billions. Six distinct fraud schemes operate in parallel: credential phishing, fake ticket sales, counterfeit merchandise, fake streaming platforms, fraudulent betting sites, and infostealer-driven credential theft. Over 2,513 FIFA account credentials are already circulating on dark-web markets. The campaign exploits Facebook advertising as its primary distribution chann...

MediumMalwareUnited StatesArgentinaBrazil+3#ticket fraud#cryptocurrency fraud#ghost stadium

Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.

In early April 2026, a large-scale device code phishing campaign targeted organizations across multiple sectors and regions, exploiting OAuth 2.0 Device Authorization Grant. Threat actors leveraged the Kali365 phishing-as-a-service platform, originating primarily from IP address 216.203.20[.]95. The campaign used high-fidelity lures directing victims to Microsoft's legitimate device login flow, where users unknowingly authorized threat actor-controlled sessions. Captured OAuth tokens enabled immediate mailbox access and post-compromise activities. In some cases, attackers established malicious inbox rules to suppress security notifications, extending dwell time. The Kali365 platform operates as a multi-tenant PhaaS ecosystem supporting both device code abuse and adversary-in-the-middle session capture, featuring rapid lure generation across multiple languages and file types, Cloudflare Worker-hosted pages, and token sharing capabilities between affiliates.

An open directory discovery at refundonex[.]com exposed a complete Phishing-as-a-Service and RAT-as-a-Service platform targeting Spanish and Portuguese-speaking victims. The investigation uncovered 3,788 files including weaponized LNK, VBS, and AES-encrypted PowerShell payloads delivering a remote access trojan. The platform, called Shadow Panel, operates from Bulgarian infrastructure and offers capabilities including remote shell execution, screenshot capture, file management, browser credential theft, clipboard hijacking for cryptocurrency wallets, and multi-operator support. The C2 panel's frontend JavaScript was publicly accessible, revealing 29 API endpoints and the complete architecture. Infrastructure analysis linked the operation to nikola4010@proton[.]me through WHOIS data and historical malicious domain associations dating back to 2021, indicating a long-running cybercriminal operation with minimal detection coverage.

EvilTokens is a new Phishing-as-a-Service offering a turnkey Microsoft device code phishing kit. It enables attackers to harvest access and refresh tokens, granting unauthorized access to victims' Microsoft accounts. The kit supports post-compromise operations, allowing data exfiltration from various Microsoft services. EvilTokens has been rapidly adopted by cybercriminals since March 2026, impacting organizations globally. The service provides advanced capabilities for account takeover, including token conversion to Primary Refresh Tokens and browser cookies for persistent access. Phishing campaigns using EvilTokens target employees in finance, HR, logistics, and sales, primarily for Business Email Compromise attacks.

MediumCampaignUnited StatesUnited KingdomCanada+8#device code phishing#token harvesting#microsoft 365