
How Phishing Kits Are Evading Detection & Ways to Beat Them

Guest blog courtesy of Any.Run.

Phishing is no longer about a poorly written email with a clumsy suspicious link. The threat landscape is dominated by phishkits: ready-made toolkits that enable even unskilled attackers to launch convincing, large-scale phishing campaigns.

For businesses, SOC teams, and MSSPs, these kits represent a particularly dangerous evolution: they are cheap, constantly updated, and designed to slip past traditional security controls.

How Phishkits Emerged as Threat №1

Phishkits package everything needed to set up a phishing campaign: HTML templates, backend scripts, evasion features, and even customer support for buyers. This lowers the barrier to entry for attackers and dramatically increases the scale of attacks.

For businesses, the risks are serious:

  • Credential theft leading to account takeovers.
  • Business email compromise resulting in financial fraud.
  • Data breaches and compliance penalties.
  • Ransomware enablement, since stolen credentials are often a stepping stone for larger attacks.

Phishkits function like professional software products, with regular updates and active developer communities. That’s what makes them so hard to defend against.

Modern phishing kits thrive on their ability to defeat multi-factor authentication (MFA), long treated as the gold standard of account defense. In these adversary-in-the-middle (AitM) attacks the kit proxies the real login page, relays the victim's password and MFA response to the legitimate service in real time, and captures the resulting authentication tokens and session cookies. Because the attacker ends up holding a valid session rather than just a password, access persists until that session is revoked; a password change alone does not always invalidate it. This generation of threats can penetrate even well-defended enterprise environments.

For business leaders, the implications are clear: traditional email security measures are no longer sufficient. The threat has evolved beyond simple credential harvesting to include comprehensive account takeovers, lateral movement within networks, and long-term persistent access that can result in devastating data breaches and operational disruption.

Detection Evasion: The Core Strength of Modern Phishkits

Traditional defenses (URL blacklists, static signatures, even some secure email gateways) struggle against modern phishkits. That’s because evasion isn’t a side feature anymore; it’s the main selling point of these tools.

Some of the most common evasion techniques include:

  • Geo-fencing and IP filtering – serving the phishing page only to visitors from the targeted countries or networks, and a harmless page to everyone else.
  • Dynamic content generation and polymorphism – generating a unique page (randomized markup, obfuscated scripts, per-visitor URLs) for each victim or campaign, so signature-based detection has no stable pattern to match.
  • Cloaking and anti-bot checks – detecting crawlers, URL scanners, headless browsers and sandboxes (user-agent checks, JavaScript fingerprinting, CAPTCHA gates) and hiding the phishing content from them.
  • Fast-flux hosting and domain rotation – rapidly shifting domains and IP addresses so that blocklists and takedowns lag behind the live infrastructure.
  • MFA bypass – running the phishing page as a reverse proxy to the real login service, so the victim's one-time password or push approval completes the legitimate login while the kit captures the resulting session cookie.
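The AitM flow described above leaves two traces in identity-provider logs: the MFA-satisfied sign-in arrives from the proxy's address rather than the victim's, and the captured cookie is then replayed from the attacker's own machine. The following is an added example (not code from ANY.RUN or from this post) that turns those two traces into detection logic over constructed sign-in and token-use events; the event schema, the hosting-ASN list, the baseline of known ASNs and the sample events are all assumptions to be mapped onto your IdP's real log format.

```python
"""Flagging adversary-in-the-middle (AitM) session theft in IdP sign-in logs.

Added example, not code from ANY.RUN or from this post. The event schema,
the hosting-ASN list and the sample events are constructed; map the field
names to your identity provider's real sign-in and token-use logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: ASNs of VPS/hosting providers observed fronting AitM proxies.
HOSTING_ASNS = {"AS64501"}

# Constructed sample. Session S-1: the victim completes MFA through the
# phishing reverse proxy (the IdP sees the proxy's hosting IP), and the
# stolen cookie is then replayed from the attacker's own machine.
# Sessions S-2 and S-3 are ordinary logins from the corporate network.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T08:01:00", "user": "alice", "event": "signin",
     "ip": "203.0.113.7", "asn": "AS64501", "mfa": True,
     "session": "S-1", "ua": "Windows/Chrome"},
    {"ts": "2025-06-10T08:14:00", "user": "alice", "event": "token_use",
     "ip": "198.51.100.23", "asn": "AS64502", "mfa": False,
     "session": "S-1", "ua": "Linux/Firefox"},
    {"ts": "2025-06-10T09:00:00", "user": "bob", "event": "signin",
     "ip": "192.0.2.44", "asn": "AS64500", "mfa": True,
     "session": "S-2", "ua": "Windows/Edge"},
    {"ts": "2025-06-10T09:30:00", "user": "bob", "event": "token_use",
     "ip": "192.0.2.44", "asn": "AS64500", "mfa": False,
     "session": "S-2", "ua": "Windows/Edge"},
    {"ts": "2025-06-10T10:00:00", "user": "alice", "event": "signin",
     "ip": "192.0.2.45", "asn": "AS64500", "mfa": True,
     "session": "S-3", "ua": "Windows/Chrome"},
]

# Constructed baseline: ASNs each user has historically signed in from.
KNOWN_ASNS = {"alice": {"AS64500"}, "bob": {"AS64500"}}


def detect_aitm(events, known_asns, window=timedelta(hours=2)):
    """Return (session, severity, reason) findings.

    Two heuristics that follow from how AitM kits work:
      1. The MFA-satisfied sign-in comes from the proxy, so the IdP records
         an IP/ASN the user has never used; a hosting ASN is a strong signal.
      2. The captured cookie is replayed from the attacker's machine, so the
         same session soon appears from a different ASN or user agent.
    """
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[e["session"]].append(e)

    findings = []
    for sid, evs in by_session.items():
        first = evs[0]
        if first["event"] != "signin" or not first["mfa"]:
            continue
        user, t0 = first["user"], datetime.fromisoformat(first["ts"])

        # Heuristic 1: MFA completed from an ASN outside the user's baseline.
        if first["asn"] not in known_asns.get(user, set()):
            sev = "high" if first["asn"] in HOSTING_ASNS else "medium"
            findings.append((sid, sev,
                             f"MFA sign-in for {user} from unfamiliar ASN "
                             f"{first['asn']} ({first['ip']})"))

        # Heuristic 2: same session reused from elsewhere within the window.
        for e in evs[1:]:
            t = datetime.fromisoformat(e["ts"])
            if t - t0 > window:
                break
            if e["asn"] != first["asn"] or e["ua"] != first["ua"]:
                mins = int((t - t0).total_seconds() // 60)
                findings.append((sid, "high",
                                 f"session {sid} for {user} reused from "
                                 f"{e['ip']} ({e['asn']}, {e['ua']}) {mins} "
                                 f"min after MFA at {first['ip']}"))
                break
    return findings


if __name__ == "__main__":
    for sid, sev, why in detect_aitm(SAMPLE_EVENTS, KNOWN_ASNS):
        print(f"[{sev}] {sid}: {why}")
```

On the sample data only session S-1 is flagged, twice: once for the MFA login from an unfamiliar hosting ASN and once for the cookie reuse 13 minutes later from a different network and browser. ASN changes also happen legitimately (mobile to Wi-Fi, corporate VPN), so treat the medium-severity finding as a triage lead rather than a verdict, and remember that the right response to a confirmed hit is to revoke the user's sessions, not only to reset the password.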

Modern malware analysis and threat intelligence services like ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup keep pace in the arms race, developing new anti-evasion techniques.

For instance, the Sandbox's virtual machine settings (proxy, VPN, and geolocation) let an analyst bypass geo-fencing, while the Automated Interactivity feature, combined with the ability to interact with the sample manually as the targeted user would, breaks through anti-detection checks.

Proxy, VPN, geolocation, automated interactivity setup in the Sandbox

The Threatening Three: Active Kits Reshaping the Landscape Right Now

The current phishing ecosystem is dominated by three particularly sophisticated and active kits. Each represents a different evolution in attack methodology and has been responsible for significant financial losses across multiple sectors.

Salty2FA: The Enterprise-Grade Threat

Emerging in June 2025, this phishing-as-a-service (PhaaS) kit specifically targets enterprise environments across the United States and European Union, with a particular focus on industries handling sensitive data and financial transactions. What sets Salty2FA apart is its enterprise-level approach to cybercrime, employing the same strategic planning and operational discipline as a legitimate business.

The kit's success lies in its ability to completely bypass two-factor authentication through sophisticated token interception and session hijacking. Security researchers have documented cases where single successful Salty2FA attacks have resulted in complete organizational compromise, with attackers maintaining persistent access for months before detection.

Tycoon2FA: The Banking Sector Specialist

Tycoon2FA has been a formidable threat since it emerged in August 2023. The kit gained particular notoriety when it added the ability to bypass Microsoft 365 multifactor authentication by capturing and replaying session cookies. Recent analysis of ANY.RUN's sandbox data shows that 26% of Tycoon2FA cases specifically targeted the banking sector, a clear indication of the kit's focus on high-value financial targets.

Storm-1167: The PhaaS Powerhouse

Storm-1167 represents the commercialization of phishing at scale. Security researchers assess with high confidence that this kit operates as part of a PhaaS offering serving hundreds of customers as of April 2025.

The kit's success has spawned numerous imitators and has been linked to several high-profile breaches in the healthcare, education, and government sectors throughout 2024 and 2025.

Fighting Back: How ANY.RUN's Solutions Counter Phishing Kit Evasion

The escalating sophistication of phishing kits demands equally advanced defensive capabilities. ANY.RUN's approach to defeating evasion mechanisms is embodied in two core solutions: the Interactive Sandbox for dynamic analysis, and the Threat Intelligence Lookup for comprehensive threat correlation and investigation.

Interactive Sandbox: Penetrating the Veil of Evasion

Take the example of Salty2FA, a phishing kit known for advanced cloaking and MFA interception. Most static tools fail to reveal its full behavior, but with ANY.RUN's Interactive Sandbox, analysts can:

  • Actively engage with the phishing flow (e.g., enter fake credentials, trigger MFA requests, pass CAPTCHA gates).
  • Bypass cloaking techniques by behaving like a real victim.
  • Trigger different payloads within the same sample by changing the VM environment, configured to match the targeted user's setup.
  • Select analysis environments located in the target geographic regions, effectively bypassing geo-blocking measures.
  • Observe the complete attack chain in real time.

CAPTCHAs are passed with Sandbox interactivity

Threat-related processes detected by the Sandbox during detonation of the Mamba 2FA phishkit

This hands-on approach exposes behaviors that fully automated sandboxes miss and lets the analyst document each stage of the attack as it unfolds.

Combine interactive analysis and threat intelligence enrichment to detect, dissect and disarm phishkits. Request full access to ANY.RUN's Sandbox for your SOC

See for example a sandbox analysis of a Salty2FA sample where the analyst needs to scan a QR code:


QR code scanned in the Sandbox to open the malicious link

Phishkit developers rely on QR codes to evade detection because a surprising number of sandboxes and other malware analysis solutions still fail to scan them automatically and extract the embedded links. ANY.RUN's Interactive Sandbox, however, decodes the code and follows the link automatically.

Threat Intelligence Lookup: Investigating and Protecting Against Phishkits

Threat Intelligence Lookup enhances detection and investigation by:

  • Aggregating IOCs like domains, URLs, IPs tied to phishing campaigns.
  • Allowing SOC and MSSP teams to pivot from a single IOC to the broader infrastructure behind an attack.
  • Continuously enriching SIEM/SOAR workflows with fresh intelligence.

The result: organizations can move from reactive to proactive defense, shutting down phishing operations faster and protecting users at scale.
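Pivoting from a single IOC to the infrastructure behind it, as listed above, is a graph walk: domains and IPs observed together in sandbox sessions form a bipartite graph, and the cluster reachable from the seed is the campaign's infrastructure. The practical trap is shared hosting: one CDN or bulk-hosting IP links to thousands of innocent domains, and expanding through it poisons the blocklist. The following is an added example (not ANY.RUN code, and not how TI Lookup is implemented) that performs this pivot in plain Python over constructed domain/IP observations; the fan-out threshold, the rotation threshold and the sample data are assumptions.

```python
"""Pivoting from one indicator to the infrastructure behind a phishing campaign.

Added example, not ANY.RUN code: it models in plain Python the infrastructure
pivot an analyst performs in a threat-intelligence lookup. The domain/IP
observations are constructed; in practice they come from sandbox network
captures or passive DNS."""
import ipaddress
from collections import defaultdict, deque

# Constructed observations: (domain, ip) pairs seen across sandbox sessions.
OBSERVATIONS = [
    ("login-micros0ft-verify.example", "198.51.100.10"),
    ("secure-m365-check.example", "198.51.100.10"),
    ("secure-m365-check.example", "198.51.100.11"),
    ("secure-m365-check.example", "198.51.100.12"),
    ("docs-share-auth.example", "198.51.100.11"),
    ("unrelated-news.example", "203.0.113.5"),
    # A shared hosting/CDN address touched by many unrelated domains:
    # blindly pivoting through it would pull innocent sites into the cluster.
    ("login-micros0ft-verify.example", "192.0.2.1"),
    ("bank-portal-legit.example", "192.0.2.1"),
    ("shop.example", "192.0.2.1"),
    ("cdn-customer-a.example", "192.0.2.1"),
]


def build_graph(observations):
    """Bipartite graph: ("domain", d) <-> ("ip", a) for every observation."""
    adj = defaultdict(set)
    for dom, ip in observations:
        adj[("domain", dom)].add(("ip", ip))
        adj[("ip", ip)].add(("domain", dom))
    return adj


def node_for(seed):
    """Classify the seed as an IP address or a domain name."""
    try:
        ipaddress.ip_address(seed)
        return ("ip", seed)
    except ValueError:
        return ("domain", seed)


def pivot(seed, observations, max_ip_fanout=3, rotation_min_ips=3, max_hops=6):
    """Breadth-first pivot from a seed domain or IP.

    IPs serving more than max_ip_fanout domains are treated as shared hosting
    and reported but not expanded. Domains are always expanded: a domain that
    resolves to many IPs is itself a sign of fast-flux or rotation, and such
    domains are listed separately.
    """
    adj = build_graph(observations)
    start = node_for(seed)
    seen, skipped = {start}, set()
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for nb in adj[node]:
            if nb in seen:
                continue
            if nb[0] == "ip" and len(adj[nb]) > max_ip_fanout:
                skipped.add(nb[1])  # shared hosting: record, do not expand
                continue
            seen.add(nb)
            queue.append((nb, depth + 1))

    domains = sorted(n for k, n in seen if k == "domain")
    ips = sorted(n for k, n in seen if k == "ip")
    rotating = [d for d in domains
                if len(adj[("domain", d)]) >= rotation_min_ips]
    return {"domains": domains, "ips": ips,
            "rotating_domains": rotating, "shared_skipped": sorted(skipped)}


if __name__ == "__main__":
    print(pivot("login-micros0ft-verify.example", OBSERVATIONS))
```

Seeding with either the lookalike login domain or one of its IPs yields the same three-domain, three-IP cluster, flags secure-m365-check.example as rotating across several addresses, and reports 192.0.2.1 as shared hosting without dragging bank-portal-legit.example into the result. The domains and IPs returned are what goes to the SIEM/SOAR blocklist; the thresholds need tuning per data source, and known CDN ranges are better excluded up front than caught by fan-out alone.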

TI Lookup aggregates malware samples and insights from 500K global contributors and 15K SOCs investigating real incidents, which sharpens detection of stealthy kits like Salty2FA. Even a simple query that combines the threat name with the domainName field returns the associated indicators, including domains, URLs, IPs, and mutexes:

threatName:"salty2fa" AND domainName:""


Indicators linked to Salty2FA campaigns found via TI Lookup

Integrated Defense Strategy

The combination of Interactive Sandbox analysis and Threat Intelligence Lookup creates a comprehensive defense strategy that addresses both the technical sophistication and operational scale of modern phishing threats. Organizations using this integrated approach can not only understand and analyze individual threats but also develop strategic defensive measures that remain effective against evolving attack techniques.

A quick example: using TI Lookup, an analyst can select a set of samples linked to Salty2FA, then open their Sandbox analyses to compare the TTPs that stay constant across attacks with those that vary, and use that picture to shape proactive corporate defenses:

TI Lookup lets an analyst select phishkit samples from sandbox analysis sessions

Conclusion: Staying Ahead in the Phishing Arms Race

The technical sophistication demonstrated by modern phishing kits should serve as a wake-up call for organizations still relying on perimeter-based security models. These threats don't simply breach defenses — they systematically dismantle them through careful reconnaissance, adaptive evasion, and persistent access techniques that can maintain compromise for months or even years before detection.

With the right mix of interactive analysis and threat intelligence enrichment, security teams can uncover hidden phishing flows, expose MFA bypass attempts, and gather the IOCs needed to block campaigns across the enterprise.

For SOCs and MSSPs tasked with protecting multiple organizations, adopting solutions like ANY.RUN's Interactive Sandbox and Threat Intelligence Lookup isn't just an advantage; it's becoming a necessity in the fight against phishing.

Get full access to ANY.RUN's solutions for your SOC →
