
AI-Driven Phishing Kits Target Microsoft 365 and European Banks with Advanced MFA Bypass Techniques

  • Rescana
  • 2 days ago
  • 4 min read


Rescana Cybersecurity Threat Intelligence Report

New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale

Date: December 2025
Prepared by: Rescana OSINT Cybersecurity Research Team
Primary Sources: The Hacker News, Zscaler ThreatLabz, Barracuda, Abnormal Security, Varonis, ANY.RUN


Executive Summary

In late 2025, researchers identified a new generation of advanced phishing kits—BlackForce, GhostFrame, InboxPrime AI, and Spiderman—that leverage artificial intelligence and sophisticated multi-factor authentication (MFA) bypass tactics. These kits are being actively sold and used in the wild, enabling credential theft at unprecedented scale and sophistication. This report details their technical capabilities, exploitation methods, observed campaigns, and relevant indicators of compromise (IOCs).


1. BlackForce

  • First Detected: August 2025

  • Capabilities: Credential theft, Man-in-the-Browser (MitB) attacks, OTP/MFA bypass

  • Distribution: Sold on Telegram for €200–€300

  • Brands Targeted: Disney, Netflix, DHL, UPS, and more (11+ brands)

  • Technical Details:

      • Uses JavaScript files with cache-busting hashes in their names (e.g., index-[hash].js)

      • Filters out security vendors, crawlers, and scanners

      • Credentials and MFA codes are exfiltrated in real time to Telegram bots and C2 panels via the Axios HTTP client

      • After a successful attack, the victim is redirected to the legitimate site to avoid suspicion

  • Versions Observed: Version 3 (widely used until early August 2025), Versions 4 and 5 (released in subsequent months)

  • Exploitation in the Wild: Active campaigns observed targeting major consumer brands; ongoing development with new versions released monthly


2. GhostFrame

  • First Detected: September 2025

  • Capabilities: Stealth phishing via HTML/iframe, anti-analysis, anti-debugging, dynamic subdomains

  • Targets: Microsoft 365, Google accounts

  • Technical Details:

      • Malicious behavior is hidden in embedded iframes

      • A loader script sets up the iframe, changes the page title/favicon, and can redirect the browser

      • Generates random subdomains per visit, complicating detection and blocking

      • Fallback iframe mechanism if the loader JS is blocked

  • Exploitation in the Wild: Over 1 million attacks observed; phishing emails themed as contracts, invoices, password resets


3. InboxPrime AI

  • Distribution: Sold as malware-as-a-service (MaaS) on Telegram (1,300+ members), $1,000/license

  • Capabilities: AI-powered mass phishing, automated campaign generation, evasion of email filters

  • Technical Details:

      • Mimics human emailing behavior and leverages the Gmail web interface

      • AI-generated emails with customizable parameters (language, topic, tone)

      • Spintax support for unique message variations

      • Real-time spam diagnostics and sender identity spoofing

  • Exploitation in the Wild: Used to launch high-volume, highly personalized phishing campaigns across industries


4. Spiderman

  • Targets: European banks and financial services (Blau, CaixaBank, Comdirect, Commerzbank, Deutsche Bank, ING, O2, Volksbank, Klarna, PayPal, etc.)

  • Distribution: Sold via Signal (750+ members)

  • Capabilities: Pixel-perfect replicas of banking portals, session management, OTP/PhotoTAN interception, crypto wallet seed phrase theft

  • Technical Details:

      • ISP allowlisting, geofencing, device filtering

      • Multi-step phishing workflow with session continuity

  • Exploitation in the Wild: Focused on Germany, Austria, Switzerland, Belgium; used in European banking fraud


Hybrid and Evolving Threats

  • Salty-Tycoon 2FA Hybrid: New phishing campaigns combine Salty 2FA and Tycoon 2FA kits, bypassing detection rules and complicating attribution. Tycoon 2FA acts as a fallback if Salty infrastructure fails.

  • Other Kits: Sneaky 2FA, Whisper 2FA, Cephas, Astaroth (not the Windows trojan) are also active in the ecosystem.


Affected Product Versions

Based on observed campaigns and technical analysis, the following product types and versions are affected:

  • Microsoft 365 (all current web and cloud versions)

  • Google Accounts (all current web and cloud versions)

  • Major European online banking portals (current web portals for: Blau, CaixaBank, Comdirect, Commerzbank, Deutsche Bank, ING, O2, Volksbank, Klarna, PayPal, and others)

  • Consumer brands’ web login portals (Disney, Netflix, DHL, UPS, and at least 7 others, all current web login versions)

  • Gmail web interface (InboxPrime AI leverages this for phishing delivery)

  • Any organization using web-based MFA/OTP authentication for user logins

Note: These kits target the web interfaces and authentication flows, not specific software versions, but all current (2024–2025) web and cloud versions of the above services are confirmed as affected in the wild.


Indicators of Compromise (IOCs)

  • Domains/Subdomains: Frequently changing, random subdomains (GhostFrame)

  • JavaScript Filenames: index-[hash].js (BlackForce)

  • C2 Channels: Telegram bots, Signal groups, HTTP(S) endpoints

  • Email Subjects: Contracts, invoices, password resets, banking notifications

  • Phishing URLs: Mimic legitimate login pages for Microsoft 365, Google, European banks
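Two of the indicators above are patterns rather than fixed values: BlackForce's cache-busted index-[hash].js loader and GhostFrame's per-visit random subdomains. The script below is an added example of how a defender could hunt for both in web-proxy logs; it is not Rescana's code and not taken from any of the kits. The log format, the hostnames and the thresholds are all constructed or assumed: the report only says "[hash]", so the regex assumes 8 or more alphanumeric characters, and "random subdomain" is approximated as a long, high-entropy leftmost label that mixes letters and digits.

```python
"""Hunt proxy logs for two IoC patterns from the report:
cache-busted index-<hash>.js loaders (BlackForce) and per-visit
random subdomains (GhostFrame). Added example; all sample log lines,
hostnames and thresholds are constructed or assumed, not real IoCs."""
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption: the "[hash]" in index-[hash].js is 8+ alphanumeric chars.
CACHE_BUSTED_JS = re.compile(r"/index-[0-9a-zA-Z]{8,}\.js$")

# Assumed heuristics for a "random" subdomain label; tune to your environment.
MIN_LABEL_LEN = 10
ENTROPY_THRESHOLD = 3.2  # bits per character


def shannon_entropy(s: str) -> float:
    """Shannon entropy (bits/char) of a string; 0.0 for empty or uniform input."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def random_subdomain_label(host: str) -> bool:
    """True when the leftmost label looks machine-generated: long,
    high-entropy and mixing letters with digits (assumed traits)."""
    labels = host.lower().split(".")
    if len(labels) < 3:  # need at least label.domain.tld
        return False
    label = labels[0]
    has_alpha = any(ch.isalpha() for ch in label)
    has_digit = any(ch.isdigit() for ch in label)
    return (len(label) >= MIN_LABEL_LEN
            and has_alpha and has_digit
            and shannon_entropy(label) >= ENTROPY_THRESHOLD)


def analyse_url(url: str) -> list[str]:
    """Return the list of IoC pattern matches for one URL (empty if clean)."""
    u = urlparse(url)
    reasons = []
    if CACHE_BUSTED_JS.search(u.path):
        reasons.append("cache-busted index-<hash>.js loader")
    if random_subdomain_label(u.hostname or ""):
        reasons.append("high-entropy random subdomain")
    return reasons


# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_logs(lines):
    """Parse proxy log lines and return one finding per line that matches."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, _status = m.groups()
        reasons = analyse_url(url)
        if reasons:
            findings.append({"ts": ts, "client": client,
                             "url": url, "reasons": reasons})
    return findings


# Constructed sample traffic: two benign requests, one loader fetch from a
# random-looking host, one landing page on another random-looking host.
SAMPLE_LOGS = [
    "2025-12-01T09:14:02Z 10.0.0.15 GET https://www.example.com/login 200",
    "2025-12-01T09:14:05Z 10.0.0.15 GET https://x7k2q9vm3p.login-portal.example/index-a1b2c3d4e5f6.js 200",
    "2025-12-01T09:15:11Z 10.0.0.22 GET https://content-delivery.example.com/assets/app.js 200",
    "2025-12-01T09:16:40Z 10.0.0.31 GET https://d83jf0s1kq2z.invoice-view.example/ 200",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f["ts"], f["client"], f["url"], "->", "; ".join(f["reasons"]))
```

Entropy alone over-flags long descriptive labels (a hyphenated CDN hostname scores above 3 bits per character), which is why the example also requires a letter/digit mix; in practice, combine these hits with domain age, first-seen time and the fact that a kit page redirects to the legitimate site afterwards, so a hit followed by a request to the real login host is a stronger signal than either alone.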


MITRE ATT&CK Mapping

  • T1566.001 (Phishing: Spearphishing Attachment/Link)

  • T1110 (Brute Force)

  • T1556 (Modify Authentication Process)

  • T1557 (Man-in-the-Middle)

  • T1114 (Email Collection)

  • T1078 (Valid Accounts)


APT Groups

  • Attribution: No direct attribution to specific APT groups as of this report. The tactics and sophistication are consistent with financially motivated cybercriminal groups and some state-aligned actors. Spiderman is heavily used in European banking fraud, suggesting a focus on financial gain rather than espionage.


Exploitation in the Wild

  • Observed Campaigns:

      • BlackForce and GhostFrame have been used in large-scale credential harvesting campaigns targeting both consumers and enterprises.

      • InboxPrime AI is enabling less-skilled actors to launch high-volume, highly personalized phishing attacks.

      • Spiderman is actively used in European banking fraud, with real-time session hijacking and OTP interception.



About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our platform leverages advanced threat intelligence, automation, and continuous monitoring to help organizations stay ahead of emerging threats and maintain robust cyber resilience. For more information or to discuss how Rescana can support your cybersecurity strategy, we are happy to answer questions at ops@rescana.com.
