Close Menu
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) Instagram Threads
Ransomnews
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) LinkedIn
Ransomnews
Security

Anatomy of a Modern Phishing Campaign

Jesse William McGrawBy Jesse William McGrawApril 26, 2026No Comments5 Mins Read21 Views
Share Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Multi-stage phishing kit funnel transforming emails into stolen credentials
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

The popular image of phishing, clumsy grammar, obvious lures, suspect URLs, is twenty years out of date. Modern phishing in 2026 is operationally professional, technically capable, and surprisingly hard to spot even for security-aware users. Pulling apart a contemporary campaign reveals a supply chain almost as differentiated as the ransomware ecosystem it often feeds.

Stage 1: Lure design

The starting point is a pretext. The pretexts that work in 2026 are not the Nigerian prince; they are the boring HR notification, the vendor invoice, the shared OneDrive document, the DocuSign signature request, the Teams chat from a colleague. The Anti-Phishing Working Group’s quarterly trends report at apwg.org/trendsreports consistently shows that fewer than ten brands account for the bulk of credential-phishing impersonations: Microsoft, Google, DHL, USPS, banks, and major SaaS providers.

LLM-generated copy has eliminated the grammar tells. ChatGPT, Claude, and open-weight models produce native-quality English, French, German, Mandarin, and Polish phishing emails on demand. Researchers at Mandiant, IBM X-Force, and Sophos have all documented the shift to LLM-assisted lures across 2024 and 2025. The visible quality of phishing has gone up; the click-through rate has gone up with it.

Stage 2: Infrastructure

A modern phishing operation needs four things on the network side:

A domain that looks plausible. Typically a freshly registered lookalike (microsoftt-365.com, secure-docusign-portal.net) or, increasingly, a hijacked subdomain of a legitimate but neglected site. The MOVEit-era trend of dangling DNS records pointing to attacker-controlled cloud resources continues.

A TLS certificate. Free via Let’s Encrypt or other ACME providers. The padlock in the browser carries no useful security signal in 2026 and has not for a decade.

Hosting that survives takedowns long enough to harvest. Cloudflare Workers, Vercel, Netlify, Replit, and Pages-style hosting are heavily abused because they offer free, fast, ephemeral edge hosting. Kits also rotate through bulletproof hosters in jurisdictions that ignore takedown requests.

A delivery channel. Direct-to-MX is dead at scale because of Microsoft and Google’s spam filtering; modern campaigns abuse compromised mailboxes (sending from real, signed corporate accounts), legitimate marketing platforms (Mailchimp, SendGrid abuse), and increasingly LinkedIn, Teams, and SMS as side channels.

Stage 3: The phishing kit

Five years ago a phishing kit was a static HTML clone of a login page. In 2026 it is a fully featured adversary-in-the-middle proxy. The two dominant kits at the time of writing are Tycoon 2FA and Mamba 2FA, both sold as services on Telegram for low hundreds of dollars per month. Open-source ancestors include Evilginx, Modlishka, and Muraena.

What the modern kit does:

Renders the legitimate login page in real-time by proxying the actual Microsoft / Google / Okta service. The user sees a perfect copy because it is a perfect copy.

Captures the username, password, and second factor (TOTP code, push approval, SMS) as the user submits them.

Forwards everything to the real service. The user gets a successful login. The attacker captures the resulting session cookie.

Replays the cookie from attacker infrastructure, bypassing MFA entirely. From the application’s perspective, the session is a continuation of the legitimate login.

Modern kits also harvest device fingerprints, persist cookies through token refresh, and integrate with Telegram bots that ping the attacker the moment a high-value target authenticates.

This is what defeats SMS MFA, TOTP MFA, and push MFA. It does not defeat WebAuthn or passkeys, because the cryptography is bound to the legitimate origin and the AiTM proxy is, by definition, not at the legitimate origin.

Stage 4: Initial action

What happens after capture depends on the operator.

Credential commodity sale. The cheapest path: sell the captured username/password to an Initial Access Broker on a Russian-language forum. Going price for valid corporate credentials with active session: $200 to several thousand dollars depending on the company.

Targeted exfiltration. The credentials are used to read email, search SharePoint and OneDrive for sensitive documents, and exfiltrate them. Business email compromise (BEC) campaigns often stop here.

Pivot to ransomware. Increasingly the path: an Initial Access Broker sells the access to a ransomware affiliate who treats it as the foothold for a multi-week intrusion. Modern ransomware groups including Akira, BlackCat (when active), and RansomHub heavily source initial access from phishing-derived credentials.

Account takeover for fraud. Wire-transfer fraud, payroll redirection, vendor impersonation. The FBI’s IC3 reported $2.9 billion in BEC-related losses in their 2023 report, available at ic3.gov/Media/PDF/AnnualReport.

Stage 5: Persistence

A captured session is good for hours to days. Smart operators use it to establish durable access:

Add a federated identity provider or enterprise application that they control.

Register a new MFA method (their own authenticator) for the compromised account.

Create new mailbox forwarding rules that copy interesting threads to attacker mailboxes.

Add OAuth applications with broad scopes that survive password resets.

Microsoft’s documentation at learn.microsoft.com/en-us/defender-xdr/anomalous-token describes the detection patterns for this persistence layer; few organisations actively monitor for it.

What stops the campaign

In rough order of effectiveness:

Phishing-resistant MFA on every account. WebAuthn / passkeys break the AiTM proxy because the cryptography refuses to authenticate to the wrong origin. This is the single highest-leverage control.

Conditional access policies that require managed devices for sensitive applications. Even if credentials and a session cookie are captured, an attacker connecting from an unmanaged device fails the device-posture check.

Email authentication that actually rejects spoofs: SPF, DKIM, and DMARC at p=reject. The Internet Society’s MAAWG reports show that only a minority of corporate domains operate at p=reject as of 2025. The remainder are accepting spoof email.

User reporting culture. The "report phish" button in Outlook and Gmail is the cheapest detection signal in the building. Organisations that respond visibly to user reports, close the loop, thank the reporter, share findings, see an order-of-magnitude better signal-to-noise.

User training, by itself, is the lowest-leverage control on this list. It is necessary; it is not sufficient. The phishing supply chain has industrialised. The defensive response has to be architectural, not aspirational.

Share. Facebook Twitter Pinterest LinkedIn Tumblr Telegram Email Copy Link
Previous ArticlePhishing-Resistant MFA: Which Authentication Methods Actually Work in 2026
Next Article Patch Management: Why So Many Organizations Get It Wrong
Jesse William McGraw

Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.

Related Posts

FortiBleed: 75,000 cracked Fortinet firewalls, no zero-day needed

June 18, 2026

Top infostealer families in 2026: Lumma, RedLine, Vidar, StealC, and the new entrants

June 8, 2026

Stealer logs explained: what they hold, how they leak, and how to check yours

June 8, 2026

Comments are closed.

Facebook X (Twitter) LinkedIn
© 2026 Ransomnews.com

Type above and press Enter to search. Press Esc to cancel.

Cookies on Ransomnews

We use strictly-necessary cookies to run the site and may use first-party analytics to understand which articles are read. Some pages contain affiliate links — when you click one, the affiliate network sets cookies on the merchant's domain to attribute the referral. See the Cookie Policy and Affiliate Disclosure for detail.

RANSOMNEWS.COM

Tracking the criminal infrastructure of the internet.

Independent coverage of ransomware, breach economics, threat actors, privacy, AI security, and the open-source investigation toolkit.

// Topics

  • News
  • Security
  • Privacy
  • Cybercrime
  • AI
  • OSINT
  • Threat Groups
  • Stealer Logs
  • Ransomtracker
  • Stealercheck
  • FortiBleed Checker

// Site

  • About Us
  • Editorial Team
  • Contact
  • Tip Line
  • Editorial

// Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Funding & Independence
  • RSS Feed
© 2026 Ransomnews.com · Tracking the criminal infrastructure of the internet.