
Phishing-as-a-Service: Things You Need to Know

Last Updated on April 30, 2026 by Arnav Sharma

MFA was supposed to fix phishing. That was the pitch for years. Turn on multi-factor authentication and you could sleep a bit easier knowing that a stolen password alone wouldn’t get an attacker into your environment.

That assumption is dead.

The phishing game has shifted hard over the past two years, and the driver behind that shift has a name: Phishing-as-a-Service, or PhaaS. These are subscription-based phishing kits sold on Telegram and dark web forums, complete with campaign dashboards, email templates, anti-bot protections, and real-time credential exfiltration via Telegram alerts. Some even come with customer support.

If that sounds like a SaaS product, it should. Because that’s exactly what it is, just pointed in the wrong direction.

How Big Is This Problem?

The numbers tell the story. Barracuda reported that 60% to 70% of phishing attacks observed since early 2025 originated from PhaaS kits. That’s not a niche threat. That’s the majority of phishing attacks running on off-the-shelf tooling.

And the eSentire 2026 Threat Report found that PhaaS kits were behind 63% of all account compromise incidents they tracked. Account compromise itself surged 389% year-over-year.

The pattern here is clear: attackers don’t need to build their own infrastructure anymore. They rent it.

The Kits Running the Show

Here’s a look at the major PhaaS kits in active circulation right now, along with what they cost. Yes, there are price lists. That’s the world we’re in.

| Kit | Pricing | Distribution | Key Technique |
|---|---|---|---|
| Tycoon 2FA | $120 / 10 days, $350 / month | Telegram, Signal | Synchronous relay, session cookie theft |
| Evilginx | Free (open-source) | GitHub | Reverse proxy |
| EvilProxy | $150 / 10 days, $400 / month (up to $600 / month for Google targets) | Dark web forums, Telegram | Managed reverse proxy |
| Sneaky 2FA | Sold via Telegram (pricing not public) | Telegram | Browser-in-the-Browser pop-ups |
| FlowerStorm | Subscription-based (pricing not public) | Underground forums | AiTM-as-a-Service |
| SessionShark | Subscription tiers (pricing not public) | Underground forums, Telegram | Session token theft, Cloudflare-backed |

The pricing tells you something about how commoditised this market has become. For less than the cost of a legitimate SaaS tool, an attacker gets a full campaign platform with MFA bypass built in.

Tycoon 2FA

The dominant player by a wide margin. Microsoft and Barracuda both estimate Tycoon 2FA powers roughly 76% of PhaaS attacks. The kit was sold on Telegram and Signal starting at $120 for 10 days of panel access, or $350 per month. At peak, campaigns using Tycoon 2FA were pushing tens of millions of phishing messages per month, hitting over 500,000 organisations.

Tycoon 2FA uses a synchronous relay server that clones the real Microsoft 365 or Google login page. The victim authenticates normally (including completing their MFA challenge), and the kit intercepts the session cookie as it’s issued. No need to crack the password. No need to bypass MFA. The victim does the work for the attacker.

Microsoft’s Digital Crimes Unit, working with Europol, disrupted Tycoon 2FA’s infrastructure in early 2026. But the cat’s already out of the bag. The approach has been cloned and adapted by newer kits.

Evilginx

Evilginx started as an open-source reverse proxy tool built for red teamers. The code is free, well-documented, and easy to set up. Naturally, attackers adopted it. Microsoft has tracked Evilginx-based infrastructure tied to Storm-0485 and the Russian state-affiliated group Star Blizzard. It’s the Swiss Army knife of the PhaaS world.

EvilProxy

A managed reverse proxy service that does most of the heavy lifting for the attacker. Minimal technical skill required. Sekoia tracked roughly 280 distinct active EvilProxy servers running at any given time through 2024 and into 2025. It accounts for about 8% of observed PhaaS attacks.

Sneaky 2FA

Sold on Telegram, Sneaky 2FA takes a different approach by using browser-in-the-browser (BitB) pop-ups. These pop-ups mimic real browser windows, making the phishing page look more convincing. The kit also adapts its appearance based on the victim’s OS and browser, which makes it harder to spot.

FlowerStorm

An AiTM-as-a-Service platform that was pulling around one million page visits per month, with an estimated 500+ active operators. FlowerStorm represents the more “enterprise” end of the PhaaS market, if you can call it that.

SessionShark

A newer kit that surfaced in early 2025, purpose-built for stealing active Microsoft 365 sessions. SessionShark sends real-time Telegram alerts when credentials and session tokens are captured. It integrates with Cloudflare for stealth and resilience against takedowns.

The 2025 Wave

And the market keeps growing. Mamba 2FA, CoGUI, Cephas, Whisper 2FA, GhostFrame, Salty2FA, NakedPages, and others have all appeared or gained traction. Each one iterates on the same core concept: sit between the victim and the real login page, let MFA happen, steal the session.

Why MFA Alone Doesn’t Cut It Anymore

The thing all of these kits have in common is the Adversary-in-the-Middle (AiTM) technique. The attacker’s server acts as a reverse proxy (or synchronous relay) between the victim and the real identity provider. The victim sees the real login page. They type their real password. They complete their real MFA challenge. And the kit captures the session cookie that comes back.

From the identity provider’s perspective, a legitimate authentication just happened. There’s no failed login attempt to flag. No anomalous MFA denial. No malware on the endpoint. The attacker just walks in with a valid session token.

CrowdStrike’s 2026 Global Threat Report noted that 82% of detections in 2025 were malware-free. Attackers aren’t breaking in. They’re logging in.
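What the identity provider can still see after an AiTM sign-in is the session itself being used from somewhere it was not established. The following detector, added here as an illustration and not code from the original post, walks a constructed set of sign-in events and flags a session ID reused from a new IP address or user agent, and a second use that would require impossible travel. Field names, coordinates and the 900 km/h threshold are assumptions for the example.

```python
import math
from datetime import datetime, timezone
# Constructed sample sign-in events (not real logs): alice completes MFA from
# Sydney, then her session cookie is presented minutes later from Berlin.
EVENTS = [
    {"ts": "2026-04-01T09:00:00Z", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "ua": "Edge/124", "lat": -33.87, "lon": 151.21, "mfa": True},
    {"ts": "2026-04-01T09:07:00Z", "user": "alice", "session": "S1",
     "ip": "198.51.100.7", "ua": "Chrome/123", "lat": 52.52, "lon": 13.40, "mfa": False},
    {"ts": "2026-04-01T10:00:00Z", "user": "bob", "session": "S2",
     "ip": "203.0.113.22", "ua": "Edge/124", "lat": -33.87, "lon": 151.21, "mfa": True},
    {"ts": "2026-04-01T11:30:00Z", "user": "bob", "session": "S2",
     "ip": "203.0.113.22", "ua": "Edge/124", "lat": -33.87, "lon": 151.21, "mfa": False},
]
MAX_KMH = 900  # fastest plausible travel speed (commercial flight); assumed threshold

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_session_anomalies(events):
    """Return alerts for a session reused from a new IP/UA or at impossible speed."""
    alerts = []
    first_seen = {}  # session id -> the event that established it (the MFA sign-in)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if sid not in first_seen:
            first_seen[sid] = ev
            continue
        base = first_seen[sid]
        if ev["ip"] != base["ip"] or ev["ua"] != base["ua"]:
            alerts.append((sid, ev["user"], "session reused from new IP/user-agent"))
        hours = (parse_ts(ev["ts"]) - parse_ts(base["ts"])).total_seconds() / 3600
        km = haversine_km(base["lat"], base["lon"], ev["lat"], ev["lon"])
        if hours > 0 and km / hours > MAX_KMH:
            alerts.append((sid, ev["user"], f"impossible travel: {km:.0f} km in {hours:.2f} h"))
    return alerts

if __name__ == "__main__":
    for alert in detect_session_anomalies(EVENTS):
        print(alert)
```

Only the replayed session S1 produces alerts; bob's session stays on the same IP and device and is left alone.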

What Actually Helps

If MFA alone doesn’t stop these attacks, what does? A few things:

  • Phishing-resistant authentication: FIDO2 security keys and passkeys are bound to the legitimate domain. Even if a victim lands on a proxy page and enters their credentials, the FIDO2 challenge won’t complete because the domain doesn’t match. It’s the strongest single control against AiTM phishing right now. But it’s not a silver bullet. Attackers have started experimenting with downgrade attacks that force fallback to weaker MFA methods.
  • Token protection and session monitoring: Conditional Access policies in Entra ID can enforce token binding and flag token replay from unexpected locations or devices. If an attacker tries to use a stolen session cookie from a different IP or device, the policy can step in. You should also be monitoring for impossible travel, unusual sign-in patterns, and session anomalies.
  • Browser-level visibility: One of the blind spots most security teams have is the browser itself. Push Security and others have been making the case that since all of these attacks happen in the browser, that’s where detection needs to live. Approaches include checking for reverse proxy indicators in the page context, flagging credential entry on non-corporate domains, and detecting BitB pop-ups.
  • Continuous access evaluation: Don’t just authenticate once and trust the session for hours. Microsoft’s Continuous Access Evaluation (CAE) can revoke sessions in near real-time based on risk signals, which limits the window an attacker has to use a stolen token.
  • User awareness that matches the actual threat: Most phishing training still teaches people to look for misspelled URLs and bad grammar. These kits produce pixel-perfect replicas of real login pages, often proxied through the real service. The training needs to catch up. Teach people to be suspicious of unexpected login prompts, to check the URL bar carefully (look for subtle domain mismatches, not typos), and to report anything that feels off even if it “looked real.”
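The "bound to the legitimate domain" property of FIDO2 and passkeys comes from checks the relying party performs on every assertion: the browser writes the page origin into clientDataJSON, and the authenticator hashes the RP ID into authenticatorData. The example below is added here (not code from the original post) and simulates both a genuine assertion and one produced on a proxy domain, then applies the origin and rpIdHash checks that reject the proxied one; the domain names and challenge are constructed, and signature verification, the final step of a real verifier, is not shown.

```python
import base64
import hashlib
import json

# Relying-party identity for the legitimate service (constructed example values).
EXPECTED_ORIGIN = "https://login.example.com"
EXPECTED_RP_ID = "login.example.com"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_assertion(origin: str, rp_id: str, challenge: bytes):
    """Simulate what a browser and authenticator produce for the page the user is on."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                              "origin": origin}).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()  # authenticator binds the RP ID
    flags = bytes([0x05])  # UP (user present) + UV (user verified)
    counter = (1).to_bytes(4, "big")
    return {"clientDataJSON": b64url_encode(client_data),
            "authenticatorData": b64url_encode(rp_id_hash + flags + counter)}

def verify_origin_binding(assertion, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks that tie the assertion to the real domain.
    Verifying the signature over authenticatorData || SHA-256(clientDataJSON)
    is the separate, final step and is not shown here."""
    client = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client.get('origin')}"
    auth = b64url_decode(assertion["authenticatorData"])
    if auth[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; a real RP uses a random per-ceremony value
    good = build_assertion("https://login.example.com", "login.example.com", challenge)
    proxied = build_assertion("https://login-example.test", "login-example.test", challenge)
    print(verify_origin_binding(good, challenge))
    print(verify_origin_binding(proxied, challenge))
```

Because the browser fills in the origin and RP ID itself, a relay sitting on another domain cannot produce an assertion these checks accept, which is why the downgrade to a weaker MFA method mentioned above is what attackers go after instead.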
Arnav Sharma (Microsoft MVP, MCT)
Microsoft Certified Trainer · Cloud · Cybersecurity · AI

I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.