Why this module exists. Email-borne phishing is no longer “click this link, enter password.” Modern kits proxy the entire login flow, capture session cookies post-MFA, and let the attacker step into the authenticated session. The defender’s playbook has evolved correspondingly. This module is the current state.
The 2026 attacker playbook
The modern phishing kit is not a static credential-harvest form. It is an Adversary-in-the-Middle (AiTM) reverse proxy:
- Victim clicks the phishing link.
- The phishing kit fetches the real login page from Microsoft, Google, or the target SaaS.
- Victim sees the real page rendered through the kit’s proxy.
- Victim enters credentials. Kit forwards to the real provider, captures the credential.
- Provider sends MFA challenge. Victim completes it through the kit.
- Provider returns a session cookie. Kit captures the cookie and forwards a success page to the victim.
- Attacker now has a valid session cookie. MFA is bypassed without ever breaking it.
EvilGinx, Modlishka, and Muraena are the open-source toolkits. Commercial phishing-kits-as-a-service sell pre-configured AiTM templates for $50-200/month per target brand.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.