Not long ago, running a convincing phishing campaign took real skill: clone a login page, host it, dodge takedowns, harvest credentials, and ideally beat multi-factor authentication. That barrier kept a lot of would-be attackers out. It’s gone. Today an attacker with almost no technical ability can rent a complete, professionally maintained phishing operation for the price of a streaming subscription. The thing they’re renting is a phishing kit.
What a phishing kit actually is
A phishing kit is a pre-packaged toolkit for running an attack: the HTML, CSS and JavaScript to reproduce a target’s login page pixel-for-pixel, plus the back-end that captures whatever the victim types. The modern evolution is phishing-as-a-service (PhaaS) — not a file you download but a subscription you rent, with a dashboard to configure campaigns, ready-made templates, hosting, victim tracking and built-in evasion. [1] It is, in every meaningful sense, a software product, complete with pricing tiers, updates and customer support over Telegram.
Why they’ve become so popular
- They erase the skill barrier. Intuitive dashboards and templates let a novice launch a sophisticated campaign in minutes. [2]
- They’re cheap, with extraordinary ROI. Tycoon 2FA sold from $120 for ten days; some kits go for under $25. [1][3]
- They bypass MFA. Many operate as adversary-in-the-middle (AiTM) reverse proxies: the victim signs in through the attacker’s server, completes the genuine MFA prompt against the real provider, and the attacker captures the resulting session cookie, which the provider then accepts as proof that MFA has already been satisfied. [5] Microsoft attributed 80% of MFA-bypass breaches to session-token theft. [6]
- They’re built to evade detection. Anti-bot checks, IP filtering, cloaking, obfuscation, even Cloudflare Turnstile challenges keep scanners away from the page. [2]
- The market is resilient. Take down one platform and customers move to the next. New variants appear constantly.
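The AiTM flow above leaves a trace in identity-provider sign-in logs: the provider never sees the victim's browser, so the MFA sign-in arrives from the proxy host, and the stolen token is then presented again from wherever the attacker works. The following is an added example, not code from the original page or from any vendor, that looks for exactly that pattern in constructed sign-in events. The event shape, the `CORP_EGRESS` ranges and the two-hour window are assumptions for the example.

```python
"""Detect session-token replay after an AiTM sign-in from constructed
sign-in events. Assumptions: a per-session identifier and source IP are
available (as in most IdP sign-in logs) and known corporate egress ranges
are listed in CORP_EGRESS."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SignInEvent:
    ts: datetime
    user: str
    session_id: str      # shared by every request carrying the same session token
    src_ip: str
    mfa_completed: bool  # True only for the interactive sign-in that satisfied MFA


# Hypothetical corporate egress ranges; a real detector would pull these from inventory.
CORP_EGRESS = [ip_network("203.0.113.0/24")]


def is_corp(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CORP_EGRESS)


def find_suspicious_sessions(events, window=timedelta(hours=2)):
    """Return {session_id: [reasons]} for sessions that look like AiTM token theft.

    Two signals are combined: the MFA step itself came from outside any known
    corporate network (the proxy host), and the same session token was later
    presented from a second source address (the attacker replaying it).
    """
    by_session = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(ev.session_id, []).append(ev)

    findings = {}
    for sid, evs in by_session.items():
        mfa = next((e for e in evs if e.mfa_completed), None)
        if mfa is None:
            continue
        reasons = []
        if not is_corp(mfa.src_ip):
            reasons.append(f"MFA completed from non-corporate address {mfa.src_ip}")
        later = [e for e in evs
                 if mfa.ts < e.ts <= mfa.ts + window and e.src_ip != mfa.src_ip]
        if later:
            minutes = int((later[0].ts - mfa.ts).total_seconds() // 60)
            reasons.append(f"token reused from {later[0].src_ip} {minutes} min after MFA")
        if len(reasons) == 2:
            findings[sid] = reasons
    return findings


# Constructed sample events (reserved documentation address ranges).
T0 = datetime(2025, 3, 3, 9, 0)
SAMPLE_EVENTS = [
    # bob: MFA and all later activity from the corporate egress
    SignInEvent(T0, "bob", "S-bob", "203.0.113.10", True),
    SignInEvent(T0 + timedelta(minutes=30), "bob", "S-bob", "203.0.113.10", False),
    # alice: MFA satisfied via a proxy on hosting space, cookie replayed 12 min later
    SignInEvent(T0 + timedelta(minutes=5), "alice", "S-alice", "198.51.100.7", True),
    SignInEvent(T0 + timedelta(minutes=17), "alice", "S-alice", "192.0.2.55", False),
    # carol: ordinary session, long gap, same corporate address throughout
    SignInEvent(T0 + timedelta(minutes=10), "carol", "S-carol", "203.0.113.22", True),
    SignInEvent(T0 + timedelta(hours=3), "carol", "S-carol", "203.0.113.22", False),
]

if __name__ == "__main__":
    for sid, reasons in find_suspicious_sessions(SAMPLE_EVENTS).items():
        print(sid, *reasons, sep="\n  ")
```

Requiring both signals keeps ordinary roaming (MFA from the office, then the same token from a phone network) out of the results, but a user who signed in from home and then changed networks will still be flagged; in production you would replace the raw IP comparison with ASN or device binding and tune the window to observed behaviour.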
The scale this has created
By 2025, a single platform reportedly pushed more than 30 million malicious emails in one month to over 500,000 organizations, and accounted for 62% of phishing attempts Microsoft blocked by mid-year. [3] This is no longer a cottage industry of lone scammers. It’s a supply chain.
Why this matters for defenders
The phishing-kit era breaks two comfortable assumptions. First, “we have MFA” is no longer a finish line: AiTM kits are built to relay any factor that can be relayed, which covers SMS codes, authenticator-app OTPs and push approvals alike. Only origin-bound, phishing-resistant factors (FIDO2 security keys and passkeys) survive a proxied sign-in, because the browser signs the real origin into the assertion and the relying party rejects anything else. MFA is table stakes, not a solution. Second, you can’t rely on the page looking wrong: kits produce pixel-perfect clones served over valid TLS, with evasion built in.
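To make the difference between a relayable factor and an origin-bound one concrete, here is an added example (not code from the original page) of the relying-party checks that stop a proxied FIDO2/passkey assertion: the `origin` in `clientDataJSON` and the `rpIdHash` in `authenticatorData`. The signature check is omitted, `RP_ID`, `EXPECTED_ORIGIN` and the proxy hostname are assumptions, and the two `browser_*` helpers stand in for what a browser fills in on the user's behalf.

```python
"""Why an AiTM proxy can relay an OTP but not a FIDO2/passkey assertion.
Added example: a relying party's origin and rpIdHash checks (a subset of
WebAuthn assertion verification; the signature check is omitted)."""
import base64
import hashlib
import json
import os

RP_ID = "login.example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # the only origin the RP accepts


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_client_data(page_origin: str, challenge: str) -> str:
    """What the browser puts in clientDataJSON. The origin is filled in by the
    browser from the page that called navigator.credentials.get(); page script
    cannot override it, so a proxied victim produces the proxy's origin."""
    return b64url(json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode())


def browser_authenticator_data(page_origin: str) -> bytes:
    """authenticatorData = SHA-256(rpId) || flags || signCount. The browser
    only permits an RP ID that is a registrable suffix of the page's own domain,
    so a phishing page can at best obtain a hash of its own domain."""
    host = page_origin.split("://", 1)[1]
    return hashlib.sha256(host.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"


def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: str):
    """Origin-binding subset of the WebAuthn relying-party checks."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def verify_otp(submitted: str, expected: str) -> bool:
    """A relayable factor: nothing in a six-digit code says where it was typed."""
    return submitted == expected


def demo():
    challenge = b64url(os.urandom(32))
    # 1. The user is on the real site: origin and rpIdHash both line up.
    ok_direct, _ = verify_assertion(browser_client_data(EXPECTED_ORIGIN, challenge),
                                    browser_authenticator_data(EXPECTED_ORIGIN), challenge)
    # 2. Same challenge relayed through a hypothetical AiTM host. The victim's
    #    browser is on the attacker's origin, and that is what gets signed.
    proxy_origin = "https://login.example-com.invalid"
    ok_proxied, why = verify_assertion(browser_client_data(proxy_origin, challenge),
                                       browser_authenticator_data(proxy_origin), challenge)
    # 3. A TOTP relayed the same way is indistinguishable from a legitimate one.
    ok_otp = verify_otp("492017", "492017")
    return ok_direct, ok_proxied, why, ok_otp


if __name__ == "__main__":
    print(demo())
```

The proxy can forward the challenge and the signed response untouched, but it cannot change the origin the victim's browser recorded, and the relying party compares that origin against its own before it ever looks at the signature. That is the whole reason "phishing-resistant" is a property of the factor, not of the user's vigilance.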
Catch the page, not the blocklist
Kits rotate domains constantly to stay ahead of blocklists. SafeToOpen judges the page itself, in real time — even one it’s never seen.
What still works is judging the page and message on their own merits, as they load, rather than waiting for them to appear on a blocklist after someone has already been caught. The attackers turned phishing into a product. The defense has to be just as systematic.
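As an added illustration of judging a page by what it actually serves rather than by its domain (example code, not SafeToOpen's product logic), the scorer below parses a login page and flags it when it collects a password and the content contradicts the site it sits on: a credential form that posts off-site, a brand named in the page that does not own the domain, or inline script that decodes itself at runtime. `BRAND_DOMAINS`, the obfuscation markers, the naive registrable-domain rule and both sample pages are constructed for the example.

```python
"""Judge a login page by its own content rather than a domain blocklist.
Added example: a small heuristic scorer over the HTML actually served."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical brand -> legitimate registrable domains (a curated list in practice).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
    "google": {"google.com", "gstatic.com"},
}
OBFUSCATION_MARKERS = ("atob(", "eval(", "unescape(", "String.fromCharCode(")


def registrable_domain(host):
    # Naive last-two-labels rule; use the Public Suffix List for anything real.
    return ".".join(host.lower().split(".")[-2:])


class LoginPageParser(HTMLParser):
    """Collects the title, visible text, inline scripts and forms of a page."""

    def __init__(self):
        super().__init__()
        self.title, self.text, self.scripts, self.forms = "", [], [], []
        self._in_title = self._in_script = False
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "script":
            self._in_script = True
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._form)
        elif (tag == "input" and self._form is not None
              and (a.get("type") or "").lower() == "password"):
            self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "script":
            self._in_script = False
        elif tag == "form":
            self._form = None

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._in_script:
            self.scripts.append(data)
        else:
            self.text.append(data)


def assess(page_url, html):
    """Verdict for one page: suspicious only if it collects a password AND at
    least one content signal contradicts the site it is served from."""
    p = LoginPageParser()
    p.feed(html)
    host = urlparse(page_url).hostname or ""
    site = registrable_domain(host)
    reasons = []
    cred_forms = [f for f in p.forms if f["password"]]
    for f in cred_forms:
        target = urlparse(urljoin(page_url, f["action"])).hostname or host
        if registrable_domain(target) != site:
            reasons.append(f"credential form posts off-site to {target}")
    corpus = (p.title + " " + " ".join(p.text)).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in corpus and site not in domains:
            reasons.append(f"page presents as {brand} but is served from {host}")
    if any(m in s for s in p.scripts for m in OBFUSCATION_MARKERS):
        reasons.append("inline script decodes or evaluates code at runtime")
    return {"url": page_url, "suspicious": bool(cred_forms and reasons), "reasons": reasons}


# Constructed sample pages; hostnames use reserved .invalid / example names.
CLONE_URL = "https://login.micros0ft-verify.invalid/common/oauth2"
CLONE_HTML = """<html><head><title>Sign in to your Microsoft account</title></head><body>
<form method="post" action="/next">
  <input type="email" name="login"><input type="password" name="passwd">
  <button>Sign in</button></form>
<script>eval(atob('Li4u'));</script></body></html>"""

REAL_URL = "https://login.microsoftonline.com/common/oauth2"
REAL_HTML = CLONE_HTML.replace("<script>eval(atob('Li4u'));</script>", "")

if __name__ == "__main__":
    for url, html in ((CLONE_URL, CLONE_HTML), (REAL_URL, REAL_HTML)):
        print(assess(url, html))
```

Note that the clone's form posts to its own origin, which is exactly what an AiTM proxy does when it rewrites the real page, so the cross-origin check alone would miss it; the brand-versus-domain mismatch is what carries the verdict, and no part of the decision depends on having seen the hostname before.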