Contact
Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Cybersecurity is about sharing. Recognize the risk,
combat it, share your experiences, and encourage others
to do better than you.
LECS 320x100 1
Banner Ransomfeed 970x120 1
Your MFA is no longer enough: Phishing kits bypass multi-factor authentication

Your MFA is no longer enough: Phishing kits bypass multi-factor authentication

23 January 2026 11:37

The amount of PhaaS kit has doubled since last year, according to an analysis by Barracuda Networks, placing increased pressure on security teams.

Aggressive newcomers Whisper 2FA and GhostFrame introduced innovative and evasive tools and tactics, including a suite of techniques to prevent malicious code analysis, while established groups like Mamba and Tycoon continued to evolve and grow. As a result, each kit was responsible for millions of attacks.

According to the analysis, the most popular tools and techniques used by phishing kits in 2025 were:

  • Bypassing multi-factor authentication, found in 48% of attacks.
  • URL obfuscation techniques, also present in 48% of cases.
  • Malicious use of CAPTCHAs to bypass defenses, in 43% of all attacks.
  • Polymorphic techniques and malicious QR codes, present in approximately 20% of attacks.
  • Malicious attachments, used in 18% of total cases.
  • Fraudulent use of trusted online platforms (10% of attacks) and generative AI tools such as zero-code development sites (also 10%).

The main themes used in phishing emails are very similar to those of previous years: in 2025, one in five phishing emails (19%) involved payment and invoice scams. Emails related to digital signatures and document review accounted for 18% of attacks, while HR-related documents accounted for 13%. Many exploited trusted brands, increasingly imitating websites and logos.

Phishing kits have taken another quantum leap in 2025, increasing both in number and sophistication, providing cybercriminals, including the most inexperienced, with advanced and comprehensive attack platforms, enabling them to launch powerful attacks at scale,” said Ashok Sakthivel, Director, Software Engineering at Barracuda . These kits leverage techniques designed to make it more difficult for users and security teams to detect and prevent fraud. To protect themselves, organizations must go beyond static defenses and adopt multi-layered strategies: user training, phishing-resistant multi-factor authentication (MFA), continuous monitoring, and ensuring that email protection is at the heart of an integrated, end-to-end security strategy .”

What to expect in 2026

In addition to traditional and consolidated approaches, Barracuda analyzed new and evolving techniques.

Phishing Kit 2.0

  • The next-generation PhaaS kit business model will feature structured subscription plans, ranging from basic phishing kits to highly targeted, sophisticated, and personalized AI-powered campaigns.
  • By the end of 2026, Barracuda predicts that over 90% of credential compromise attacks will be attributed to the use of phishing kits, which will account for over 60% of all phishing attacks.

Dynamic evasion techniques and customized payloads

Attackers will shift from static to dynamic, context-aware approaches. Advanced techniques expected to increase in volume include:

  • Malicious code hidden inside seemingly harmless image and audio files (steganography).
  • Using split and merged QR codes in attacks and introducing dynamic and multi-stage QR codes.
  • Widespread abuse of the OAuth (Open Authorization) system, often used to access apps or services without sharing a password.
  • Highly advanced URL circumvention techniques, including the use of ephemeral Blob URIs, which are a type of web address used to store data locally in the browser’s memory.
  • Dynamic code injection and fully disguised malicious scripts.

AI-powered self-adaptive campaigns

  • These AI-powered attacks will move at unprecedented speed and will feature improved encryption, deeper levels of obfuscation, and adaptive payloads.
  • Attackers are also expected to intensify their efforts to exploit AI itself, using prompt injection techniques and targeting AI agents with the aim of manipulating or compromising AI-based security tools.

MFA code theft and manipulation

  • There will be an increase in MFA code thefts via phishing, thanks to tactics such as mass push notifications for authentication and relay attacks. On the other hand, social engineering strategies will target authentication recovery flows, such as password reset codes or various account recovery options.
  • Attackers will also use social engineering in attacks that aim to simplify multifactor authentication by coercing or tricking the user into selecting an alternative, easier-to-bypass method.

Increase in CAPTCHA-based attacks

  • According to Barracuda, by the end of 2026, over 85% of phishing attacks will use CAPTCHAs to bypass automated security tools and ensure interactions are handled by a human.

Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.

Cropped RHC 3d Transp2 1766828557 300x300
The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.