
By Flare Research
Phishing has quietly crossed a strategic threshold. What began as low-effort social engineering has evolved into a fully industrialized underground economy, complete with modular tooling, subscription pricing, customer support, affiliates, and rapid innovation cycles.
In 2026, phishing kits and phishing-as-a-service (PhaaS) platforms dominate the cybercriminal marketplace, with a clear focus on bypassing MFA, hijacking live sessions, and monetizing access at scale.
Our research, based on 8,627 distinct underground posts, shows that phishing is no longer a “commodity threat” that can be mitigated by user training and basic MFA alone. Instead, it has become a repeatable identity-compromise supply chain—one that adapts faster than most enterprise controls.
For security practitioners and CISOs, the implication is stark: identity is now the primary breach vector, and the organizations that win will be those that can see phishing campaigns forming before they hit inboxes, and disrupt them before accounts are taken over.
This is where external threat intelligence, and specifically real-time visibility into the cybercrime ecosystem, becomes operationally decisive.
Keep reading for the highlights, and read the full report, The Phishing Kits Economy in Cybercrime Markets, here.
Gain Visibility into Phishing Infrastructure
Flare monitors the clear and dark web, underground forums, Telegram channels, and ransomware leak sites to detect leaked credentials, stolen session tokens, and phishing infrastructure targeting your organization, delivering actionable alerts instead of noise.
Why Phishing Kits Matter (Beyond “Phishing Is Bad”)
Most security leaders already know phishing is common. What’s changed is reliability and scale.
Our findings show:
- Phishing kits are abundant, not scarce
- MFA bypass is now a standard feature, not an advanced option
- Low-skill attackers can run high-impact campaigns using turnkey tooling
- Hybrid kits evolve faster than signature-based detection can keep up
This fundamentally breaks several long-standing assumptions used in board reporting:
- “We have MFA, so credential theft risk is reduced.”
- “User awareness training significantly lowers phishing risk.”
- “We’ll see indicators on the dark web after a breach.”
In reality, the cybercrime market now functions like a SaaS ecosystem, where successful techniques are quickly packaged, sold, iterated, and redeployed globally.
What the Underground Economy Actually Looks Like
A Phishing Kits Boom Driven by PhaaS
Over 54% of all analyzed content focused on phishing kits or PhaaS platforms. More importantly, 36% of all posts were classified as high-confidence real threats, with concrete operational details such as pricing, screenshots, infrastructure descriptions, and live campaigns.
This is not noise. This is a functioning market.
Platforms like EvilProxy, Tycoon2FA, and emerging hybrids dominate discussion because they work – reliably intercepting credentials, MFA tokens, and session cookies in real time.
Takeaway: attackers don’t need innovation. They rent it.
Deep Web Forums and Telegram are the Early-Warning Layer
The majority of activity originates from:
- Closed deep-web forums (58.8%)
- Telegram channels and groups (14.1%)
Tor-based dark web markets exist, but they are not where most phishing innovation appears first. Instead, new kits, updates, and campaign coordination surface in semi-closed ecosystems long before victims see emails.
This is where threat exposure management comes in: continuously monitoring these environments and correlating actors, tools, campaigns, and brand mentions provides early indicators that SOCs and email gateways simply cannot see.
Attackers Target Money First, Identity Second
Target analysis reveals a rational, profit-driven ecosystem:
Single-target campaigns
- Crypto: 54%
- Microsoft (O365 / enterprise identity): 21%
Multi-target “combo kits”
- Banking: 82%
- Amazon: 76%
- PayPal: 75%
Identity providers (Microsoft, Google, Apple) appear most often as enablers rather than end goals: they are used to reset passwords, bypass recovery flows, and persist access.
Takeaway: Your brand being impersonated is less important than your employees’ identity being abused to access finance, SaaS, and cloud platforms.
Why Traditional Defenses Are Failing
1. MFA is no longer a stopping point.
Modern phishing kits don’t steal passwords; they proxy sessions, replay tokens, and bypass OTP-based MFA entirely. In cybercrime discussions, MFA is treated as a design constraint, not a blocker.
2. Browser-in-the-Browser breaks user intuition.
BitB techniques convincingly spoof full browser windows, including address bars. Telling users to “check the URL” is now ineffective against pixel-perfect deception.
3. Hybrid kits evade static detection.
The Tycoon2FA–Salty2FA hybrid illustrates how attackers merge infrastructures to defeat kit-specific signatures. Detection rules tuned to one lineage silently fail as tooling evolves.
Takeaway: If your phishing detection relies on known URLs, static IoCs, or kit fingerprints, your visibility gap is growing, not shrinking.
What Your Security Team Can Do Now
- Assume MFA can be bypassed: Prioritize phishing-resistant MFA for admins, finance, IT, and developers.
- Instrument identity behavior, not just endpoints: Correlate IdP logs, token usage, device posture, and session anomalies.
- Treat session theft as a breach precursor: Include session revocation, OAuth audits, and mailbox rule hunting in IR playbooks.
- Use external intelligence as a control input: Platforms like Flare provide signals you cannot generate internally, enabling proactive defense.
- Modernize security awareness: Train users on AiTM, BitB, QR-based phishing, and fake MFA prompts – not just suspicious emails.
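As an added example (not from the original article or from Flare) of the "instrument identity behavior" recommendation above, the following sketch correlates sign-in and token-use events per session and flags token use whose network or device context differs from the MFA sign-in that created the session. The event field names and sample records are constructed assumptions, not any specific IdP's log schema.

```python
from collections import defaultdict

# Constructed sample events; field names are assumptions, not a real IdP schema.
EVENTS = [
    {"ts": 100, "type": "signin_mfa", "user": "alice", "session": "s1",
     "asn": 64500, "device": "dev-a", "managed": True},
    {"ts": 160, "type": "token_use", "user": "alice", "session": "s1",
     "asn": 64500, "device": "dev-a", "managed": True},
    {"ts": 200, "type": "signin_mfa", "user": "bob", "session": "s2",
     "asn": 64501, "device": "dev-b", "managed": True},
    {"ts": 230, "type": "token_use", "user": "bob", "session": "s2",
     "asn": 64999, "device": None, "managed": False},
    {"ts": 300, "type": "token_use", "user": "carol", "session": "s3",
     "asn": 64502, "device": "dev-c", "managed": True},
]


def find_session_anomalies(events):
    """Return {session: sorted reasons} for token use that departs from
    the context in which the session's MFA sign-in was completed."""
    baseline = {}
    findings = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):  # logs may arrive unordered
        sid = ev["session"]
        if ev["type"] == "signin_mfa":
            baseline.setdefault(sid, ev)  # first MFA sign-in defines the session
            continue
        if ev["type"] != "token_use":
            continue
        base = baseline.get(sid)
        if base is None:
            # Token used with no recorded MFA sign-in: logging gap or replayed token.
            findings[sid].add("no_mfa_signin_seen")
            continue
        if ev["asn"] != base["asn"]:
            findings[sid].add("asn_changed")
        if ev["device"] != base["device"]:
            findings[sid].add("device_changed")
        if base["managed"] and not ev["managed"]:
            findings[sid].add("managed_to_unmanaged")
    return {sid: sorted(reasons) for sid, reasons in findings.items()}


if __name__ == "__main__":
    for sid, reasons in find_session_anomalies(EVENTS).items():
        print(sid, reasons)
```

Findings like these are triage signals for the session-revocation step in an IR playbook; roaming users and VPN changes will also trip the ASN check, so the reasons are best weighted together rather than alerted on individually.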
How You Can Change the Game with Flare
Keep reading to learn about the ways you can mitigate risks for your organization with Flare:
- Are you a target? Do you know if someone is selling or buying a phishing kit that targets your organization?
Flare monitors:
- Open-source tools
- Deep web
- Dark web
- Instant messaging platforms
- Many other sites and channels
Flare detects:
- Brand impersonation chatter before mass distribution
- Actor collaboration about specific companies
- Campaign planning discussions
- Are you fully updated about the threat landscape? With Flare, you’re not just reporting phishing. You’re continuously mapping the phishing economy.
Flare detects:
- New phishing kits and feature updates
- Campaign planning discussions
- Actor collaboration and kit purchases
- Brand impersonation chatter before mass distribution
- Don’t want to be overwhelmed by noise? Prioritized alerts give you lead time, not just alerts.
Instead of flooding teams with mentions, Flare:
- Scores authenticity and confidence
- Links actors to tools, targets, and infrastructure
- Distinguishes real threats from scams and noise
- Do you have access to premium threat intelligence data? Enabling your security team is core to strategic foresight for security leadership.
Flare helps security practitioners answer questions like:
- Which phishing capabilities are attackers adopting right now?
- Which brands and workflows are being targeted next?
- Are we facing mass-market fraud or targeted identity abuse?
This shifts security from reactive defense to informed risk management.
To more fully understand the phishing kits economy, read the full report, The Phishing Kits Economy in Cybercrime Markets, here.





