
How phishing kits fuel credential theft in healthcare


Credential theft remains one of the most common outcomes of phishing in healthcare. The UK’s National Cyber Security Centre (NCSC) explains, “Phishing is when criminals use scam emails, text messages, or phone calls to trick their victims. The aim is often to make you visit a website, which may download a virus onto your computer, or steal bank details or other personal information.” In healthcare settings, stolen credentials often provide direct access to email accounts, patient records, and billing systems.

Phishing is also one of the most common initial access methods in cyber incidents. The Cybersecurity and Infrastructure Security Agency (CISA) states, “More than 90% of successful cyber-attacks start with a phishing email.” Paubox’s report on the top 3 healthcare email attacks in 2025 found that phishing-driven mailbox takeovers were the most damaging attack type by impact last year, exposing more than 630,000 individuals.

Many of these attacks are not built from scratch. Campaigns targeting healthcare rely on prepackaged phishing kits. IBM describes phishing kits as a “collection of tools, resources, and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign.” In other words, attackers can reuse the same infrastructure repeatedly, lowering the technical skill required to launch large numbers of attacks.

Paubox’s report “Healthcare IT is dangerously overconfident about email security” describes this shift as “deception at scale,” where automation and AI are used to mimic the tone and urgency of legitimate professional communication. Security researchers have also observed the increase of “combo kits,” which imitate multiple brands at once and are used in broad credential theft campaigns across sectors, including healthcare.

The widespread availability of phishing kits reduces the effort required to run repeated campaigns, making credential theft easier to scale and harder to contain once attackers gain access. Containment is already a challenge in healthcare; Paubox’s report “What small healthcare practices get wrong about HIPAA and email security” notes that it takes an average of 10 months to detect and contain a healthcare breach.


Phishing dynamics in healthcare operations

Phishing attacks exploit the fact that healthcare organizations rely heavily on email communication for patient care coordination, access management, and internal workflows. A peer-reviewed study of phishing within a single healthcare organisation noted that hospitals receive a high volume of potentially malicious messages and that staff awareness varies across roles.

The research observed that “healthcare organisations are increasingly moving to electronic patient record (EPR) systems and other digital systems,” and that phishing typically involves messages that encourage recipients to click links or open attachments.

During a controlled phishing assessment, roughly 2%–3% of email and internet traffic to a healthcare organization was classed as suspicious, showing how frequently phishing tactics appear in normal operations.

While that simulated test did not result in credential capture, the findings showed that a meaningful share of everyday digital communication contains identifiable threats that could be exploited if defenses or staff recognition are inadequate.



Human behavior and phishing risk

Phishing campaigns do not rely solely on technology; they also exploit human factors. Research examining security behavior among healthcare staff has found that workload and work pressure can influence how people respond to suspicious messages.

In one study, statistical analysis showed that perceived barriers, self-efficacy, and workload factors were correlated with phishing security behavior, meaning that staff under greater stress or carrying heavy duties could be more vulnerable when assessing a phishing message.

The findings suggest that even well-trained staff may misjudge phishing cues when facing competing priorities, a pattern security teams must consider when designing training and layered defenses.


Phishing kits and large-scale campaigns in healthcare

Real-world campaigns have shown how phishing kits fuel credential theft at scale. In September 2025, Microsoft announced that it had disrupted a growing phishing service that had targeted at least 20 U.S. health care organizations. Regulatory action allowed the seizure of 338 websites associated with a kit known as RaccoonO365, which impersonated Microsoft communications to steal login credentials.

Reporting on the disruption detailed that RaccoonO365 offered subscription-based phishing kits to enable attackers to send spoofed emails and direct recipients to fake login pages. The infrastructure had been used to harvest thousands of Microsoft 365 credentials, including staff accounts from health care organizations.

These stolen credentials were not just data; they were a gateway. Microsoft noted that “credentials stolen through RaccoonO365 enabled ransomware attacks against hospitals, posing a direct threat to patient and community safety,” showing how phishing kit-driven credential theft can have a real operational impact.

A related report explained that the RaccoonO365 operation had been active since at least July 2024, with subscription pricing and optional AI-enhanced features introduced to improve targeting and bypass security measures like multi-factor authentication.

The operation’s leader was traced to Nigeria, and investigators alleged that the kits had been used to steal thousands of credentials across sectors, including healthcare.



Phishing kits as a service economy

These incidents reflect a larger trend in cybercrime known as phishing-as-a-service (PhaaS). In this model, developers market ready-made phishing infrastructure to subscribers, who can then launch credential theft campaigns with minimal technical knowledge. This lowers the cost of entry while increasing the volume and frequency of attacks.

The same Microsoft report explains that RaccoonO365 kits could be rented for as little as $12 per day, allowing subscribers to send up to 9,000 phishing emails daily using the prebuilt infrastructure.

These kits often incorporate features designed to evade basic protections such as multi-factor authentication, using techniques that intercept or harvest login sessions once users enter their credentials.


Why email remains the primary vector and what can be done

Phishing kits continue to succeed because they exploit email, the most widely used communication channel in healthcare. Appointment reminders, patient follow-ups, internal alerts, and external correspondence all move through email systems, giving attackers plenty of chances to blend into everyday traffic.

Because email sits at the center of these workflows, credential theft is often the first step in a larger attack. Once a phishing kit captures valid login details, attackers can expand access, move through connected systems, or introduce additional threats such as ransomware or data theft. In fact, Microsoft Threat Intelligence found that in healthcare environments, most observed malicious activity was related to phishing campaigns delivered via email and that “email remains one of the largest vectors for delivering malware and phishing attacks.”

As phishing kits have become more common, inbound email defenses have taken on a more central role in layered security strategies. AI-driven filtering tools can detect patterns associated with credential harvesting campaigns and stop suspicious messages before staff members interact with them.

Real-time analysis of message content, sender behavior, and embedded links allows solutions like Paubox Inbound AI to reduce exposure to convincing phishing lures. While no control removes human risk entirely, stronger inbound filtering limits how often attackers can use email as their primary delivery path.
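The three signals named above (message content, sender behavior, embedded links) can be turned into concrete checks. The following is an added example written for this article; it is not Paubox’s code and not how Paubox Inbound AI works. It scores two constructed messages with simple heuristics: a Microsoft 365 credential lure of the kind described in the RaccoonO365 section, and an ordinary internal reminder. The brand domain allowlist, word lists, weights and thresholds are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative allowlist of domains a brand legitimately sends from and links to.
# This is an assumption made for the example; a real gateway uses maintained lists.
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com", "office.com", "microsoftonline.com", "live.com"),
}
URGENCY_WORDS = ("urgent", "suspended", "expires", "immediately", "24 hours", "verify")
CREDENTIAL_WORDS = ("password", "sign in", "log in", "login", "credentials")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample messages (not real mail): a Microsoft 365 credential lure of the
# kind the article describes, and an ordinary internal reminder for comparison.
SAMPLE_PHISH = """From: "Microsoft 365 Support" <security@microsoft-365-verify.example>
To: nurse.manager@clinic.example
Subject: URGENT: Your mailbox will be suspended in 24 hours
Content-Type: text/html

<html><body><p>Your password expires today.
<a href="http://login-portal.example.net/o365/verify">Sign in to Microsoft 365</a>
to keep your account active.</p></body></html>
"""

SAMPLE_LEGIT = """From: "Clinic Scheduling" <scheduling@clinic.example>
To: nurse.manager@clinic.example
Subject: Appointment reminder for Tuesday
Content-Type: text/html

<html><body><p>Reminder: staff meeting Tuesday 9am. Agenda at
<a href="https://intranet.clinic.example/agenda">intranet.clinic.example/agenda</a>.</p></body></html>
"""


def _host_matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def _brands_in(text):
    text = text.lower()
    return [b for b in BRAND_DOMAINS if b in text]


def _body_text(msg):
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
             for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join(parts)


def score_message(raw):
    """Score one raw RFC 5322 message; returns score, reasons and a delivery verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = _body_text(msg)
    text = (msg.get("Subject", "") + " " + body).lower()
    score, reasons = 0, []

    # Sender behaviour: display name claims a brand the sending domain does not belong to.
    for brand in _brands_in(display):
        if not _host_matches(sender_domain, BRAND_DOMAINS[brand]):
            score += 3
            reasons.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    # Message content: urgency and credential language typical of harvesting lures.
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        score += len(hits)
        reasons.append("urgency language: " + ", ".join(hits))
    if any(w in text for w in CREDENTIAL_WORDS):
        score += 1
        reasons.append("credential-related language")

    # Embedded links: anchor text names a brand the destination host is not part of,
    # cleartext http, or a host unrelated to both the sender and any known brand.
    for href, anchor in ANCHOR_RE.findall(body):
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        anchor_text = re.sub(r"<[^>]+>", "", anchor)
        for brand in _brands_in(anchor_text):
            if not _host_matches(host, BRAND_DOMAINS[brand]):
                score += 3
                reasons.append(f"link text claims '{brand}' but points to {host}")
        if parsed.scheme == "http":
            score += 1
            reasons.append(f"cleartext http link to {host}")
        known = [sender_domain] + [d for ds in BRAND_DOMAINS.values() for d in ds]
        if host and not _host_matches(host, known):
            score += 1
            reasons.append(f"link host {host} unrelated to sender domain")

    verdict = "quarantine" if score >= 6 else "flag" if score >= 3 else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = score_message(raw)
        print(name, result["verdict"], result["score"])
        for reason in result["reasons"]:
            print("  -", reason)
```

Run as a script, the lure is quarantined on the strength of the brand mismatch in both the display name and the link, plus its urgency wording, while the internal reminder scores zero and is delivered. The design point is that no single check decides the outcome: a sender mismatch alone might be a misconfigured vendor, and urgency words alone appear in plenty of legitimate mail, but a message that trips all three signals together is rarely benign, which is why the weights and a threshold are combined rather than used as individual block rules.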


FAQs

What are phishing kits?

Phishing kits are prepackaged toolsets that include fake login pages, hosting instructions, and data collection mechanisms that make credential theft campaigns easier to deploy.


Why do attackers use phishing kits instead of building their own?

Kits reduce setup time and allow even low-skill actors to launch high-volume credential theft campaigns, spreading risk across multiple campaigns and targets.


Are healthcare staff especially vulnerable to phishing?

Research has shown that heavy workload and work pressure can influence how staff members interact with suspicious messages, and healthcare organizations receive a large volume of potentially malicious communications.


Do phishing kits bypass two-factor authentication?

Many modern kits use real-time interception or session capture techniques to harvest credentials even when multi-factor authentication is present.


Can better inbound email protection stop phishing kit campaigns entirely?

No defense can stop every attempt, but solutions that combine AI analysis with inbound filtering greatly reduce the number of malicious communications that reach staff inboxes, limiting the exposure attackers can exploit.
