New AI-driven phishing kits accelerate credential theft worldwide

Cybersecurity researchers warn of increasingly sophisticated phishing tools leveraging artificial intelligence (AI) and multi-factor authentication (MFA) bypass techniques to steal login data at scale.

What happened

Cybersecurity experts have uncovered a wave of advanced phishing kits that combine artificial intelligence (AI), evasive design, and multi-factor authentication (MFA) bypass tactics to execute large-scale credential theft campaigns targeting corporate and individual accounts across major online platforms. 

According to a report published by The Hacker News, researchers have documented four new phishing toolkits, BlackForce, GhostFrame, InboxPrime AI, and Spiderman, that are actively being used in malicious campaigns. These kits facilitate credential harvesting and account takeovers by tricking victims into entering login credentials on convincingly spoofed web pages, often followed by real-time interception of MFA codes.

Going deeper 

Cybersecurity analysts note that these kits are more than simple phishing clones; they are Phishing-as-a-Service (PhaaS) platforms with modular features and automated functions that significantly lower the barrier to entry for cybercriminals. The incorporation of AI into tools like InboxPrime AI automates message crafting and personalization, making phishing campaigns more scalable and harder to detect. 

BlackForce’s browser attacks (Man-in-the-Browser) and ability to thwart multi-factor authentication (MFA) show that attackers are innovating not just in social engineering but also in technical interception, reflecting a trend where even multi-factor protections can be undermined by cleverly orchestrated phishing flows.

These kits combine advanced technical features with automated workflows to steal credentials and authentication codes in real time, often redirecting victims to legitimate websites to mask the compromise.

How the phishing kits work

• BlackForce: First detected in August 2025, this phishing kit uses MitB techniques to capture one-time passwords and bypass MFA after victims enter credentials. It impersonates over a dozen trusted brands and is sold on underground forums for a few hundred euros.
• GhostFrame: Delivers phishing content through embedded invisible iframes, allowing attackers to update malicious pages without changing what the victim sees, helping evade detection by security scanners.
• InboxPrime AI: Leverages artificial intelligence to generate highly convincing, personalized phishing emails at scale, improving the likelihood that targets engage with the malicious content while bypassing spam filters.
• Spiderman: Focuses on European banking and financial services, replicating login flows to harvest credentials, session data, and additional authentication codes needed for transaction approvals.

Once victims provide their login information and MFA codes, attackers gain full access to the accounts. Victims are typically redirected to legitimate websites’ homepages to conceal the breach.

What was said

Security researchers have stressed the sophisticated and stealthy nature of these new phishing kits. Barracuda’s Sreyas Shetty explained how GhostFrame employs an invisible iframe to load phishing pages, allowing attackers to update malicious content without altering the parent page, which “helps evade detection from automated scanners and security tools.” Analysts from Zscaler ThreatLabz indicated the power of AI-driven automation in InboxPrime AI, noting that by “leveraging AI to generate personalized phishing emails at scale,” the tool significantly increases the likelihood of deceiving victims while effectively bypassing traditional spam filters. Regarding BlackForce, researchers warned that its man-in-the-browser capabilities, combined with real-time interception of multi-factor authentication (MFA) codes “represent a worrying advancement in phishing tactics — enabling attackers to bypass multi-factor authentication protections that were once considered robust.” Together, these observations reveal how threat actors are continuously refining their methods to outpace security defenses.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

The bigger picture

The rise of AI-powered phishing kits is part of a broader trend where artificial intelligence is being harnessed to amplify cyber fraud far beyond traditional email scams. Earlier in 2025, researchers identified phishing campaigns that exploited legitimate generative AI website builders to create highly convincing spoof sites imitating official government services. This approach demonstrated how AI tools can be repurposed by threat actors to craft realistic, sophisticated attack surfaces that deceive even cautious users. By automating both the creation of fraudulent websites and the personalization of phishing messages, AI significantly lowers the barrier for cybercriminals to launch large-scale, targeted campaigns with greater success rates. This evolution reflects a shift where AI no longer simply assists attackers but fundamentally transforms the scale, complexity, and effectiveness of phishing and social engineering attacks.

Go deeper: AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims

FAQS

How important is user training in defending against AI-powered phishing attacks?

Educating employees and users about recognizing phishing cues, verifying unexpected requests, and reporting suspicious messages reduces the likelihood of successful compromise.

Is multi-factor authentication still effective against these attacks?

While MFA greatly enhances security, some advanced phishing kits can intercept MFA codes in real time, reducing its effectiveness. Therefore, stronger forms of MFA and additional security layers are recommended.

What can organizations do to protect themselves from these advanced phishing attacks?

Organizations should implement phishing-resistant MFA methods (such as hardware security keys), train employees to recognize sophisticated phishing attempts, use AI-enhanced email filtering, and continuously monitor for unusual account activities.