Gmail, Yahoo targeted by a new two-factor authentication phishing kit

SlashNext Threat Researchers discovered a new phishing kit on cybercrime networks. The kit is called Astaroth, and it bypasses two-factor authentication (2FA) via session hacking and real-time interception of credentials.

The kit deploys a evilginx-style reverse proxy to seize and exploit traffic between targets and legitimate authentication services (such as Gmail, Yahoo and Microsoft) and acts as a man-in-the-middle to capture tokens, credentials, and session cookies. Since Astaroth can intercept authentication data in real-time, many traditional phishing defense measures are ineffective. 

Security leaders weigh in 

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck:

This phishing kit shows an alarming amount of sophistication. All the usual defenses and things to look out for that we train users on, are harder to spot with this attack. Having the infrastructure running on providers who don’t cooperate with law enforcement will make it more difficult to take down these malicious actors. Recently, the United States and European countries placed sanctions on countries harboring these bullet-proof hosting providers. Users should be extra cautious when receiving an email purporting to be from an organization they know and demanding an immediate action. If such an email is received, users should visit the website directly and not click the link to see if there are any alerts or problems with their account.

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security: 

Astaroth highlights how cybercriminals are continuously evolving their tactics, transforming phishing into a profitable industry where sophisticated attacks are sold like commercial software — complete with updates, customer support and even testing guarantees. By leveraging real-time credential interception and reverse proxies to hijack authenticated sessions, attackers can bypass even the strongest phishing defenses — including Multi-Factor Authentication (MFA). The availability of kits like Astaroth lowers the barrier to entry for cybercriminals, empowering less-experienced cybercriminals to execute highly effective attacks. 

To combat these growing threats, organizations must implement a robust, multi-layered security strategy that includes password managers, endpoint security controls, real-time threat monitoring and ongoing employee training. Privileged Access Management (PAM) is also critical, as it restricts attackers’ access to critical systems — even when login credentials are compromised. Without these proactive defenses, businesses remain vulnerable to increasingly sophisticated phishing tactics that easily bypass traditional security measures.

Nico Chiaraviglio, Chief Scientist at Zimperium:

The discovery of this phishing kit highlights a growing trend of increasing sophistication in attack techniques, while simultaneously lowering the barrier to entry. By offering phishing kits as a service, even unskilled attackers can leverage advanced methods at a modest cost.

Jason Soroko, Senior Fellow at Sectigo:

MFA attacks have shifted from static credential phishing to real-time session hijacking. Attackers now use man-in-the-middle reverse proxies to mimic legitimate sites, capturing usernames, passwords, 2FA tokens, and session cookies instantly. This method hijacks authenticated sessions before security can react, rendering 2FA ineffective. MFA that has shared secrets that can be harvested, will be harvested. Not all MFA are created equal.

Unlike older tools that only grab static credentials, Astaroth intercepts every authentication step, including 2FA tokens, via an evilginx-style proxy. Its dynamic capture of the victim’s session, continuous updates and accessible pricing mark a significant escalation in MFA bypass tactics.