Source: Criminal IP — "Analyzing Phishing Infrastructure and Attack Patterns Using Daily Malicious Phishing Data" (27 April 2026). Criminal IP is a threat intelligence platform; not a competitor of Artificer Cyber.
Threat intelligence firm Criminal IP recently published an analysis of their publicly available Daily-Mal-Phishing dataset — a daily-updated collection of malicious URLs spanning September 2024 to April 2026, covering over 52,000 phishing URLs across 91 countries. The dataset is narrow by design (it is a free sample, not their full feed), but the structural patterns it exposes are consistent with what the broader security research community has documented across the same period.
The short version: phishing infrastructure has professionalised. The days of a single dodgy domain hosted on a compromised server are largely behind us. What has replaced them is a supply-chain model built on legitimate cloud platforms, rotating domain pools, and increasingly, off-the-shelf attack kits that lower the bar to near zero for any would-be attacker.
The infrastructure model has changed
The Criminal IP data identified that a significant share of phishing pages — in the thousands across their sample — were hosted on platforms including Vercel, GitHub Pages, Blogger, Wix Studio, and Framer. These are not obscure services. They are mainstream development and publishing platforms used daily by legitimate businesses. They come with HTTPS by default, serve content over global CDNs, and carry inherent trust signals that make basic URL-based detection unreliable.
This is worth sitting with for a moment. A phishing page hosted on pages.dev or github.io has a valid TLS certificate, loads fast, and arrives from an IP range that belongs to a reputable provider. Reputation-based email and web filters that lean on domain age, hosting ASN, or certificate status are flying blind against this approach.
The domain generation picture tells the same story. The dataset found .com still dominant, but TLDs like .bond, .app, .dev, and .click appearing in high volume — cost-effective, fast to register, and easy to cycle. Attackers are not building brands. They are spinning up disposable infrastructure at scale, using each domain for a short campaign window before rotating to the next.
Geographically, US-hosted infrastructure accounted for the bulk of observed phishing URLs — but that reflects where the cloud is, not where the attackers are. When most of the world's CDN, SaaS hosting, and static deployment platforms are US-based, that is simply where the attack surface lives. The relevant takeaway is not attribution; it is that the infrastructure blends seamlessly into legitimate traffic patterns.
Phishing-as-a-Service: what the kits actually do
The Criminal IP findings describe the infrastructure layer. The delivery and credential-theft layer is where things have moved even further. Across 2024 and into 2025, research from Barracuda, Sekoia, and Okta's threat intelligence team documented explosive growth in Phishing-as-a-Service (PhaaS) kits — subscription-based criminal platforms that provide everything an attacker needs to run an advanced campaign without writing a line of code.
Platforms like Tycoon 2FA, EvilProxy, Sneaky 2FA, and Mamba 2FA operate on an adversary-in-the-middle (AiTM) architecture. Rather than capturing credentials on a fake login page and replaying them later, they proxy the victim's authentication session in real time. The victim enters their password and their MFA code; the kit forwards both to the legitimate service and captures the resulting session cookie. The attacker ends up with a live authenticated session — bypassing MFA entirely, because the MFA event already happened.
This is not a niche technique. Barracuda observed over a million PhaaS-powered attacks in just the first two months of 2025. Tycoon 2FA alone accounted for close to 90% of those incidents in January 2025. The kits are polished products with anti-bot detection, geofencing, bot and crawler filtering, and ready-made templates for Microsoft 365, Google Workspace, and a range of enterprise SaaS platforms. A subscriber gets a point-and-click campaign interface. The technical complexity has been fully abstracted away.
For defenders, this matters because the mental model of phishing as "someone clicks a bad link and types their password into a fake page" is now incomplete. The attacker does not need to store the password. They need the session. And they get it before the victim has finished the login flow.
What the Australian picture looks like
ASD's ACSC Annual Cyber Threat Report 2024–25 recorded over 84,700 cybercrime reports in the financial year — roughly one every six minutes. The ACSC also noted the growing role of information-stealer malware distributed via phishing campaigns, used to harvest credentials and session material for follow-on access. Businesses reported an average cybercrime loss of $80,850, with large organisations experiencing a 219% increase in losses year-on-year.
The ACSC report specifically flags the role of AI in scaling phishing activity — better lure quality, more convincing impersonation, more targeted delivery. That acceleration maps directly onto what the Criminal IP and PhaaS research documents at the infrastructure level: commoditised attack capability married to AI-assisted content generation. The two trends compound each other.
Australia is not specifically called out in the Criminal IP geographic data, but the attack model does not require a local presence. The infrastructure is global, the PhaaS kits are subscription-based and jurisdiction-agnostic, and Australian organisations running Microsoft 365 and Google Workspace — the primary targets of the major AiTM kits — are fully within scope.
What organisations actually need to implement
The standard list of phishing mitigations is well-known. The problem is that most organisations have implemented some of it, not all of it, and the gaps are exactly where current attack techniques concentrate.
Email authentication — SPF, DKIM, and DMARC
- SPF (Sender Policy Framework) publishes a DNS record specifying which mail servers are authorised to send email for your domain. It does not stop spoofing on its own, but it is the foundation everything else builds on.
- DKIM (DomainKeys Identified Mail) cryptographically signs outbound messages. A recipient mail server can verify that the message was not tampered with in transit and originated from an authorised source.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving servers what to do with mail that fails both checks — quarantine it or reject it outright. A policy of p=none (monitor only) provides no protection. The goal is p=reject.
All three need to be in place and correctly configured. DMARC at reject is the only posture that prevents spoofed email from reaching inboxes at scale. ASD's Essential Eight does not mandate a specific email authentication stack, but the Maturity Model's expectations around patch management, application control, and MFA all assume a baseline of perimeter hygiene that DMARC enforcement is part of in practice.
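An added example (not from the article or from Criminal IP) that checks the DMARC and SPF posture described above against the gaps that matter: p=none, a weaker subdomain policy, partial pct, and a non-hard-fail SPF terminator. The two DNS records are constructed strings so it runs offline; replace them with real TXT lookups to assess a live domain.

```python
from typing import Dict, List

# Constructed sample records showing the two postures the article contrasts.
SAMPLE_RECORDS = {
    "weak.example":   {"dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
                       "spf":   "v=spf1 include:_spf.google.com ~all"},
    "strong.example": {"dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
                       "spf":   "v=spf1 include:_spf.google.com -all"},
}

def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' DMARC tags into a dict, tolerant of stray whitespace."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(dmarc: str, spf: str) -> List[str]:
    """Return findings for the domain; an empty list means enforcing posture."""
    findings = []
    tags = parse_tags(dmarc)
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or not policy:
        findings.append("DMARC: record missing or malformed")
    elif policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; the goal is p=reject")
    if policy == "reject" and tags.get("sp", "reject").lower() != "reject":
        findings.append("DMARC: subdomain policy sp=%s is weaker than p=reject" % tags["sp"])
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct=%s applies the policy to only part of the mail" % tags["pct"])
    terms = spf.lower().split()
    if not terms or terms[0] != "v=spf1":
        findings.append("SPF: record missing or malformed")
    elif terms[-1] in ("+all", "all"):
        findings.append("SPF: '+all' authorises any sender")
    elif terms[-1] != "-all":
        findings.append("SPF: terminal '%s' is not a hard fail; prefer '-all'" % terms[-1])
    return findings

if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain, assess(recs["dmarc"], recs["spf"]) or ["enforcing"])
```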
MFA — and the right kind of MFA
Standard TOTP codes (the six-digit rotating codes from an authenticator app) and SMS OTPs are now reliably bypassed by AiTM kits. The attacker's proxy forwards the victim's code to the real service in real time. Push notification MFA (approve/deny prompts) is slightly better but susceptible to fatigue attacks.
The only class of MFA that defeats AiTM phishing is phishing-resistant MFA: FIDO2 security keys or passkeys that bind authentication to the specific origin (domain) of the legitimate site. When a victim is on a phishing proxy, the authentication will fail because the origin does not match — the key cannot be used to sign in to the attacker's lookalike site. This is what the Essential Eight Maturity Level 3 requirement for phishing-resistant MFA refers to.
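An added example (not from the article) of the relying-party checks that make a FIDO2/WebAuthn assertion fail on an AiTM proxy: the browser writes the page's real origin into clientDataJSON and hashes the rpId it used into authenticatorData, and the authenticator signs over both, so a proxy on a lookalike domain cannot produce a valid assertion for the real site. The relying-party id, origins, challenge and assertions are constructed; signature verification itself is omitted.

```python
import base64
import hashlib
import json
from typing import Tuple

RP_ID = "login.example"                      # assumed relying-party id
ALLOWED_ORIGINS = {"https://login.example"}  # the only origin the RP accepts

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What a browser on `origin` produces for navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str) -> bytes:
    """authenticatorData prefix: SHA-256 of the rpId, then flags (UP|UV), counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"

def verify_assertion(client_data: bytes, auth_data: bytes,
                     expected_challenge: bytes) -> Tuple[bool, str]:
    """RP-side checks that run before (and gate) signature verification.
    The signature covers auth_data || SHA-256(client_data), so none of these
    fields can be rewritten by a proxy without invalidating it."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %s is not the relying party" % cd.get("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match %s" % RP_ID
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

CHALLENGE = b"constructed-32-byte-challenge!!!"   # constructed; use os.urandom in practice

# Legitimate login: the browser is on the real site.
LEGIT = verify_assertion(make_client_data("https://login.example", CHALLENGE),
                         make_auth_data(RP_ID), CHALLENGE)

# AiTM proxy: the victim's browser is on the lookalike, so the origin it writes and
# the rpId it hashes belong to the proxy, and the assertion is rejected.
PROXIED = verify_assertion(make_client_data("https://login-example.app", CHALLENGE),
                           make_auth_data("login-example.app"), CHALLENGE)
```

In practice the browser refuses to release the credential for a non-matching rpId before any of this runs; the relying-party checks are the backstop that holds even if a client is compromised.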
Session and token controls
Because modern phishing ends in session theft rather than password theft, organisations need controls that address the session layer:
- Conditional Access policies that bind sessions to compliant, managed devices (available in Microsoft Entra ID and Google BeyondCorp) make a stolen token substantially less useful — it will not authenticate from an unmanaged attacker device.
- Short session lifetimes and continuous access evaluation (CAE) allow sessions to be revoked near-instantaneously when risk signals change, rather than waiting for a token to expire.
- Sign-in risk policies that flag anomalous locations, impossible travel, or token replay attempts can trigger step-up authentication or session termination before the attacker establishes persistence.
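An added example (not from the article) of minimal detection logic for the session-layer signals in the list above, run over constructed sign-in events: a session token presented from a second country minutes after first use is the replay pattern an AiTM kit produces, and an unmanaged device presenting the token is what a device-bound Conditional Access policy would block. Event field names and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events: alice signs in from a managed device, then her session
# cookie is presented from another country on an unmanaged device four minutes later.
EVENTS = [
    {"ts": "2025-01-15T09:00:00", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "country": "AU", "managed": True},
    {"ts": "2025-01-15T09:04:00", "user": "alice", "session": "S1",
     "ip": "198.51.100.7", "country": "NL", "managed": False},
    {"ts": "2025-01-15T09:10:00", "user": "bob", "session": "S2",
     "ip": "203.0.113.11", "country": "AU", "managed": True},
]

REPLAY_WINDOW = timedelta(minutes=30)   # assumed threshold for "impossible travel"

def detect(events: List[Dict]) -> List[str]:
    """Return alerts for unmanaged-device token use and cross-country session replay."""
    alerts = []
    last_seen: Dict[str, Dict] = {}     # session id -> previous event for that session
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if not ev["managed"]:
            # What a device-bound Conditional Access policy would block outright.
            alerts.append("%s: session %s presented from unmanaged device %s"
                          % (ev["user"], ev["session"], ev["ip"]))
        prev = last_seen.get(ev["session"])
        if prev is not None:
            gap = ts - datetime.fromisoformat(prev["ts"])
            if ev["country"] != prev["country"] and gap <= REPLAY_WINDOW:
                # Same token, second country, minutes apart: the AiTM replay pattern.
                alerts.append("%s: session %s replayed %s (%s) -> %s (%s) after %d min"
                              % (ev["user"], ev["session"], prev["ip"], prev["country"],
                                 ev["ip"], ev["country"], gap.total_seconds() // 60))
        last_seen[ev["session"]] = ev
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```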
URL and attachment handling
Given the volume of phishing now delivered through legitimate platforms — GitHub Pages, Vercel, Google Docs redirect chains — URL filtering based on domain reputation is increasingly ineffective. Useful controls include:
- Safe Links or equivalent URL rewriting that detonates links at click-time in a sandbox, rather than at delivery time when the page may not yet be malicious.
- Blocking or sandboxing HTML attachments, SVG files, and QR code images, all of which have been used to deliver AiTM phishing pages while evading inline email scanning.
- Disabling auto-rendering of external content in email clients.
Organisational controls
- Security awareness training that reflects current techniques — including the fact that a page can have a valid HTTPS certificate, load from a trusted CDN, and still be a phishing site. Verizon's 2025 DBIR measured the median time-to-click on a phishing email at 21 seconds. Training does not stop fast clicks; it raises the reporting rate and reduces the dwell time after a successful compromise.
- A documented incident response process for suspected account compromise, including immediate session revocation across all active tokens, not just password reset.
- Reporting to ASD's ACSC via ReportCyber or the Australian Cyber Security Hotline (1300 CYBER1) when a phishing campaign is identified targeting your organisation or sector.
Closing the gap in practice
The gap most Australian organisations have is not awareness — it is implementation depth. SPF exists but DMARC is at p=none. MFA is deployed but it is TOTP or push, not FIDO2. Conditional Access is licensed but the policies do not enforce device compliance. Each of those gaps is precisely what the current generation of PhaaS kits is designed to exploit.
If your organisation wants a clear-eyed view of where you actually sit against these controls — not a questionnaire, but a technical assessment — that is work Artificer Cyber does regularly. Reach out to start the conversation.
Threat actors don't pause while you find a firm.
Artificer Cyber maintains active readiness across DFIR, legal privilege, and threat intelligence. When something happens, we're already briefed — and we can be engaged within the hour.