Phishing attack types: from bulk email to MFA-bypass kits
Phishing has evolved from typo-ridden emails to AI-cloned voices and Adversary-in-the-Middle proxies — defenders must keep up with each variant.
Phishing remains the dominant initial access vector, present in over 30 percent of breaches per the Verizon DBIR. Modern phishing splits into several distinct techniques. Mass-email phishing still works at scale through compromised SMTP relays. Spear phishing targets named individuals using LinkedIn-sourced context. Whaling targets executives. Smishing uses SMS. Vishing uses voice — increasingly with cloned voices generated from publicly available recordings.
The most dangerous variant in 2026 is Adversary-in-the-Middle (AiTM) phishing using kits like Evilginx, EvilProxy, and Tycoon 2FA. The user lands on a real-looking login page that is in fact a reverse proxy in front of the legitimate Microsoft 365 or Google Workspace login. Credentials and the session cookie are captured after the user passes MFA, defeating SMS, push, and TOTP factors. Once attackers possess the cookie they bypass MFA entirely. Numerous Azerbaijani financial institutions have observed AiTM kits targeting their employees.
Mitigation begins with phishing-resistant MFA — FIDO2 security keys (YubiKey, Titan), platform passkeys, or Windows Hello for Business. The cryptographic challenge is bound to the legitimate domain, so a proxy on a look-alike URL cannot relay it. Enforce conditional access that requires both a compliant device and a phishing-resistant factor for any high-value app. For Microsoft 365, set the Authentication Strength policy to require FIDO2 for all global admins immediately, then expand coverage from there.
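As an added illustration (not code from the original article), the toy relying-party check below shows why the AiTM relay described above captures a TOTP code or push approval but fails against FIDO2: the browser, not the user, records the origin it actually loaded, and the relying party rejects any assertion not bound to its own domain. The origins are constructed, and an HMAC key stands in for the authenticator's asymmetric key pair so the example runs on the standard library; the binding logic is the same.

```python
import hashlib
import hmac
import json
import os

LEGIT_ORIGIN = "https://login.example.com"        # constructed relying party
PROXY_ORIGIN = "https://login-example.com.evil"   # constructed AiTM look-alike

# Stand-in for the authenticator's private key. Real FIDO2 signs with a
# per-site asymmetric key and the RP verifies with the stored public key;
# HMAC is used here only so the example runs without third-party libraries.
AUTHENTICATOR_KEY = os.urandom(32)

def rp_id_hash(origin: str) -> bytes:
    # The RP ID is the host of the origin the browser really loaded.
    host = origin.split("://", 1)[1].split("/", 1)[0]
    return hashlib.sha256(host.encode()).digest()

def browser_sign(challenge: bytes, loaded_origin: str) -> dict:
    """What the browser plus authenticator produce. The browser fills in
    `origin` from the page it loaded, so a proxy cannot forge it."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": loaded_origin}, sort_keys=True).encode()
    auth_data = rp_id_hash(loaded_origin) + b"\x05"  # flags: user present + verified
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()}

def rp_verify(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party side: challenge, origin and RP ID must all match."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge.hex():
        return False
    if cd.get("origin") != LEGIT_ORIGIN:            # origin binding: the proxy fails here
        return False
    if assertion["authenticatorData"][:32] != rp_id_hash(LEGIT_ORIGIN):
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def direct_login(challenge: bytes) -> bool:
    return rp_verify(browser_sign(challenge, LEGIT_ORIGIN), challenge)

def aitm_relay(challenge: bytes) -> bool:
    """Proxy forwards the real challenge to the victim and relays the
    assertion back; the victim's browser bound it to the proxy origin."""
    return rp_verify(browser_sign(challenge, PROXY_ORIGIN), challenge)
```

A real browser would refuse the WebAuthn call on the look-alike origin even earlier, because the credential is scoped to the legitimate RP ID; the relying-party check above is the backstop.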
Detection complements prevention. Tune your email gateway — Microsoft Defender for O365, Proofpoint, Mimecast — to quarantine messages from newly registered domains and to rewrite URLs through a sandbox. Monitor for impossible travel and anomalous OAuth consent grants in Azure AD sign-in logs. Run quarterly simulated phishing through GoPhish or KnowBe4 with realistic templates, including AiTM scenarios. Train users to verify any out-of-process payment instruction by callback to a known number, not a number provided in the email.