Threat Intelligence

The Phishing Landscape Is Not What You Think

The Phishing Landscape Is Not What You Think

We track active phishing campaigns in the Thrive Adversary Operations Group (AOG) all day, every day. And here is what we keep seeing. Defenders still think phishing means fake login pages asking for passwords. That is no longer the threat. 

The last 30 days produced more token theft infrastructure, more PhaaS platforms, and more innovative delivery mechanisms than any single month I can remember. And almost none of it relies on stealing a password. 

Device Code Phishing Became a Commodity 

In March 2026, device code phishing was a niche technique associated with Russian espionage campaigns. Six months later, Push Security tracks 18 distinct kits in the wild and a 37x spike in detections. 

The latest entry is ARToken, a PhaaS panel that Cisco Talos documented on July 1. It exposes 80 API endpoints for device code phishing, primary refresh token (PRT) persistence, inbox rule manipulation, and SharePoint exfiltration, all through a React dashboard. The phishing page runs a seven-layer anti-analysis system that screens for headless browsers and automation tools before it even shows the victim a device code. 

ARToken is an affiliate of EvilTokens, the platform Sekoia and Microsoft tracked earlier this year. EvilTokens affiliates launch 10 to 15 distinct campaigns every 24 hours. Each targets hundreds of organizations. The lures are AI-generated and personalized to the victim. 

The device code flow is a legitimate Microsoft protocol. The victim enters a code at microsoft.com/devicelogin. They never see a fake page. They never enter a password. They approve the login on the attacker’s behalf and walk away thinking nothing happened. 

The attacker walks away with a refresh token that survives password resets. 

Kali365 is doing the same thing for $250 per month. The FBI issued a PSA on May 21. The campaign uses EFT payment lures addressed to named accounts-payable staff at specific companies. A second variant uses “urgent proposal review” subjects. Same technical chain, same token capture, different lure. 

This is not a tool problem anymore. This is a protocol problem. 

The Event Honeypot: FIFA World Cup 2026 

Every major event generates phishing. The FIFA World Cup 2026 generated an unprecedented wave. 

KnowBe4 tracked a 22-fold increase in World Cup-themed phishing from April to the tournament kick-off on June 11. By June 4, one in every 185 phishing emails carried World Cup branding. Attackers timed campaign bursts to match specific fixtures. Volume dropped to near-zero on rest days and surged on match days. 

The lures are diverse. Fake FIFA recruitment emails. Ticket-transfer frauds. Prize-based reply-back fraud. And the most effective one: a fake T-shirt giveaway documented by Cofense Intelligence. 

The emails look real because they are researched. Attackers pull the victim’s name, company name, and company logo from public sources and embed them in images of branded merchandise. The emails bypassed Cisco IronPort, Microsoft ATP, and Abnormal Security simultaneously. 

The payload is Voidrift, a malware family engineered to resist the tools security teams use for analysis. Once it lands, it hides and waits. 

The lesson here is not “block more World Cup emails.” The lesson is that attackers outpace the signal-to-noise ratio of every supply chain. They use real company logos and real employee names. Blocklisting the domains they used last week does not catch the ones they set up today. 

ClickFix and ConsentFix: Make the User Do the Work 

Two variants of the same principle are spreading through M365 tenants right now. 

ClickFix shows the victim a fake error page: a browser update prompt, an audio fix for Google Meet, or a Cloudflare verification screen. It tells them to press a sequence of keyboard shortcuts. The shortcuts paste a PowerShell command that the victim runs themselves. There is no exploit. There is no vulnerability. There is a convincing lie and muscle memory. 

Malwarebytes documented ClickFix campaigns delivering HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer. All through the same infrastructure. The lures change. The payloads change. The mechanism stays the same. 

ConsentFix shifts the attack to OAuth consent flows. The victim clicks a link, sees a standard Microsoft authentication screen, and is asked to drag a localhost callback link into the browser. That drag-and-drop hands over OAuth tokens. The attacker gets session access to email and M365 services without a password and without touching MFA. 

A detailed walkthrough of ConsentFix was posted to a Russian cybercrime forum in March 2026. It included working code, infrastructure screenshots, and a video tutorial. 

The Brute Force That Keeps Working 

Not every campaign needs custom tooling. Sometimes it is just volume. 

Huntress documented an ongoing password spray campaign originating from an IPv6 range controlled by LSHIY LLC (AS32167). Between June 12 and June 26, the threat actor made 81 million login attempts against Huntress customer accounts. They compromised 78 accounts across 64 organizations. 

On June 22, 30 accounts were compromised in a single day. 

Many of those organizations had conditional access policies. The policies were not configured to cover the authentication method the attackers used. A password spray against the Azure CLI does not trigger the same signals as a browser-based login, and organizations that only monitor browser traffic missed the entire campaign. 

Huntress observed the volume of credential spray attacks increase by 155 times across their customer base in six months. 

What This Adds Up To 

In June 2026, we saw token theft commoditized through PhaaS panels, AI-driven BEC automation, event-driven phishing at unprecedented scale, social engineering that makes the victim execute the payload, and brute force at a volume that overwhelms threshold-based detection. 

The common thread: the attack surface has moved from the password to the session. 

MFA does not stop session theft. Strong passwords do not stop session theft. Awareness training that tells users to “check the URL” does not stop ConsentFix, because the URL is legitimate. 

What Actually Helps 

Block device code logins for all standard users. Microsoft allows tenant admins to disable the device code flow for specific user groups. Do it. Only enable it for users who have a genuine need. 

  • Deploy Device Bound Session Credentials (DBSC) where available. Google is rolling this out. It binds session cookies to the device hardware, so a stolen cookie cannot be replayed from another machine. 
  • Monitor for device code authentication in your logs. Every organization should have a detection rule that alerts on any device code login by a non-privileged user. These events should be rare in most environments. 
  • Move privileged accounts to FIDO2. Not SMS MFA. Not push notifications. FIDO2 resists phishing because the credential is bound to the origin. It cannot be replayed even if the user is tricked into approving a device code prompt. 
  • Invest in endpoint detection that monitors for unexpected child processes from browser or Office applications. When a user unknowingly pastes a PowerShell command from a fake error page, that is a process tree you can detect. 

The attackers are not breaking new cryptographic ground. They are exploiting design choices in protocols that prioritize convenience over security, and they are packaging those exploits into products anyone can buy. 

The question is not whether your users will be targeted. It is whether your detection surface covers the attack methods that do not involve a password. 

Sources