A growing number of businesses are implementing multi-factor authentication to add an extra layer of security and improve defenses against phishing attacks. While multifactor authentication (MFA) can prevent unauthorized individuals from accessing accounts using compromised credentials, MFA does not provide total protection. Several phishing kits are sold on hacking forums and Telegram that are capable of bypassing MFA, and a new phishing kit has recently been identified that can intercept credentials in real-time and bypass MFA through session hijacking. The phishing kit is being used to steal credentials and access Gmail, Yahoo, AOL, and Microsoft 365 accounts.
The Astaroth phishing kit has been offered on cybercrime forums since at least January 2025. Similar to the Evilginx phishing kit, Astaroth uses a reverse proxy to intercept and manipulate traffic between the victim and the legitimate authentication of the account being targeted. A cybercriminal can use the Astaroth phishing kit in an adversary-in-the-middle attack, capturing not only login credentials but also 2FA tokens and session cookies, thereby bypassing MFA. The credential theft and session hijacking take place in real time, allowing the cybercriminal to instantly access the user’s account.
The user is presented with a phishing link, which is commonly communicated via email. If that link is clicked, the user is directed to a server and is presented with what appears to be a legitimate login page. The page has valid SSL certificates, so no security warnings are generated. The server acts as a reverse proxy, and when the username and password are entered, they are captured and forwarded to the legitimate authentication service in real time.
The cybercriminal is alerted about the credential capture via the admin panel of the phishing kit or via Telegram, and the one-time passcodes, usually generated via SMS, push notifications, or authentication apps, are intercepted as they are entered by the user. When session cookies are generated, they are immediately hijacked and injected into the attacker’s browser, which means the attacker can impersonate the genuine user without needing their username, password, or 2FA token, since the session has already been authenticated. The kit also includes bulletproof hosting and reCAPTCHA bypasses and allows the attacker to access the account immediately before the user suspects anything untoward has happened.
Phishing kits such as Astaroth are able to render multifactor authentication useless, demonstrating why it is so important to have effective anti-spam software, capable of identifying and blocking the initial phishing emails. SpamTitan is frequently rated as the best spam filter for business due to its ease of implementation and use, exceptional detection, and low false positive rate. TitanHQ also offers MSP spam filtering, with the solution developed from the ground up to meet all MSP needs. In recent independent tests by VirusBulletin, SpamTitan outperformed all other tested email security solutions, achieving the highest overall score thanks to a 100% malware catch rate, 100% phishing catch rate, 99.999% spam catch rate, and a 0.000% false positive rate. The exceptional performance is due to extensive threat intelligence feeds, machine learning to identify phishing attempts, and email sandboxing to detect and block malware and zero-day threats.
In addition to an advanced spam filtering service, businesses should ensure they provide regular security awareness training to the workforce and reinforce training with phishing simulations. SafeTitan from TitanHQ is an easy-to-use security awareness training platform that makes it easy to create effective training courses and automate the delivery of training content. The platform also includes a phishing simulator with an extensive library of phishing templates that makes it easy to create and automate phishing simulations, generating relevant training automatically if a user is tricked. That means training is delivered at the point when it is likely to be most effective at correcting behavior.
Give the TitanHQ team a call today for more information about these solutions. TitanHQ’s SpamTitan and SafeTitan products, like all TitanHQ solutions, are also available on a free trial.