Email phishing has come a long way from the poorly written scam messages we used to ignore. A few years ago, spotting a phishing email was simple. Misspelled words, strange sender names, and generic greetings were dead giveaways. Most spam filters caught them before they reached your inbox.

That is no longer the case. Attackers now use AI to craft emails that mimic real business communication with near-perfect accuracy. They impersonate vendors, HR departments, and executives to trick employees into clicking malicious links.

But what makes today’s email phishing truly alarming is not just the quality of the lure. Modern phishing kits can now bypass multi-factor authentication (MFA) in real time, stealing session cookies and granting attackers full access to accounts that organizations believed were protected.


How modern phishing kits are defeating traditional MFA

Traditional phishing was straightforward. An attacker created a fake login page, collected credentials, and used them to access the account. MFA was introduced to stop exactly this. Even if the password was stolen, the attacker could not get past the second authentication factor like an SMS code or push notification.

Modern phishing kits have rewritten the rules. Tools like Tycoon 2FA, EvilProxy, and Evilginx work as real-time reverse proxies. When a user clicks a phishing link and lands on the fake page, the kit sits between the user and the legitimate login portal. It forwards everything, including the MFA prompt, to the real service instantly.

The user sees a normal login experience. They enter their password, approve the MFA prompt, and believe they have signed in. But the phishing kit has already captured the authenticated session cookie. The attacker now has full access without needing the password or MFA token again.

This technique is called adversary-in-the-middle (AiTM) phishing. AiTM attacks rose 146% in 2024 according to Microsoft. These attacks are now widely available through Phishing-as-a-Service (PhaaS) platforms, making them accessible to even low-skilled threat actors.

This is why security teams are moving toward phishing-resistant MFA as a critical upgrade. Unlike traditional MFA that relies on codes or push approvals, phishing-resistant MFA uses cryptographic verification tied to the legitimate domain. Even if a user lands on a proxy-controlled page, the authentication simply will not complete because the cryptographic handshake cannot be replicated by an unauthorized origin.

Solutions built around FIDO2, passkeys, and passwordless authentication platforms are leading this shift. This is especially relevant for organizations with large frontline and deskless workforces. These workers often rotate across shared devices and kiosks, rarely have corporate email addresses, and lack dedicated phones for authenticator apps. Passwordless platforms that use biometrics, NFC badges, or facial recognition give these workers secure access without the friction of traditional MFA.


Why SMS codes and push notifications fall short

SMS codes, OTPs, and push notifications were designed for a different generation of threats. They block basic credential stuffing and brute force attacks effectively. Against AiTM phishing, however, they offer little more than a false sense of security.

The problem is fundamental. SMS codes and OTPs are entered on whatever page the user sees. If that page is a phishing proxy, the code goes straight to the attacker, who relays it to the real service within milliseconds. Push notifications face the same issue. The legitimate service sends the prompt because the attacker is actively authenticating on the user’s behalf.

These methods confirm who the user is, but they do not confirm where the user is logging in. This is the gap AiTM attacks exploit. Verizon’s 2025 Data Breach Investigations Report found that roughly 60% of breaches involved a human element, with phishing as one of the most common initial vectors.

The risk multiplies in industries like manufacturing, healthcare, and retail where shift-based workers share workstations. A single compromised credential on a shared device can expose dozens of user accounts and sensitive operational data. Traditional MFA methods are already hard to implement in these environments. They become outright ineffective when AiTM kits can bypass them entirely.


What actually makes MFA phishing-resistant

Phishing-resistant MFA operates differently. Instead of transmitting a code, it relies on cryptographic verification bound to the specific website the user is visiting.

Technologies like FIDO2 and WebAuthn generate a unique key pair during registration. The private key stays on the user’s device. During login, the device signs a challenge that includes the origin domain. If the user is on a phishing proxy with a different domain, the handshake fails. There is nothing to intercept or replay.

This origin-binding is what sets phishing-resistant MFA apart. The authentication is locked to the legitimate domain at a cryptographic level. Passkeys, hardware security keys, and certificate-based authentication all work this way, removing the shared secrets and interceptable codes that attackers have learned to exploit.
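To make the origin-binding concrete, here is an added example (not code from the article) of the checks a WebAuthn relying party runs on an assertion's clientDataJSON and authenticatorData before it verifies the signature; the RP ID, origins and challenge are constructed placeholders, and the signature verification step itself is not shown.

```python
import base64
import hashlib
import json
# Relying-party configuration: constructed placeholders, not from the article.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
CHALLENGE = b"constructed-challenge-0123456789abcdef"  # a fresh random nonce per login in practice

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes) -> tuple[bool, str]:
    """Checks a relying party runs before verifying the assertion signature, which covers
    authenticatorData || SHA-256(clientDataJSON) so a proxy cannot edit these fields."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch: replayed or from another session"
    # The browser records the origin of the page that called navigator.credentials.get();
    # on an AiTM proxy that is the proxy's own domain, however faithful the relayed page.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    # First 32 bytes of authenticatorData are SHA-256(rpId); a browser only accepts an RP ID
    # that is the page's own effective domain or a registrable suffix of it.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # UP flag: user presence
        return False, "user presence not verified"
    return True, "binding checks passed"

def make_client_data(origin: str, challenge: bytes) -> bytes:
    # Constructed clientDataJSON, serialised as a browser would produce it.
    encoded = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": encoded, "origin": origin}).encode()

def make_auth_data(rp_id: str) -> bytes:
    # Constructed authenticatorData: rpIdHash || flags (UP set) || 4-byte signature counter.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (0).to_bytes(4, "big")

def legitimate_login() -> tuple[bool, str]:
    return check_assertion_binding(make_client_data(EXPECTED_ORIGIN, CHALLENGE),
                                   make_auth_data(RP_ID), CHALLENGE)

def proxied_login() -> tuple[bool, str]:
    # Best case for an AiTM kit: challenge and RP ID relayed unchanged, yet the victim's
    # browser still stamps the proxy's origin (placeholder domain) into clientDataJSON.
    return check_assertion_binding(make_client_data("https://login.phish.example", CHALLENGE),
                                   make_auth_data(RP_ID), CHALLENGE)
```

In practice the browser would already refuse to call the authenticator with an RP ID that does not match the proxy's domain; the check above shows that even a fully relayed assertion is rejected at the server.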


Email filters alone cannot close this gap

Spam filters, DMARC enforcement, and phishing protection gateways remain absolutely critical. SPF, DKIM, and DMARC policies prevent domain spoofing and stop most fraudulent emails before users see them.

But no filter catches everything. According to the Egress Phishing Threat Trends Report, 94% of organizations fell victim to phishing attacks in 2024, and there was a 52.2% increase in attacks that bypassed secure email gateway (SEG) detection in the first quarter alone. One well-crafted email with a fresh link is all it takes to start an AiTM attack.

This is not an argument against email security. It is an argument for layering it with authentication that holds up when a phishing email slips through. Both CISA and NIST recommend phishing-resistant MFA as a baseline measure, not an optional add-on.


Practical steps to strengthen your defenses

Prioritize high-risk accounts. Admin, finance, and sensitive system access should move to FIDO2 keys or passkeys first. These accounts are targeted most and cause the greatest damage when compromised.

Audit your current MFA methods. Identify where you still rely on SMS or push-only authentication. Map these against critical applications and build a transition timeline.

Move DMARC to a reject policy. Pair it with properly configured SPF and DKIM. Fewer phishing emails reaching inboxes means fewer chances for AiTM attacks to begin.

Enforce conditional access. Device compliance checks, location restrictions, and shorter session lifetimes make stolen cookies harder to exploit.

Phase out SMS and OTP fallbacks. As long as weaker methods exist as backups, attackers will target them. Set a firm deadline to eliminate these on critical systems.
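An added example (not from the article) that audits DMARC and SPF TXT records against the reject posture the DMARC step above calls for; it also checks the sp= and pct= DMARC tags, which the article does not mention, because either can leave a p=reject domain partly exposed. Record contents and domain names are constructed placeholders.

```python
# Added example: audit DMARC and SPF records for settings that weaken the posture the
# steps above describe. All records and domain names are constructed placeholders.
def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict (tag names are case-insensitive)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record: str) -> list[str]:
    """Return findings that keep a domain short of 'reject for all failing mail'."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: first tag must be v=DMARC1"]
    findings = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"p={policy}: failing mail is delivered or only quarantined")
    sub_policy = tags.get("sp", policy)          # sp= defaults to the p= value
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains can still be spoofed")
    pct = int(tags.get("pct", "100"))            # pct= defaults to 100
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports to spot abuse or gaps")
    return findings

def audit_spf(record: str) -> list[str]:
    """Flag an SPF record whose catch-all lets unlisted senders through."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    catch_all = next((t for t in terms[1:] if t.lower().endswith("all")), None)
    if catch_all is None:
        return ["no 'all' mechanism: result is neutral for unlisted senders"]
    if catch_all[0] in "+?" or catch_all.lower() == "all":
        return [f"'{catch_all}': unlisted senders pass or are neutral"]
    return []                                    # ~all or -all is acceptable under DMARC

# Weak configuration beside the corrected one (constructed).
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
WEAK_SPF = "v=spf1 include:_spf.mail.example +all"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
HARDENED_SPF = "v=spf1 include:_spf.mail.example -all"
```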


The bottom line

Email phishing has evolved past what traditional defenses were built to handle. Attackers are hijacking authenticated sessions in real time, turning standard MFA from a security barrier into a minor inconvenience they can easily work around.

The organizations that recognize this shift will be in a far stronger position. That means pairing robust email authentication with phishing-resistant MFA to close the gaps that modern phishing campaigns are built to exploit. The tools exist, the standards are mature, and the guidance is clear.
