CyberPulse Daily | #1 Trusted Source for Cybersecurity News

New AI-Powered Phishing Kit Bypasses Multi-Factor Authentication in Real-Time

Researchers at Proofpoint have uncovered a sophisticated phishing-as-a-service platform called "PhantomNet" that uses artificial intelligence to generate convincing login pages and bypass multi-factor authentication in real time through advanced adversary-in-the-middle (AiTM) techniques.

PhantomNet, which has been available on underground forums since January 2026, can automatically clone any website's login page and intercept both credentials and MFA tokens as victims enter them. The platform uses a large language model to customize phishing emails based on publicly available information about targets.

The service costs $500 per month and includes features such as automatic target profiling using OSINT, real-time session hijacking, and built-in evasion of common email security gateways. Researchers estimate that over 200 threat actors are currently using the platform.

In testing, PhantomNet successfully bypassed MFA implementations from Microsoft, Google, Okta, and Duo Security. The only authentication methods that proved resistant were hardware FIDO2 security keys, which cannot be phished through proxy-based attacks.

Organizations are urged to transition to phishing-resistant authentication methods such as FIDO2/WebAuthn security keys and to implement client certificate-based authentication for high-value accounts. Conditional access policies based on device compliance can also help mitigate these attacks.
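The resistance of FIDO2/WebAuthn to proxy-based phishing comes from the browser binding each assertion to the origin the user is actually on. The following is an added example, not code from the article or from Proofpoint, of the relying-party checks that reject an assertion produced on a look-alike origin; the origin, RP ID, challenge and sample data are constructed assumptions, and signature verification is out of scope.

```python
import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://login.example.com"  # assumed relying-party origin
EXPECTED_RP_ID = "login.example.com"           # assumed RP ID

def b64url(data: bytes) -> str:
    """WebAuthn encodes the challenge as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_binding(client_data_json, authenticator_data, issued_challenge):
    """Return the list of failed binding checks (empty list = all passed).

    The signature over authenticatorData || SHA-256(clientDataJSON) must
    also be verified; it is what makes these fields tamper-proof.
    """
    problems = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        problems.append("type")
    if cd.get("challenge") != b64url(issued_challenge):
        problems.append("challenge")
    # The browser, not the page, fills in the origin the user is really on.
    if cd.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin")
    # authenticatorData: 32-byte rpIdHash, 1 flag byte, 4-byte counter.
    if len(authenticator_data) < 37:
        problems.append("authenticator_data_length")
        return problems
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        problems.append("rp_id_hash")
    if not authenticator_data[32] & 0x01:  # bit 0 = user present
        problems.append("user_present")
    return problems

def build_sample(origin, rp_id, challenge):
    """Constructed sample of what a browser and authenticator would emit."""
    cd = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                     "origin": origin}).encode()
    ad = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")
    return cd, ad

CHALLENGE = b"constructed-challenge-0001"

if __name__ == "__main__":
    legit = build_sample(EXPECTED_ORIGIN, EXPECTED_RP_ID, CHALLENGE)
    proxied = build_sample("https://login.example.com.proxy.invalid",
                           "login.example.com.proxy.invalid", CHALLENGE)
    print("legitimate:", check_assertion_binding(*legit, CHALLENGE))
    print("via proxy: ", check_assertion_binding(*proxied, CHALLENGE))
```

A one-time code or push approval carries no such origin field, so the real site cannot distinguish a relayed value from one entered directly.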
