Examining AitM Phishing Kits and Their Evasion Tactics

The NakedPages AiTM phishing toolkit evades detection through a layered approach: it leverages legitimate SaaS services, Cloudflare Workers and multi-stage redirections. The piece also argues that traditional MFA methods are often insufficient and that behavior-based detection can be more effective than purely technical checks. #NakedPages #AiTM

Keypoints

  • Identity attacks, particularly AiTM phishing, are on the rise.
  • The NakedPages phishing toolkit employs multiple techniques to evade detection, including the use of legitimate SaaS services and redirections.
  • Cloudflare Workers serve as a reputable gateway for phishing attacks, helping attackers appear legitimate.
  • Cloudflare Turnstile is used to differentiate between human users and bots, limiting automated analysis.
  • Attackers require specific URL parameters and custom headers to access malicious content, complicating simple scans.
  • JavaScript execution is necessary to reveal phishing pages, making static analysis less effective.
  • Redirecting to legitimate domains and masking the HTTP referer help hide malicious activity and enable URL rotation with balanced domains.
  • The kit adapts its behavior based on whether a personal or organizational account is used, showing targeted B2B tactics.
  • Detection is more effective when focusing on user behavior (e.g., credential entry) rather than relying solely on technical indicators.
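The last keypoint, turned into code as an added example (not from the Push Security post): a behaviour-first rule that alerts on password entry outside the organization's trusted login origins, regardless of how reputable the hosting looks. The event format, the trusted-host set and the telemetry sample are all constructed for this example.

```python
from urllib.parse import urlsplit

# Origins where password entry is expected. Assumed for this example; an org
# would populate this set from the identity providers it actually uses.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Reputable serverless infrastructure the post describes as the kit's gateway.
GATEWAY_SUFFIXES = (".workers.dev",)


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def password_entry_alerts(events: list[dict]) -> list[dict]:
    """Scan browser telemetry for credential entry outside trusted login origins.

    events are dicts (constructed format) with keys:
      type      "navigate" or "password_entry"
      url       page URL the event happened on
      referrer  document.referrer at that time ("" if masked or absent)
    Hosting provider, redirect history and page content never suppress an alert;
    only a trusted login origin does. That is the behaviour-first rule.
    """
    alerts = []
    chain = []  # navigation chain, recorded so each alert carries context
    for ev in events:
        host = host_of(ev["url"])
        if ev["type"] == "navigate":
            chain.append(host)
        elif ev["type"] == "password_entry" and host not in TRUSTED_LOGIN_HOSTS:
            reasons = ["password entered on non-trusted login origin"]
            if host.endswith(GATEWAY_SUFFIXES):
                reasons.append("page served from serverless gateway")
            if len(chain) > 1 and not ev.get("referrer"):
                reasons.append("referrer masked despite prior navigation")
            alerts.append({"host": host, "chain": list(chain), "reasons": reasons})
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry, not a real capture (workers.dev host is the post's IoC)
    {"type": "navigate", "url": "https://docs.example-saas.test/share/abc", "referrer": ""},
    {"type": "navigate", "url": "https://226028cc.502f135e3e036e726fba22d4.workers.dev/?id=x",
     "referrer": "https://docs.example-saas.test/share/abc"},
    {"type": "password_entry", "url": "https://226028cc.502f135e3e036e726fba22d4.workers.dev/?id=x",
     "referrer": ""},
    {"type": "navigate", "url": "https://login.microsoftonline.com/common/oauth2", "referrer": ""},
    {"type": "password_entry", "url": "https://login.microsoftonline.com/common/oauth2", "referrer": ""},
]

if __name__ == "__main__":
    for alert in password_entry_alerts(SAMPLE_EVENTS):
        print(alert["host"], "->", "; ".join(alert["reasons"]))
```

The legitimate Microsoft login in the sample produces no alert, while the same password entry on the worker-hosted page is flagged with the navigation chain attached.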

MITRE Techniques

  • [T1566] Phishing – ‘Tricking users into entering credentials on a fraudulent site.’
  • [T1003] Credential Dumping – ‘Using phishing techniques to capture user credentials.’
  • [T1210] Exploitation of Remote Services – ‘Exploiting legitimate services to host phishing content.’

Indicators of Compromise

  • [Domain] context – 226028cc.502f135e3e036e726fba22d4.workers.dev, acevoorgukmembership.buzz, and 2 more hashes

Read more: https://pushsecurity.com/blog/how-aitm-phishing-kits-evade-detection/