The 1Phish phishing kit evolved from a simple credential harvester in September 2025 into a multi-stage, MFA-aware, REST-API-driven phishing application by February 2026 that captures emails, secret keys, passwords, OTPs, and recovery codes while employing browser fingerprinting, bot scoring, and JavaScript obfuscation. #1Phish #1Password
Key points
- 1Phish progressed across four distinct versions (V1 through V4) from lightweight HTML credential pages to a structured, API-backed phishing kit with session management and internationalization.
- By V3 the kit added MFA/OTP capture and extensive browser/device fingerprinting to gate victims and enable real-time authentication attempts; V4 introduced REST APIs, recovery-code capture (1PRK format), enterprise/team targeting, and JavaScript obfuscation.
- The kit implements anti-analysis controls and bot detection (including HideClick integration and automation-property enumeration) to serve benign content to investigators and deliver phishing content to validated victims.
- Technical linkage across versions (identical frontend build artifacts, hashed SVG filenames, Knox UI class tokens, and shared staged endpoints such as /step1, /login and /submit-2fa) indicates a common kit lineage rather than isolated pages.
- Multiple typosquatted domains were used (11 observed), most fronted by Cloudflare and registered over a narrow window, demonstrating repeatable deployment and active maintenance.
- No direct evidence of reverse-proxy session-hijacking infrastructure was observed, but explicit collection of OTPs and recovery codes is consistent with intent for real-time authentication abuse or session replay.
- 1Password and monitoring vendors are tracking the campaign and takedown efforts are ongoing; organizations are advised to monitor for anomalous logins (especially those arriving via Cloudflare) and to follow 1Password guidance to avoid entering credentials on lookalike domains.
MITRE Techniques
- [T1566] Phishing: used email lures and typosquatted domains to direct victims to fake 1Password pages ("breach-themed email lures claiming that the recipient's account had been compromised" / "directing victims to typosquatted domains impersonating legitimate 1Password login pages").
- [T1056] Input Capture: captured credentials and authentication codes via staged web forms and API endpoints ("collection of email, secret key, password" and "Submissions trigger a POST to /submit-2fa, including: Email 6-digit OTP code").
- [T1027] Obfuscated Files or Information: employed JavaScript obfuscation and encoded detection scripts to hinder analysis ("there were three obfuscated JavaScript files" and "There is an obfuscated detection script at the bottom of the page. The decoded base64 string contains a list of properties usually associated with automation tools").
- [T1555] Credentials from Password Stores: targeted high-value recovery codes and account-specific secrets (1Password recovery codes) to regain account access ("The recovery form accepts codes prefixed with 1PRK, which is the format of 1Password's account recovery codes").
- [T1497] Virtualization/Sandbox Evasion and Anti-Analysis: implemented browser fingerprinting, bot scoring, HideClick cloaking, and automation property checks to evade automated analysis ("anti-automation and browser fingerprinting logic" and "HideClick ... serve a harmless 'white page' to investigators while delivering the actual content to verified victims").
Indicators of Compromise
- [Domain] Typosquatted 1Password lookalikes: login-1password[.]com, signin-1psswoord[.]com, lon-pass-word[.]com, onepass-word[.]com, 1passwod[.]net, on-pssword[.]com and others (11 domains observed in total).
- [API / Endpoint] Phishing backend paths and REST API endpoints used for staged capture: /step1, /login, /submit-2fa, and API endpoints such as POST /api/session/{id}/otp, POST /api/fingerprint, POST /api/validate-access.
- [Cookie] Validation and cloaking cookies: hideclick:ignore (HideClick evidence) and validated_user_1pass (set after validation), used to gate content or mark validated sessions.
- [JavaScript files] Client artifacts indicating kit version/behavior: app.js, sessions-client.js, i18n.js (obfuscated in V4; drive fingerprinting, session management, and i18n support).
- [Recovery-code format] High-value credential pattern: 1PRK-prefixed recovery codes accepted by the recovery form (1Password recovery-code format).
- [Build artifacts / UI tokens] Shared frontend identifiers linking samples: hashed SVG asset filenames and Knox design system class tokens (examples: knox-reset, reset_base__1e6d9s10), indicating common scraped source artifacts.
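As an added example (not code from the Datadog report or from 1Password), a defender-side check that flags hosts in outbound proxy logs resembling the typosquatted domains listed above: it strips hyphens from the registrable label and measures edit distance to the brand tokens "1password" and "onepassword". The log format, the host= field and the sample lines are constructed; only the hostnames come from the report.

```python
import re
# Brand tokens the lookalikes imitate; "onepassword" covers spelled-out variants such as
# onepass-word[.]com (assumption: these two tokens cover the report's domain set).
BRAND_TOKENS = ("1password", "onepassword")
LEGIT_DOMAIN = "1password.com"  # the real domain and its subdomains are never flagged
HOST_RE = re.compile(r"\bhost=(\S+)")  # constructed proxy-log field; adapt to your logs

def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_distance(label):
    """Smallest edit distance from any brand-length window of label to a brand token."""
    best = len(label) + max(map(len, BRAND_TOKENS))  # upper bound, beaten by any real window
    for target in BRAND_TOKENS:
        n = len(target)
        windows = [label[i:i + n] for i in range(len(label) - n + 1)] or [label]
        best = min([best] + [edit_distance(w, target) for w in windows])
    return best

def registrable_label(host):
    """Second-level label with hyphens removed (lon-pass-word.com -> lonpassword).
    Simplification: assumes a one-label public suffix such as .com or .net."""
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2] if len(parts) >= 2 else parts[0]).replace("-", "")

def flag_lookalikes(lines, threshold=2):
    """Hosts in the log lines whose registrable label is within threshold edits of the brand."""
    hits = []
    for raw in HOST_RE.findall("\n".join(lines)):
        host = raw.replace("[.]", ".").split(":")[0]  # refang IoC notation, drop the port
        if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
            continue
        if brand_distance(registrable_label(host)) <= threshold:
            hits.append(host)
    return hits

# Constructed sample lines (not from the report); the hostnames are ones the report lists.
SAMPLE_LOGS = [
    "2026-02-10T09:15:11Z src=10.0.0.34 action=CONNECT host=signin-1psswoord.com:443",
    "2026-02-10T09:15:20Z src=10.0.0.21 action=CONNECT host=my.1password.com:443",
    "2026-02-10T09:16:40Z src=10.0.0.34 action=CONNECT host=on-pssword.com:443",
    "2026-02-10T09:17:03Z src=10.0.0.40 action=CONNECT host=github.com:443",
]
```

The threshold of two edits against a nine-character token is loose enough to catch every observed domain but will also match unrelated "password"-themed labels, so tune it or pair it with a registration-age check before alerting.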
Read more: https://securitylabs.datadoghq.com/articles/hook-line-vault-a-deep-dive-into-1phish/