PhishPond · Phishing Tradecraft Intelligence

Attack · Detection · Validation


Research Desk

PhishPond

Phishing tradecraft research desk covering campaign analysis, adversary infrastructure, detection engineering, and validation workflows.

High signal for security teams who need tradecraft, not recycled filler.

© 2026 PhishPond. Authorized security research use only.

Category

Infrastructure Intelligence

Adversary infrastructure: phishing kits, AiTM frameworks, redirector chains, and sending abuse.

Infrastructure Intelligence Archive

11 entries

Field Analysis

Blue Team · Infrastructure Intelligence · Jun 12, 2026 · 13 min read

Trusted Notification Systems Are Becoming Phishing Delivery

Scammers abusing a real Microsoft account-alert sender are part of a wider pattern: attackers are turning legitimate SaaS notification workflows into authenticated phishing infrastructure.

Read more: TechCrunch, Abnormal AI

By PhishPond Desk

  • #Infrastructure Intelligence
  • #Microsoft 365
  • #Trusted Sender Abuse

Field Analysis

Dual Use · Infrastructure Intelligence · Jun 7, 2026 · 9 min read

Kali365 Outgrows Microsoft 365: Operator Pivots to Okta, AWS, and a Russian-Language Cluster

Arctic Wolf's June 2 follow-up describes the Kali365 operator expanding well beyond Microsoft 365: Okta SSO, Xerox DocuShare, AWS-style endpoints, and a Russian-language cluster including MAX Messenger account takeover via real SMS OTPs. Proofpoint's research places the kit inside a broader cluster of AI-generated device-code lookalikes.

Read more: Arctic Wolf Labs, Proofpoint

By PhishPond Desk

  • #Infrastructure Intelligence
  • #Phishing-as-a-Service
  • #Kali365

Field Analysis

Blue Team · Infrastructure Intelligence · Jun 7, 2026 · 8 min read

TrapDoor's Cross-Ecosystem Campaign Adds AI-Assistant Poisoning to Supply-Chain Tradecraft

Socket attributes a coordinated supply-chain campaign called TrapDoor to roughly thirty-four packages across npm, PyPI, and Crates.io, with ecosystem-specific execution paths and a new twist: planted .cursorrules and CLAUDE.md files designed to influence the developer's AI coding assistant.

Read more: Socket, The Hacker News

By PhishPond Desk

  • #Infrastructure Intelligence
  • #Supply Chain
  • #Developer Security

Field Analysis

Dual Use · Infrastructure Intelligence · May 31, 2026 · 8 min read

Kali365 and the Productization of Token Theft

An FBI-flagged phishing-as-a-service kit rents Microsoft 365 token theft for $250 a month, packaging device-code and OAuth abuse into a point-and-click dashboard that defeats MFA without a fake login page.

Read more: FBI IC3, Malwarebytes

By PhishPond Desk

  • #Infrastructure Intelligence
  • #Phishing-as-a-Service
  • #Microsoft 365

Field Analysis

Blue Team · Infrastructure Intelligence · May 6, 2026 · 7 min read

Trusted Email Infrastructure Is Now Part of the Phishing Supply Chain

Abuse of legitimate email services such as Amazon SES shows why authentication pass results are not the same thing as sender trust.

Read more: BleepingComputer, Microsoft Security Blog

By PhishPond Desk

  • #Infrastructure Intelligence
  • #Cloud Abuse
  • #Credential Exposure

Field Analysis

Red Team · Infrastructure Intelligence · May 1, 2026 · 9 min read

Bluekit Shows Phishing Kits Are Becoming Campaign Workbenches

A newly reported kit packages templates, domain setup, anti-analysis controls, session monitoring, and AI-assisted drafting into one operator console.

Read more: BleepingComputer, Varonis

By PhishPond Desk

  • #Phishing Kits
  • #AI
  • #Credential Theft

Field Analysis

Red Team · Infrastructure Intelligence · Apr 26, 2026 · 13 min read

SVG Phishing Payloads: How Inline Script and ForeignObject Slip Most SEGs

SVG attachments became one of 2024 and 2025's fastest-growing phishing payload formats. The reason isn't novelty - it is that SVG sits in a parsing gap most secure email gateways inherit.

Read more: Sophos News, Cisco Talos

By PhishPond Desk

  • #SVG
  • #Email Security
  • #Phishing Kits

Field Analysis

Red Team · Infrastructure Intelligence · Apr 19, 2026 · 8 min read

Credential Harvesting Kits Adopt Device-Bound Session Replay Tactics

New phishing kits are pivoting from simple password theft to real-time token capture and replay workflows targeting modern MFA deployments.

Read more: The Hacker News, The Hacker News

By PhishPond Desk

  • #MFA
  • #Session Hijacking
  • #Identity Security

Field Analysis

Red Team · Infrastructure Intelligence · Apr 12, 2026 · 10 min read

The 2024–2026 AitM Phishing-as-a-Service Market: Tycoon, EvilProxy, Mamba, Greatness

Reverse-proxy phishing kits commoditized session-token theft over the last two years. The kit market now resembles SaaS, and that has implications for how defenders track operators.

Read more: Microsoft Threat Intelligence, Sekoia

By PhishPond Desk

  • #AitM
  • #Threat Intelligence
  • #Phishing Kits

Field Analysis

Red Team · Infrastructure Intelligence · Apr 4, 2026 · 11 min read

Research Note: Brand Impersonation Infrastructure in Consumer Finance

A longitudinal study tracks how lookalike domains and cloned login flows are assembled and rotated across finance-themed phishing clusters.

Read more: The Hacker News

By PhishPond Desk

  • #Brand Impersonation
  • #Threat Intelligence
  • #DNS

Field Analysis

Red Team · Infrastructure Intelligence · Mar 28, 2026 · 7 min read

Open Redirect Chains Still Enable Credential Theft at Scale

Attackers continue to abuse trusted domains with weak redirect controls to improve lure trust and reduce user suspicion.

Read more: Microsoft Security Blog

By PhishPond Desk

  • #Open Redirect
  • #Web Security
  • #Detection
