Phishing: The Biggest Cyber Threat Businesses Still Face
Phishing remains one of the most persistent and damaging cyber threats facing organisations today. Despite years of investment in email security, user awareness training, and authentication controls, phishing continues to be the primary entry point for ransomware, business email compromise and large-scale data breaches, with 83% of attacks originating from a phishing campaign, according to the UK government’s Cyber Threats Survey.
What has changed is the sophistication behind these attacks. Phishing is no longer limited to generic emails with bad grammar and fake login pages. Attackers are now combining artificial intelligence (AI), advanced phishing kits, and multi-factor authentication (MFA) bypass techniques to steal credentials at scale while remaining largely invisible to traditional security controls.
Recent research into new phishing kits such as BlackForce, GhostFrame, InboxPrime AI and Spiderman highlights a clear shift towards industrialised, highly evasive phishing operations that are purpose-built to defeat modern defences.
In this blog, we explore the latest phishing trends, the most common threat around this attack vector, and the measures you can implement to combat it effectively.
Key Takeaways
- Phishing remains the top cyber threat for businesses, with attackers now using AI tools to craft convincing, scalable, and highly targeted attacks.
- Modern phishing attacks actively bypass MFA using Man-in-the-Browser techniques and real-time interception.
- AI-powered phishing attacks are harder to detect — they use social engineering, real-time data, and polymorphic tactics to bypass traditional filters and deceive employees.
- Human error is still the weakest link, even in organisations with strong technical defences — urgency and impersonation tactics remain highly effective.
- Protection requires AI-driven email security, regular phishing simulations, and a robust Managed SOC service for real-time threat detection and response.
- Zero Trust frameworks and multi-factor authentication (MFA) are essential to contain damage and reduce breach success rates when phishing attempts break through.
Why Phishing Remains the Biggest Cyber Threat
Low Effort, High Impact Attacks
Phishing continues to offer cybercriminals an unrivalled return on investment (ROI). Compared with exploiting software vulnerabilities or developing custom malware, phishing relies on deception rather than technical complexity.
With modern phishing kits sold as subscription services on Telegram and Signal, attackers can launch professional-grade campaigns for a few hundred pounds. These kits handle everything from email delivery to credential capture and session hijacking, dramatically lowering the barrier to entry.
Constant Evolution and Increasing Sophistication
Gone are the days of poorly written, easily recognisable phishing emails. Today’s phishing campaigns are highly tailored, often leveraging information from social media, data breaches, or corporate websites to craft convincing messages.
Attackers use personalised details, professional branding, and urgency to trick users into clicking malicious links or providing sensitive information.
Human Error is Unavoidable
No matter how mature an organisation’s technical controls are, phishing ultimately targets people. Attackers exploit psychological triggers such as urgency, authority and familiarity to drive quick decisions.
Busy employees, finance teams under pressure, and IT staff responding to apparent security alerts remain prime targets. Even well-trained users can be deceived when phishing pages are visually indistinguishable from legitimate services.
The Shift From Credential Theft to Account Takeover
Historically, phishing focused on stealing usernames and passwords. Today, that is rarely enough.
Most organisations now enforce MFA, particularly for cloud services like Microsoft 365, Google Workspace and financial platforms. In response, attackers have evolved phishing kits that capture credentials and intercept one-time passwords in real time, enabling full account takeover within minutes.
Emergence of AI-Driven Phishing Tools
The development of malicious AI-driven tools such as WormGPT and FraudGPT has significantly increased the effectiveness of phishing attacks.
These AI models generate highly convincing phishing emails, automate social engineering tactics, and even assist in writing malware – all without the need for advanced technical expertise.
The Rise of AI-Powered and MFA-Bypassing Phishing Attacks
The emergence of AI-driven tools like WormGPT and FraudGPT has amplified the risk that phishing poses to businesses.
These malicious large language models (LLMs) are designed to assist cybercriminals in crafting convincing phishing emails, developing malware, and executing various cyberattacks.
WormGPT: AI in the Hands of Cybercriminals
Discovered in mid-2023, WormGPT is an AI model based on GPT-J. Unlike legitimate AI models with ethical safeguards, WormGPT has no such constraints, enabling users to generate malicious content freely.
It is explicitly designed for malicious purposes, providing cybercriminals with an easy way to craft convincing phishing emails, business email compromise (BEC) scams, and other fraudulent activities.
It’s marketed on underground forums, offering capabilities such as creating persuasive phishing emails and writing malware code. For instance, it can draft emails impersonating company executives to deceive employees into transferring funds or sharing sensitive information.
- How WormGPT Works: Attackers input a few details, and the AI generates grammatically flawless, persuasive emails designed to deceive employees into revealing sensitive information or transferring funds
- Why It’s Dangerous: Unlike traditional phishing kits, which require manual effort, WormGPT automates and refines phishing attacks, making them more scalable and effective
FraudGPT: The Next Evolution of AI-Driven Cybercrime
Shortly after WormGPT emerged, another AI-powered tool, FraudGPT, hit the dark web.
Marketed as an even more powerful tool for cybercriminals, FraudGPT is sold on underground forums and encrypted messaging platforms like Telegram, with subscriptions ranging from $200 per month to $1,700 per year.
- What FraudGPT Does: It assists attackers in writing phishing emails, generating malware, and identifying vulnerabilities in business networks
- Scale of the Threat: The creator of FraudGPT claims it has been used in thousands of attacks, highlighting the demand for AI-assisted cybercrime
Both WormGPT and FraudGPT drastically lower the barrier to entry for cybercriminals, allowing even those with minimal technical skills to conduct highly sophisticated AI-powered phishing attacks. This development underscores the need for businesses to enhance their cybersecurity measures.
BlackForce: MFA Bypass at Scale
First observed in August 2025, BlackForce represents a significant leap in phishing capability. Sold on Telegram for a few hundred euros, the kit is designed to steal credentials and bypass MFA using Man-in-the-Browser techniques.
BlackForce has been used to impersonate more than 11 well-known brands including Netflix, DHL, UPS and Disney. It employs multiple evasion techniques, including blocklists that prevent security vendors, scanners and crawlers from accessing the phishing pages.
A typical BlackForce attack works as follows:
- The victim clicks a phishing link and is redirected to a convincing fake login page
- Server-side checks filter out bots and security tools
- Credentials are captured and transmitted in real time to a command-and-control panel via Telegram
- When MFA is triggered, the victim is presented with a fake MFA prompt
- The one-time password is intercepted and used immediately by the attacker
- The victim is redirected to the legitimate website, masking the compromise
By using dynamic JavaScript files with cache-busting hashes, BlackForce ensures victims always receive the latest malicious code while avoiding detection by static analysis tools.
GhostFrame: Stealth Phishing at Massive Scale
GhostFrame is another emerging phishing kit that has already been linked to more than one million stealth phishing attacks since September 2025.
At first glance, GhostFrame pages appear harmless. The visible content is often a simple HTML page, while the real phishing content is hidden inside an embedded iframe. This architecture allows attackers to swap out phishing payloads, change targets and evade detection without altering the outer page.
Key GhostFrame capabilities include:
- Randomised subdomains on every visit to avoid blocking
- Anti-analysis and anti-debugging to defeat browser inspection tools
- Dynamic page elements that impersonate trusted brands, including titles and favicons
- Backup iframe mechanisms to ensure delivery even if scripts are blocked
GhostFrame is commonly used to target Microsoft 365 and Google accounts using lures related to invoices, contracts and password resets.
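To show what the outer-page/iframe split described above looks like to a defender, here is an added example (not part of the original article or of any vendor tooling) that triages a fetched HTML page for a thin outer shell framing a cross-origin host with a random-looking subdomain. The sample page, host names, finding names and thresholds are constructed assumptions.

```python
import math
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: near-empty outer page, real content in a framed third-party host.
SAMPLE = """<html><head><title>Loading</title></head><body><p>Please wait...</p>
<iframe src="https://k3x9q7zt2mfa.portal.example/login" style="border:0"></iframe>
<script>document.title = "Sign in";</script></body></html>"""

class OuterPage(HTMLParser):
    """Collect iframe sources and count visible text outside script/style."""
    def __init__(self):
        super().__init__()
        self.iframes, self.text_chars, self.hidden = [], 0, 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.hidden += 1
        elif tag == "iframe":
            self.iframes.append(dict(attrs).get("src") or "")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.hidden:
            self.hidden -= 1

    def handle_data(self, data):
        if not self.hidden:
            self.text_chars += len(data.strip())

def entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    return -sum(n / len(label) * math.log2(n / len(label)) for n in Counter(label).values())

def triage(html, page_host, min_text=80, min_entropy=3.0):
    """Return sorted finding names; thresholds are illustrative assumptions."""
    page = OuterPage()
    page.feed(html)
    findings = set()
    for src in page.iframes:
        host = urlparse(src).hostname or ""
        if host and host != page_host:
            findings.add("cross-origin-iframe")
            label = host.split(".")[0]
            if len(label) >= 10 and entropy(label) >= min_entropy:
                findings.add("random-looking-subdomain")
    if page.iframes and page.text_chars < min_text:
        findings.add("thin-outer-page")
    return sorted(findings)
```

Each finding alone is common on legitimate sites; the combination is what makes a page worth opening in a sandboxed browser, since static inspection of the outer page never sees the framed content.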
InboxPrime AI: The Industrialisation of Phishing
InboxPrime AI takes phishing automation even further by combining artificial intelligence with mass email delivery. Marketed as malware-as-a-service for around $1,000, it provides attackers with a platform that closely resembles legitimate email marketing software.
InboxPrime AI is designed to mimic human emailing behaviour and even leverages Gmail’s web interface to bypass traditional email filtering.
Core features include:
- AI-generated phishing emails with realistic tone, structure and subject lines
- Campaign automation with industry, language and theme targeting
- Spintax support to ensure every email is unique
- Real-time spam diagnostics with suggested improvements
- Sender identity spoofing and display name randomisation
This level of automation enables attackers to run large-scale phishing campaigns with professional polish, without needing copywriting or technical expertise.
Spiderman: Targeting European Banks and Financial Services
Spiderman is a full-stack phishing framework focused on European financial institutions and government portals. It includes pixel-perfect replicas of login pages for banks and payment platforms such as Deutsche Bank, ING, Klarna, PayPal and Commerzbank.
Unlike traditional kits, Spiderman is marketed via Signal rather than Telegram, with a strong focus on Germany, Austria, Switzerland and Belgium.
Its capabilities include:
- Geofencing and ISP allowlisting to restrict access to intended victims
- Device filtering to evade automated analysis
- OTP and PhotoTAN interception
- Cryptocurrency wallet seed phrase theft
- Multi-step workflows that maintain session continuity
This approach is particularly effective against European banking controls, where MFA and transaction verification are standard.
Polymorphic Phishing Attacks
Generative AI tools have given attackers new customisation capabilities that increase the success of their attacks. Cybercriminals can reference publicly available data such as recent purchases, professional networks or interests, which hugely increases the likelihood of a successful breach.
Polymorphic phishing attacks dynamically change aspects such as the subject line, sender, malicious links and even the content of the email to evade static, signature-based email filters. This is a significant shift, with AI being used to develop sophisticated malware and more complex multipurpose attacks.
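The following added example (not from the original article) shows why an exact-match signature sees every polymorphic variant as new, while a structural fingerprint still groups them into one campaign. The messages are constructed samples; the normalisation rules, bigram shingles and 0.5 threshold are assumptions chosen for illustration.

```python
import hashlib
import re

# Constructed samples: three variants of one lure plus one unrelated message.
MAILS = [
    "Hi Sam, invoice 48213 from Northwind is overdue. Please review and approve the "
    "payment today at https://a1.pay.example/i/9f3 to avoid a late fee.",
    "Hello Priya, invoice 77120 from Northwind is overdue. Please review and approve the "
    "payment now at https://zq.pay.example/i/c07 to avoid a late fee.",
    "Dear Lee, invoice 10394 from Northwind is past due. Kindly review and approve the "
    "payment today at https://m8.pay.example/i/41b to avoid a late fee.",
    "Team lunch is moved to Thursday at noon, same room as last week.",
]

def exact_signature(body):
    """Static signature: any changed character yields a different value."""
    return hashlib.sha256(body.encode()).hexdigest()

def normalise(body):
    """Lowercase and replace the fields a kit rotates (links, numbers) with placeholders."""
    body = re.sub(r"https?://\S+", "<url>", body.lower())
    body = re.sub(r"\d+", "<num>", body)
    return re.findall(r"<url>|<num>|[a-z']+", body)

def shingles(body, k=2):
    tokens = normalise(body)
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster(mails, threshold=0.5):
    """Greedy clustering: join the first cluster whose representative is similar enough."""
    clusters = []
    for idx, body in enumerate(mails):
        current = shingles(body)
        for c in clusters:
            if jaccard(current, c["rep"]) >= threshold:
                c["members"].append(idx)
                break
        else:
            clusters.append({"rep": current, "members": [idx]})
    return [c["members"] for c in clusters]
```

On the constructed samples all four exact signatures differ, yet the three invoice variants fall into one cluster and the unrelated message stays separate.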
Hybrid Phishing Kits and Detection Evasion
Attackers are now actively blending multiple phishing kits into single campaigns. Recent research has identified hybrid Salty-Tycoon attacks that combine techniques from Salty 2FA and Tycoon 2FA.
This blending weakens detection rules, complicates attribution and allows attackers to switch payloads dynamically if part of the infrastructure is disrupted. It marks a clear move away from single-kit campaigns towards modular phishing operations.
How Businesses Can Protect Themselves Against AI-Driven Phishing Attacks
Move Beyond Traditional Email Security
Signature-based email filters are no longer sufficient. Modern phishing attacks use unique content, dynamic infrastructure and real-time interaction to evade detection.
Organisations should adopt advanced email security platforms that use behavioural analysis, machine learning and link inspection to identify threats before they reach inboxes.
Implement AI-Powered Security Solutions
As cybercriminals adopt AI-driven tools, businesses must counteract with AI-powered cybersecurity defences.
Advanced email security solutions that use machine learning to detect suspicious patterns can help identify and block phishing attempts before they reach employees’ inboxes.
But the ultimate protection is a Managed SOC Service, which, armed with highly qualified security professionals and advanced security tooling, can detect and respond to the inevitable – when a malicious attack breaches networks or systems.
Strengthen Security Awareness Training
Security awareness training must evolve alongside phishing tactics. Regular simulations, realistic attack scenarios and targeted training for high-risk roles such as finance and IT are essential.
Awareness alone isn’t enough, but it remains a critical layer in reducing successful attacks.
Deploy Phishing-Resistant MFA
Not all MFA is equal. SMS-based and app-based one-time passwords can be intercepted by Man-in-the-Browser attacks.
Phishing-resistant MFA methods such as FIDO2 security keys and certificate-based authentication significantly reduce the risk of account takeover.
Adopt Zero-Trust Security Principles
A Zero Trust approach ensures that no user, device or session is implicitly trusted. Continuous verification, least-privilege access and segmentation help contain the impact of compromised accounts.
Even when phishing succeeds, Zero Trust limits lateral movement and data exposure.
Monitor the Dark Web for Emerging Threats
Threat intelligence services that track dark web activity can provide early warnings about new cybercriminal tools like WormGPT and FraudGPT, allowing businesses to prepare accordingly.
Phishing is not going away. In fact, it’s becoming more dangerous. The rise of AI-driven cybercrime tools like WormGPT and FraudGPT has made phishing attacks more convincing, scalable, and accessible to criminals.
Businesses must stay ahead of these evolving threats by adopting AI-powered security measures, enhancing employee training, and reinforcing authentication protocols.
By staying vigilant and proactive, organisations can significantly reduce their risk and protect their assets from sophisticated phishing attacks.
If your organisation needs expert cybersecurity support to defend against phishing and other cyber threats, DigitalXRAID’s team of security specialists is here to help. Get in touch today to learn more about our advanced cybersecurity solutions.
Phishing Is Evolving Faster Than Ever
Phishing isn’t going away any time soon. It’s becoming more automated, more evasive and more effective.
The rise of AI-powered phishing platforms and MFA-bypassing kits like BlackForce, GhostFrame, InboxPrime AI and Spiderman demonstrates that attackers are professionalising their operations at pace. Businesses must respond with layered, intelligence-driven defences that assume phishing attempts will succeed and focus on rapid detection and containment.
If your organisation needs expert support to defend against phishing and modern social engineering attacks, DigitalXRAID’s security specialists can help. Get in touch to learn how our Managed SOC, phishing defence and cyber security services protect organisations in the UK and beyond.


