
Phishing Infrastructure: Detection and Takedown Intelligence

March 18, 2026
Executive Summary

Phishing remains the most prevalent initial access vector for cyberattacks, with the Anti-Phishing Working Group (APWG) recording over 4.7 million phishing attacks in 2024 — a figure that continues to rise year-over-year. The sophistication of phishing infrastructure has evolved far beyond simple cloned login pages: modern phishing operations leverage adversary-in-the-middle (AiTM) proxy techniques to capture MFA tokens in real-time, deploy infrastructure across legitimate cloud platforms to inherit their domain reputation, and utilize AI-generated content to scale convincing lures across languages and brands. This report provides a technical analysis of contemporary phishing infrastructure — from domain registration patterns and certificate abuse through hosting architecture and takedown processes — equipping security teams with the intelligence needed to detect, disrupt, and remediate phishing campaigns targeting their organizations.

Phishing Infrastructure Anatomy

Modern Phishing Architecture

Contemporary phishing operations are not ad hoc — they are infrastructure-intensive operations with distinct architectural components. A typical phishing campaign involves domain acquisition (registration of lookalike domains through privacy-protected registrars), SSL/TLS certificate provisioning (predominantly Let's Encrypt, providing the padlock icon that users trust), hosting infrastructure (increasingly cloud-based: Cloudflare Workers, Azure Blob Storage, AWS S3, Google Firebase), content delivery (phishing kit deployment with dynamic content loading, cloaking, and anti-analysis techniques), and credential exfiltration (Telegram bot APIs, email forwarding, or direct database collection).

The shift to cloud-hosted phishing infrastructure is particularly significant because it allows attackers to inherit the domain reputation and IP reputation of major cloud providers, making URL-based detection significantly less effective. A phishing page hosted on *.workers.dev, *.azurewebsites.net, or *.web.app benefits from the trust that security products and users place in these legitimate platforms.

Adversary-in-the-Middle (AiTM) Phishing

The most significant evolution in phishing technique over the past two years is the widespread adoption of adversary-in-the-middle phishing proxies. Platforms such as EvilProxy (Evilginx-based), Tycoon 2FA, and NakedPages operate as reverse proxies between the victim and the legitimate service, relaying authentication requests in real time. This approach captures not only usernames and passwords but also the session tokens issued after MFA completion, rendering traditional MFA (push notifications, TOTP codes, SMS) ineffective as a phishing defense.

⚠ Critical Finding

Dark Angel's analysis of phishing campaigns targeting European enterprises in Q1 2025 found that 43% utilized AiTM proxy techniques — up from 12% in Q1 2023. This represents a fundamental shift that invalidates traditional anti-phishing defenses predicated on MFA as the primary control. Only phishing-resistant MFA (FIDO2/WebAuthn) remains effective against AiTM attacks.

Domain Generation Techniques

Homoglyph and Typosquatting Attacks

Attackers exploit visual similarity between characters to create domains that are difficult to distinguish from legitimate ones during visual inspection. Homoglyph attacks leverage Unicode characters from non-Latin scripts that appear identical to ASCII characters — for example, using Cyrillic 'а' (U+0430) in place of Latin 'a' (U+0061), or Greek 'ο' (U+03BF) for Latin 'o'. While Internationalized Domain Names (IDN) homoglyph awareness has improved in modern browsers, which may display the punycode representation (xn--...) instead of the Unicode version, many email clients and mobile applications still render Unicode domains as their visual equivalent.

Typosquatting employs more conventional techniques: character transposition (exmaple.com), character omission (examle.com), character substitution (examp1e.com), character addition (examplle.com), and TLD variation (example.co instead of example.com). Subdomain abuse creates the illusion of a legitimate domain appearing in the URL: login.example.com.attacker-domain.com.

Technique            | Example                          | Detection Difficulty | Detection Method
---------------------|----------------------------------|----------------------|------------------------------------------------
Homoglyph (Unicode)  | dаrkangel.eu (Cyrillic 'а')      | High                 | Unicode normalization, punycode analysis
Typosquatting        | darkagnel.eu                     | Medium               | Levenshtein distance, keyboard proximity
Combosquatting       | darkangel-login.eu               | Medium               | Keyword monitoring, brand name + affix patterns
TLD variation        | darkangel.co                     | Low                  | TLD enumeration, DNS monitoring
Subdomain abuse      | darkangel.eu.login-verify.com    | Medium-High          | Subdomain analysis, referrer monitoring
Cloud platform abuse | darkangel-auth.azurewebsites.net | High                 | Cloud platform keyword monitoring

Certificate Transparency Monitoring

CT Logs as an Early Warning System

Certificate Transparency (CT) logs provide a publicly auditable record of every SSL/TLS certificate issued by participating Certificate Authorities. Because phishing operators almost universally provision SSL certificates for their domains (to display the padlock icon and avoid browser warnings), CT log monitoring serves as one of the earliest detection signals for phishing infrastructure deployment — often identifying phishing domains before they are actively used in campaigns.

Dark Angel's CT monitoring processes approximately 15 million new certificate entries per day, filtering for certificates that match client brand patterns. Detection rules include exact and fuzzy brand name matching in certificate Common Names (CN) and Subject Alternative Names (SAN), Levenshtein distance calculation against monitored domains, keyword combination matching (brand + "login", "verify", "secure", "update", "account"), and wildcard certificate analysis for patterns indicating multi-target phishing operations.
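As an added illustration of the CT detection rules just described and of the lookalike categories in the table under Domain Generation Techniques (example code written for this page, not Dark Angel's engine), the following Python classifies the CN and SANs of a constructed CT log entry against one monitored brand. The brand, keyword list, cloud suffix list, confusables subset and two-label public-suffix handling are assumptions chosen for the sample.

```python
import unicodedata
BRAND, BRAND_TLD = "darkangel", "eu"        # monitored brand, as in the table above
KEYWORDS = ("login", "verify", "secure", "update", "account", "auth")
CLOUD_SUFFIXES = ("workers.dev", "azurewebsites.net", "web.app")
# Subset of the Unicode confusables table (assumption): Cyrillic a e o p c s i, Greek omicron -> Latin
CONFUSABLES = dict(zip("\u0430\u0435\u043e\u0440\u0441\u0455\u0456\u03bf", "aeopcsio"))

def skeleton(label):                          # NFKC-normalise, then fold homoglyphs
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", label))

def levenshtein(a, b):                        # edit distance for the typosquatting rule
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name):
    """Return (rule, detail) findings for one CN/SAN; an empty list means benign."""
    findings, host = [], name.lower().rstrip(".")
    if host.startswith("*."):                 # wildcard SAN: multi-host certificate
        findings.append(("wildcard", "multi-host certificate"))
    labels = host.removeprefix("*.").encode("idna").decode("idna").split(".")
    sld, tld = labels[-2:]                    # assumption: two-label public suffixes
    registered = f"{sld}.{tld}"
    if registered in CLOUD_SUFFIXES and BRAND in skeleton(".".join(labels[:-2])):
        findings.append(("cloud-platform-abuse", registered))
    if f"{BRAND}.{BRAND_TLD}." in host:       # brand.tld appears as a sub-label
        findings.append(("subdomain-abuse", registered))
    s = skeleton(sld)
    if not sld.isascii():                     # IDN: its folded skeleton is compared below
        findings.append(("homoglyph", f"skeleton={s}"))
    if s == BRAND and tld != BRAND_TLD:
        findings.append(("tld-variation", tld))
    elif s != BRAND and BRAND in s:
        findings.append(("combosquatting", ",".join(k for k in KEYWORDS if k in s) or "affix"))
    elif s != BRAND and levenshtein(s, BRAND) <= 2:
        findings.append(("typosquatting", f"distance={levenshtein(s, BRAND)}"))
    return findings

def filter_ct_entry(entry):                   # keep the CN/SANs that trip at least one rule
    names = dict.fromkeys([entry["cn"], *entry["sans"]])   # de-duplicate, keep order
    return {n: f for n in names if (f := classify(n))}
# Constructed CT entry (not real log data); the IDN is built at run time so it is in punycode form.
SAMPLE_ENTRY = {"cn": "darkangel.eu.login-verify.com", "sans": [
    "darkangel.eu.login-verify.com", "darkagnel.eu", "darkangel.co",
    "darkangel-auth.azurewebsites.net", "*.darkangel-login.eu",
    "d\u0430rkangel.eu".encode("idna").decode("ascii"), "www.darkangel.eu", "darkangel.eu"]}
```

Running filter_ct_entry(SAMPLE_ENTRY) flags six of the eight names and leaves the two genuine brand hosts untouched; a production rule set would add keyboard-proximity scoring and a public suffix list in place of the two-label assumption.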

"Certificate Transparency monitoring detects 67% of phishing domains an average of 8 hours before the first victim click — making it one of the most valuable proactive detection sources available."

— Dark Angel Research, Phishing Intelligence Analysis

Visual Similarity Detection

Favicon Hashing and Screenshot Comparison

Visual similarity detection provides a content-level analysis layer that complements domain-based monitoring. This approach works by comparing the visual appearance of suspected phishing pages against known legitimate pages, independent of the domain name or URL structure. Key techniques include favicon hashing (using MurmurHash or other algorithms to fingerprint favicon files — many phishing kits copy the target's favicon unchanged, creating a reliable matching signal), screenshot comparison using perceptual hashing algorithms (pHash, dHash) that are resilient to minor layout variations, DOM structure fingerprinting that compares HTML structure patterns characteristic of specific login pages, and logo detection using computer vision models trained to identify specific brand logos in page screenshots.

Dark Angel's phishing detection engine combines these techniques with machine learning classifiers that assess the overall probability that a given page is a phishing attempt targeting a monitored brand, achieving a 94.7% detection rate with a false positive rate below 0.3%.

Phishing Kits and Platforms

Phishing-as-a-Service Ecosystem

The commoditization of phishing has produced a mature Phishing-as-a-Service (PhaaS) ecosystem where sophisticated attack infrastructure is available to operators with minimal technical skill:

EvilProxy: The most prominent AiTM phishing platform, offering targeting profiles for Microsoft 365, Google Workspace, GitHub, and other major services. EvilProxy operates on a subscription model ($400 for 10 days targeting Microsoft 365) and provides a web-based admin panel, real-time credential and session token capture, and anti-detection features including CAPTCHA challenges and geographic cloaking that blocks security researchers and sandboxes.

Tycoon 2FA: A rapidly growing AiTM phishing platform first identified in August 2023. Tycoon 2FA distinguishes itself through multi-stage attack flows that first present a Cloudflare Turnstile CAPTCHA, then redirect to the phishing proxy. The platform has been observed targeting financial institutions, government agencies, and technology companies across Europe and North America.

NakedPages: An open-source-derived phishing framework offering AiTM capabilities with an emphasis on evasion — including automatic IP blocking of known security vendor IP ranges, geographic targeting to restrict phishing page access to the target organization's geographic area, and just-in-time DNS resolution to limit the exposure window.

Takedown Intelligence and Process

The Takedown Lifecycle

Effective phishing takedown requires coordination across multiple parties and jurisdictions. The typical takedown lifecycle involves detection and validation (confirming the page is a phishing attack and identifying the target brand), hosting provider identification (determining the registrar, DNS provider, hosting provider, and CDN through WHOIS, passive DNS, and infrastructure fingerprinting), abuse report submission (filing standardized abuse reports with hosting providers, registrars, and relevant CERTs), escalation protocols (for unresponsive providers, engaging upstream network providers, ICANN compliance, or national CERTs), and confirmation and monitoring (verifying takedown completion and monitoring for reconstitution on alternative infrastructure).

Average takedown times vary significantly by hosting provider and domain registrar. Dark Angel's operational data shows median takedown times of 4 hours for major cloud platforms (Microsoft Azure, Google Cloud, AWS), 12-24 hours for major hosting providers and registrars, 48-72 hours for smaller or offshore hosting providers, and 7+ days for bulletproof hosting providers resistant to abuse reports. The window between phishing page activation and takedown is the critical exposure period — during which every hour of delay represents additional potential victims.

Defensive Recommendations

  1. Deploy phishing-resistant MFA (FIDO2/WebAuthn) — Given the prevalence of AiTM phishing, traditional MFA provides insufficient protection. Prioritize FIDO2 security keys or platform authenticators for high-value accounts and critical systems.
  2. Implement Certificate Transparency monitoring — Deploy automated CT log monitoring for brand names, domain variations, and keyword combinations. Integrate alerts with security operations for rapid assessment and takedown initiation.
  3. Establish proactive domain monitoring — Register defensive domain variants, monitor new domain registrations for brand impersonation patterns, and subscribe to domain monitoring services that detect typosquatting and combosquatting in real-time.
  4. Deploy DMARC, SPF, and DKIM at enforcement — Implement DMARC with a p=reject policy for all organizational domains. Ensure SPF records are optimized and DKIM signing is enabled for all outbound mail systems. Monitor DMARC aggregate reports for unauthorized sending sources.
  5. Implement browser isolation for high-risk scenarios — Deploy remote browser isolation (RBI) for URL clicks from email, preventing credential entry on phishing pages from reaching the endpoint.
  6. Develop rapid takedown capability — Establish pre-authenticated relationships with major hosting providers, registrars, and cloud platforms to expedite abuse report processing. Maintain templates for standard takedown requests across jurisdictions.
  7. Conduct continuous phishing simulation — Run regular phishing simulations that include AiTM-style attacks, QR code phishing (quishing), and multi-channel attacks. Use results to target security awareness training at highest-risk user populations.
  8. Monitor for credential exposure post-phishing — Integrate phishing detection with credential monitoring services to identify when stolen credentials appear in underground markets or are used in subsequent attacks.
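To make recommendation 4 concrete, this added Python (written for this page, not part of the report) lints a DMARC TXT record against the p=reject posture and extracts senders that failed both SPF and DKIM alignment from an aggregate report. The record strings, example.com and the report fragment are constructed sample data following the RFC 7489 XML layout.

```python
import xml.etree.ElementTree as ET

def parse_dmarc(txt):
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def dmarc_findings(txt):
    """List the gaps between a record and the enforcement posture recommended above."""
    t = parse_dmarc(txt)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    if t.get("p") != "reject":
        issues.append(f"policy is p={t.get('p', 'missing')}, not reject")
    if "sp" in t and t["sp"] != "reject":
        issues.append(f"subdomain policy sp={t['sp']} is weaker than reject")
    if int(t.get("pct", "100")) < 100:
        issues.append(f"pct={t['pct']} applies the policy to only part of the mail")
    if "rua" not in t:
        issues.append("no rua= address, so aggregate reports are never received")
    return issues

def unauthorized_sources(report_xml):
    """From an aggregate report, return (source_ip, count, disposition) for rows
    that failed both DKIM and SPF alignment, i.e. mail the domain never authorized."""
    bad = []
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        pol = row.find("policy_evaluated")
        if pol.findtext("dkim") == "fail" and pol.findtext("spf") == "fail":
            bad.append((row.findtext("source_ip"), int(row.findtext("count")),
                        pol.findtext("disposition")))
    return bad

WEAK_RECORD = "v=DMARC1; p=none; pct=50"                      # constructed: monitoring only
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-rua@example.com"
# Constructed aggregate-report fragment (not real data); 192.0.2.10 is an unauthorized sender.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>42</count><policy_evaluated>
<disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers></record>
<record><row><source_ip>198.51.100.7</source_ip><count>900</count><policy_evaluated>
<disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers></record></feedback>"""
```

Under the weak record the 42 spoofed messages from 192.0.2.10 were delivered (disposition none); the same report under STRONG_RECORD would show them rejected, which is the change the recommendation asks for.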

Methodology

This report draws on Dark Angel's continuous phishing infrastructure monitoring and takedown operations. Data sources include Certificate Transparency log analysis (processing 15M+ certificates daily across all major CT logs), passive DNS intelligence, active scanning of identified phishing infrastructure, analysis of phishing kits obtained from compromised servers, and operational data from 12,000+ takedown requests processed in 2024. Visual similarity detection accuracy metrics are based on validation against manually curated datasets of confirmed phishing and legitimate pages. AiTM phishing prevalence statistics reflect analysis of 47,000+ unique phishing URLs targeting Dark Angel clients across Q1 2025.
