I’ve spent the past two years working on incident response and threat intelligence, and the pattern I’m about to describe is one I keep seeing show up in cases that should have been caught at the email gateway. The kit families change. The lure templates change. The constant is that phishing-as-a-service operators are buying aged legitimate domains and redeploying them to steal credentials from enterprise and government targets.
The most recent incident I worked involved a Sneaky2FA deployment running on 117 origin servers in Kansas City, Missouri, split across two hosting providers. The operator has been on the same infrastructure for over two years and runs lures against a mix of UK and US...