FluidOne Blog

New 2FA phishing kit Astaroth threatens user logins

Written by George Slade | 09/04/25 09:40

The history of computing has been marked by an arms race between cyber criminals and security professionals, each seeking to outdo the other and gain a precious advantage – leading to constant innovations on both sides. With phishing kit Astaroth seeking to bypass the protection provided by two-factor authentication (2FA), this blog looks at exactly how the cyber threat works and how you can avoid falling victim.

What is MFA and 2FA?

Passwords have been the default way to secure devices and digital information for many decades, and combatting attempts to bypass them is a core part of both IT and cyber security. Many websites and applications encourage people to use a different password for each account, as well as stronger ones – preferably long, containing a mixture of letters, numbers, and punctuation, and not containing information related to the user.

Because even the most complex passwords are at risk of being cracked, multi-factor authentication (MFA) emerged as a common way to strengthen digital protection. MFA is where users are only granted access to a website, device, or application after submitting two (where it may be known as 2FA) or more pieces of evidence. The layers of protection that need to be bypassed may be any combination of password, security question, biometrics, code sent by text or email, USB stick, and many more.

What is the latest threat to 2FA?

All the above layers of security make it harder to obtain unauthorised access to a system, but unfortunately plenty of methods to do so exist. For example, scammers may contact potential victims pretending to be from a reputable organisation, to get them to reveal details such as passwords, security questions, and the codes sent to their contact details.

First seen in late January 2025, the Astaroth phishing kit gives attackers a way to bypass 2FA and gain access to accounts by tricking users into entering their credentials on fake login pages. The kit captures victims' 2FA details in real time by mimicking the genuine webpages: the login data entered on the fake site is captured and immediately used by the attacker to log in to the real site.

How the attack works:

  1. You receive an email with a link claiming to be for an organisation like Microsoft, Gmail, Yahoo, etc.
  2. The link takes you to a webpage that looks official, with a valid certificate and matching branding.
  3. When you enter your login details, the fake website acts as a middleman between you and the real one, stealing your session and allowing the attacker to access your account, even if you have 2FA enabled.

This may seem familiar, but the difference with Astaroth is its ability to capture 2FA details. This sets it apart from traditional phishing kits, which only use a static login page to capture passwords and cannot move the victim on to replica pages that capture the second factor as well.

What can be done?

The first line of defence against phishing and other cyber threats is user awareness and vigilance. To protect oneself against the latest threat, users should:

  • Be cautious of unexpected login requests, especially from emails urging immediate action.
  • Always check the URL before entering your credentials. For example, Microsoft logins should always be at https://login.microsoftonline.com.
  • If you're unsure whether a link is legitimate, contact your IT team before clicking.
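The URL check in the list above is easy to state and easy to get wrong, because a lookalike page can put the real hostname somewhere in the link without actually being served from it. The following helper is an added example (not code from the FluidOne post) that applies the post's advice mechanically: it accepts a link only when the real host is exactly the expected sign-in host over https, and explains which trick it found otherwise. The sample links are constructed for illustration and are not real indicators.

```python
"""Check whether a login link really points at the expected sign-in host.

Added example, not from the original post. EXPECTED_HOST is taken from the
post's advice; the sample links below are constructed, not real IoCs.
"""
from urllib.parse import urlsplit

EXPECTED_HOST = "login.microsoftonline.com"


def login_url_check(url: str, expected_host: str = EXPECTED_HOST) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when the link's actual host is
    exactly expected_host and the page is served over https."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme is '{parts.scheme or 'none'}', expected https"
    # .hostname drops any user@ prefix and :port, and is lower-cased already
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no hostname in URL"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised (punycode) hostname, possible lookalike"
    if host == expected_host:
        return True, "host matches expected sign-in host"
    if host.startswith(expected_host + "."):
        # e.g. login.microsoftonline.com.attacker.example: real host is attacker's
        return False, f"'{expected_host}' is only a subdomain of '{host}'"
    if expected_host in url.lower():
        # real host appears in the path or as a fake user@ prefix
        return False, f"expected host appears in URL but real host is '{host}'"
    return False, f"host '{host}' is not '{expected_host}'"


def suspicious_links(urls: list[str]) -> list[tuple[str, str]]:
    """Return the (url, reason) pairs that fail the check."""
    flagged = []
    for url in urls:
        ok, reason = login_url_check(url)
        if not ok:
            flagged.append((url, reason))
    return flagged


# Constructed sample of links as they might appear in a phishing email
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",      # genuine
    "http://login.microsoftonline.com/",                              # not https
    "https://login.microsoftonline.com.example-attacker.test/login",  # subdomain trick
    "https://login.microsoftonline.com@example-attacker.test/",       # user@ trick
    "https://example-attacker.test/login.microsoftonline.com/",       # host in path
]

if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_LINKS):
        print(f"SUSPICIOUS {url}\n    {reason}")
```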

Cyber criminals are constantly evolving their methods, meaning it is vital to stay informed and be cautious. At FluidOne we provide training services to keep your people aware of threats to their security, as we know it can be all too hard to keep up with the changing dangers out there. We also provide a variety of other services, from MFA and mobile device management (MDM) to private networking technologies and managed services, to keep you and your data safe.

To find out more, contact us today to talk to our experts about your IT security needs.