SHADOWCORE_
Back to Blog
phishing social engineering email security MFA bypass threat intelligence

Anatomy of a Phishing Attack: How Attackers Steal Your Credentials in 2026

ShadowCore Threat Intelligence Team

Phishing remains the #1 initial access vector in 2026. We dissect modern phishing techniques — from AI-generated lures to adversary-in-the-middle attacks that bypass MFA — and show how to build layered defenses that actually work.

Every major breach you read about in the news has one thing in common: it almost always starts with a phishing email. According to ENISA's 2025 Threat Landscape report, phishing and social engineering account for over 74% of initial access vectors in confirmed breaches across Europe. Despite billions spent on email security, the human factor remains the weakest — and most exploited — link in the chain.

In this post, we break down how modern phishing attacks work in 2026, why legacy defenses fail, and what your organization can do to build real resilience.

Why Phishing Still Works in 2026

Phishing has evolved far beyond the "Nigerian prince" emails of the early 2000s. Today's campaigns are sophisticated, targeted, and increasingly automated with generative AI. Here's why they continue to succeed:

AI-Generated Lures Are Indistinguishable From Legitimate Emails

Attackers now use large language models to craft phishing emails that perfectly mimic corporate tone, include contextually relevant details scraped from LinkedIn and company websites, and contain zero grammatical errors. The old advice of "look for spelling mistakes" is no longer a reliable indicator. A threat actor can generate hundreds of unique, personalized lures in minutes — each one tailored to a specific employee's role, department, and recent activity.

Legitimate Infrastructure Abuse

Modern phishing campaigns don't host malicious pages on sketchy domains. Instead, they abuse trusted platforms: Google Docs for credential harvesting forms, Microsoft Azure blob storage for hosting fake login pages, Cloudflare Workers for proxying requests, and legitimate email marketing platforms for delivery. Because these services are inherently trusted by email gateways and web filters, the phishing infrastructure often bypasses technical controls entirely.

Multi-Channel Attacks

Phishing is no longer limited to email. Attackers coordinate campaigns across SMS (smishing), voice calls (vishing), Microsoft Teams messages, Slack DMs, and even QR codes placed in physical locations. The 2025 MGM-style attacks demonstrated how a single vishing call to a helpdesk — combined with social media reconnaissance — can compromise an entire enterprise. Your email security gateway doesn't protect any of these channels.

The Five Stages of a Modern Phishing Attack

Understanding how a phishing attack unfolds is essential for building effective defenses. Here's the typical kill chain we observe in our incident response engagements:

Stage 1: Reconnaissance

The attacker identifies the target organization and gathers intelligence. They scrape employee names and titles from LinkedIn, study the company's email format (first.last@company.com), identify key vendors and partners from press releases, and map out the technology stack from job postings and DNS records. This phase can be fully automated and takes minutes for a skilled attacker.

Stage 2: Weaponization

Using the intelligence gathered, the attacker builds the phishing infrastructure. This includes registering lookalike domains (shadowc0re.io vs shadowcore.io), deploying a reverse proxy toolkit like Evilginx or Modlishka for real-time credential and session token interception, creating a convincing pretext (invoice from a known vendor, password expiry notice, shared document notification), and setting up email delivery infrastructure with valid SPF/DKIM records.

Stage 3: Delivery

The phishing message reaches the target. To bypass email security, attackers employ several evasion techniques: sending from compromised legitimate accounts (Business Email Compromise), using URL shorteners or redirect chains to hide the final destination, embedding links in PDF or HTML attachments rather than the email body, time-delaying the weaponization of linked pages (clean at scan time, malicious when clicked), and abusing OAuth consent flows to gain persistent access without needing passwords at all.

Stage 4: Credential Harvesting and MFA Bypass

This is where most organizations believe MFA will save them — and where they're wrong. Modern adversary-in-the-middle (AiTM) toolkits act as a transparent proxy between the victim and the real login page. The victim enters their credentials and completes the MFA challenge on what appears to be the legitimate site. The proxy captures both the credentials and the authenticated session cookie in real time. The attacker then replays the session cookie to access the account, completely bypassing MFA. This technique works against SMS codes, authenticator apps, and push notifications. Only phishing-resistant MFA methods like FIDO2/WebAuthn hardware keys are immune to AiTM attacks.

Stage 5: Post-Compromise Actions

Once inside, the attacker moves fast. Within the first hour they typically set up email forwarding rules to maintain visibility, search the mailbox for sensitive data (financial records, credentials, VPN configs), launch internal phishing campaigns from the compromised account (which are implicitly trusted by colleagues), register new MFA devices for persistence, and access connected cloud applications (SharePoint, OneDrive, Salesforce) using the stolen session. The median dwell time from initial phishing to data exfiltration is now under 4 hours — faster than most SOC teams can detect and respond.

Real-World Attack Pattern: The AiTM Session Hijack

Let's walk through a concrete example from a recent ShadowCore incident response engagement. A finance team member received an email appearing to come from their CEO, requesting an urgent review of a quarterly report. The email contained a link to what appeared to be a Microsoft SharePoint page. The domain was legitimate-looking and the SSL certificate was valid. After clicking, the user saw a standard Microsoft login page and entered their credentials plus MFA code.

Behind the scenes, an Evilginx proxy captured the session cookie in real time. Within 12 minutes, the attacker logged into the victim's Microsoft 365 account from an IP in a different country. They created inbox rules to hide security alerts, downloaded 2,400 emails from the finance shared mailbox, and sent internal phishing emails to three other executives — all within 47 minutes of the initial compromise. The attack was only detected when one of the targeted executives reported the internal phishing email as suspicious.

Why Legacy Defenses Fail

Most organizations rely on a combination of email security gateways, URL reputation filtering, and security awareness training. While these are necessary baseline controls, they are insufficient against modern phishing for several reasons.

Email gateways rely on known indicators (blocklisted domains, signature-based detection). Fresh phishing infrastructure with no prior reputation sails right through. Time-delayed weaponization means the URL is clean when the gateway scans it.

URL filtering is rendered ineffective when attackers host phishing pages on trusted domains (google.com, blob.core.windows.net, sharepoint.com). You can't block Microsoft's own infrastructure without breaking legitimate business workflows.

Security awareness training helps, but human error is not eliminable. Even well-trained employees click malicious links at a rate of 3-5% in simulations — and in real attacks with high-pressure pretexts ("your account will be suspended", "urgent wire transfer required"), the click rate is much higher. Training alone is not a control — it's a layer.

Building Layered Anti-Phishing Defenses

Effective phishing defense requires a defense-in-depth approach that addresses every stage of the attack chain. Here's what we recommend to our clients:

1. Deploy Phishing-Resistant MFA

This is the single highest-impact control you can implement. Replace SMS and push-based MFA with FIDO2/WebAuthn security keys (YubiKey, Titan Key) or platform authenticators (Windows Hello, Apple Passkeys). These methods are cryptographically bound to the legitimate domain — they literally cannot be phished because the browser verifies the origin. Start with high-value targets: executives, finance, IT admins, and anyone with elevated privileges.

2. Implement Conditional Access Policies

Even if credentials are stolen, conditional access can limit the blast radius. Enforce device compliance checks (only managed devices can access corporate resources), restrict access from anomalous locations or impossible travel scenarios, require re-authentication for sensitive actions (accessing admin portals, downloading bulk data), implement session lifetime limits to reduce the window of exploitation for stolen session tokens, and use token binding where available to tie authentication tokens to specific devices.

3. Enable Advanced Email Authentication

Ensure your domain has strict DMARC enforcement (p=reject), properly configured SPF records, and DKIM signing. This prevents attackers from spoofing your exact domain in phishing campaigns targeting your employees, partners, and customers. Monitor DMARC reports to catch unauthorized email sources. Many organizations have DMARC set to p=none (monitoring only) for years — move to enforcement.

4. Monitor for Post-Compromise Indicators

Assume phishing will sometimes succeed and build detection for post-compromise activity. Alert on new inbox rules (especially forwarding to external addresses), suspicious OAuth application consent grants, MFA method changes, impossible travel logins, mass file downloads from SharePoint or OneDrive, and new email transport rules at the organization level. These detections catch attackers during the exploitation phase — often before data is exfiltrated.

5. Run Realistic Phishing Simulations

Stop running generic "click this link to win a gift card" simulations. Your phishing exercises should mirror real attack TTPs: use lookalike domains, craft role-specific pretexts, include AiTM proxy components to test whether credentials would have been captured, test non-email channels (Teams, SMS), and measure not just click rates but also report rates. The goal isn't to trick employees — it's to train the organizational immune system and validate your detection capabilities.

6. Establish a Rapid Response Playbook

When phishing is reported (and it should be — make reporting easy and blame-free), your SOC needs to act fast. A good phishing response playbook includes: immediate session revocation for the affected account, forced password reset and MFA re-enrollment, inbox rule audit and removal of any attacker-created rules, review of recent email activity for signs of internal phishing, check for OAuth app consents and remove suspicious ones, notification to any recipients of emails sent from the compromised account, and a forensic timeline to determine the full scope of access. The entire process from report to containment should take under 30 minutes.

The NIS2 Angle: Phishing and Regulatory Compliance

For organizations operating under NIS2 (which now covers most medium and large enterprises in the EU), phishing resilience isn't optional. NIS2 Article 21 requires "policies and procedures regarding the use of cryptography and, where appropriate, encryption" and "human resources security, access control policies and asset management." A phishing incident that leads to unauthorized access to critical systems may trigger the 24-hour early warning notification requirement under Article 23. Organizations that cannot demonstrate adequate anti-phishing measures — including phishing-resistant authentication, employee training, and incident response capabilities — may face enforcement actions and fines of up to 10 million EUR or 2% of global turnover.

Quick-Win Checklist for CISOs

  • Audit current MFA methods — identify accounts still using SMS or push-only MFA
  • Deploy FIDO2 keys to all privileged accounts within 30 days
  • Verify DMARC is set to p=reject (not p=none)
  • Enable alerts for new inbox forwarding rules and OAuth consent grants
  • Implement conditional access with device compliance and location restrictions
  • Schedule a realistic phishing simulation (not a generic template) within the next quarter
  • Review and test your phishing incident response playbook — time the process from report to containment

How ShadowCore Can Help

Our Red Team runs full-scope phishing engagements that go beyond simple click-rate metrics. We deploy real AiTM infrastructure, test your email security stack, attempt lateral movement from compromised accounts, and provide a detailed report mapping findings to MITRE ATT&CK techniques. Our SOC-as-a-Service monitors for post-compromise indicators 24/7, and our GRC team can help you align your phishing defenses with NIS2, ISO 27001, and DORA requirements.

Phishing is not a problem you solve once. It's an ongoing adversarial challenge that requires continuous testing, detection tuning, and process improvement. The organizations that treat it as such are the ones that don't end up in the headlines.