"domains and tracking associated activity as it has evolved. our security team has worked with hosting providers and registrars to pursue takedowns of malicious lookalike sites. as noted in this report, phishing infrastructure frequently rotates, and monitoring and disruption effo…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1566.002Spearphishing Link
85%
"we observed a similar lure being used purporting to be watchtower claiming that the user ' s login credentials needed to be updated. evolution of the 1phish kit analysis of captured dom snapshots between september 2025 and february 2026 reveals deliberate iteration across four di…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1566.002Spearphishing Link
74%
"rather than simple template reuse. each version builds upon the previous one, introducing controls designed to increase conversion rates, reduce automated analysis, and support secondary authentication harvesting. while we have not observed new lure themes associated with the mos…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1566.002Spearphishing Link
73%
"hook, line, and vault : a technical deep dive into the 1phish kit key points and observations - the 1phish kit evolved between september 2025 and february 2026 from a basic credential harvester into an mfa - aware, multi - stage phishing kit targeting 1password users. - we have n…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
"rather than simple template reuse. each version builds upon the previous one, introducing controls designed to increase conversion rates, reduce automated analysis, and support secondary authentication harvesting. while we have not observed new lure themes associated with the mos…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
"shows how phishing kits targeting password managers are maturing. what began in september 2025 as a basic credential harvester evolved into an mfa - aware workflow, and in v4 has become a structured, api - driven phishing application with active bot filtering and staged credentia…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
"hook, line, and vault : a technical deep dive into the 1phish kit key points and observations - the 1phish kit evolved between september 2025 and february 2026 from a basic credential harvester into an mfa - aware, multi - stage phishing kit targeting 1password users. - we have n…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1111Multi-Factor Authentication Interception
54%
"hook, line, and vault : a technical deep dive into the 1phish kit key points and observations - the 1phish kit evolved between september 2025 and february 2026 from a basic credential harvester into an mfa - aware, multi - stage phishing kit targeting 1password users. - we have n…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1111Multi-Factor Authentication Interception
48%
"domains and tracking associated activity as it has evolved. our security team has worked with hosting providers and registrars to pursue takedowns of malicious lookalike sites. as noted in this report, phishing infrastructure frequently rotates, and monitoring and disruption effo…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1556.006Multi-Factor Authentication
35%
"rather than simple template reuse. each version builds upon the previous one, introducing controls designed to increase conversion rates, reduce automated analysis, and support secondary authentication harvesting. while we have not observed new lure themes associated with the mos…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1566.002Spearphishing Link
33%
"shows how phishing kits targeting password managers are maturing. what began in september 2025 as a basic credential harvester evolved into an mfa - aware workflow, and in v4 has become a structured, api - driven phishing application with active bot filtering and staged credentia…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1111Multi-Factor Authentication Interception
32%
"shows how phishing kits targeting password managers are maturing. what began in september 2025 as a basic credential harvester evolved into an mfa - aware workflow, and in v4 has become a structured, api - driven phishing application with active bot filtering and staged credentia…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
Summary
We analyze the evolution of the 1Phish phishing kit from a basic credential harvester into an MFA-aware, multi-stage phishing kit targeting 1Password users.