A sophisticated credential-theft operation is deploying Cloudflare’s anti-bot technology to shield its own attacks from security scanners, revealing how far phishing-as-a-service has evolved.
Security analysts have long relied on automated scanners to map the phishing landscape: crawling suspicious domains, cataloging fake login pages, flagging credential-harvesting infrastructure before it ensnares victims. The assumption underlying this approach seemed reasonable: attackers build their sites for human targets, which means automated tools can observe the same malicious content humans would encounter.
That assumption is dissolving. A phishing kit called Tykit, documented in October 2025 by researchers at ANY.RUN, represents a new operational maturity in credential theft. The kit doesn’t simply impersonate Microsoft 365 login pages; it actively defends itself against the security tools designed to detect it. When automated scanners attempt to visit a Tykit phishing site, they encounter Cloudflare’s Turnstile CAPTCHA, the same anti-bot verification that legitimate websites use to filter out automated traffic. A scanner that does not pass the challenge never sees the credential form at all. The attackers have weaponized defensive infrastructure.
The kit first appeared in sandbox environments in May 2025, with activity peaking between September and October. ANY.RUN observed approximately 180 related samples across their analysis platform, all sharing nearly identical patterns: template-based infrastructure, identical attack scenarios, and consistent command-and-control endpoints. The targets span finance, construction, IT, government, and telecommunications sectors across North America, Europe, Latin America, Southeast Asia, and the Middle East. This isn’t opportunistic phishing. It’s industrialized credential harvesting.
SVG files as invisible attack vectors
The initial delivery mechanism reveals the operational sophistication at work. Tykit doesn’t rely on obvious malicious attachments; instead, it hides JavaScript payloads inside SVG files, a format that many email security gateways have historically treated as a benign image type. The technical implementation is simple: the SVG embeds obfuscated code that uses XOR encoding to reconstruct a redirect payload, then executes it via JavaScript’s eval() function to push victims toward the credential harvesting infrastructure. The detail that matters for defenders is how the file is opened. A browser runs the scripts inside an SVG only when the file is loaded directly as a document, for example when the recipient opens the attachment; an SVG rendered through an <img> element is drawn without executing any script. The lure therefore depends on the victim opening the file, not merely seeing it previewed.
Security researchers at Cloudflare have documented a broader surge in SVG-based phishing throughout 2025, noting that the format’s XML-based structure allows attackers to embed scripts and event handlers that execute when files are opened. Microsoft responded by blocking inline SVG images in Outlook in September 2025, a tacit acknowledgment of how effectively the technique bypasses traditional attachment filtering. For Tykit’s operators, the format offers ideal cover: files that look benign, render correctly as images, and carry weaponized code that security tools struggle to identify.
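To make the SVG technique concrete from the defender’s side, here is an added example (not Tykit’s code and not ANY.RUN’s tooling) of a static triage script for SVG attachments. It parses the file as XML, pulls out <script> bodies and on* event handlers, looks for the eval/XOR/String.fromCharCode pattern described above, and tries to recover an XOR-encoded payload by using the short string literals the script itself carries as candidate keys, falling back to every single-byte key. Both SVG inputs are constructed for the example; the redirect target and the key are invented placeholders.

```python
"""Static triage of an SVG attachment for embedded script and an XOR-obfuscated
redirect. Added example: not the kit's code and not any vendor's scanner; the
two SVG documents below are constructed to mimic the technique described."""
import re
import xml.etree.ElementTree as ET


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- constructed sample: draws a blue box, carries a self-decoding redirect ---
_REDIRECT = b"window.location.replace('https://trampoline.example/r');"  # placeholder target
_KEY = b"k7"                                                              # placeholder key
_HEX = _xor(_REDIRECT, _KEY).hex()

SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="200" height="100">
  <rect width="200" height="100" fill="#0078d4"/>
  <text x="20" y="55" fill="white">Invoice attached</text>
  <script type="text/javascript"><![CDATA[
    var h="{_HEX}",k="k7",o="";
    for(var i=0;i<h.length;i+=2){{o+=String.fromCharCode(parseInt(h.substr(i,2),16)^k.charCodeAt((i/2)%k.length));}}
    eval(o);
  ]]></script>
</svg>"""

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="200" height="100">
  <rect width="200" height="100" fill="#0078d4"/>
  <text x="20" y="55" fill="white">Invoice attached</text>
</svg>"""

INDICATORS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"String\.fromCharCode"), "String.fromCharCode"),
    (re.compile(r"\^\s*\w"), "XOR operator"),
    (re.compile(r"\batob\s*\("), "atob()"),
    (re.compile(r"location\.(?:replace|assign|href)"), "location redirect"),
]
HEX_BLOB = re.compile(r"[0-9a-fA-F]{40,}")
URL = re.compile(rb"https?://[\w.\-/]+")
STRING_LITERAL = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg}."""
    return name.rsplit("}", 1)[-1]


def extract_active_content(svg_text: str):
    """Return (script bodies, event-handler and javascript: attribute values)."""
    scripts, handlers = [], []
    for el in ET.fromstring(svg_text).iter():
        if _local(el.tag).lower() == "script" and el.text:
            scripts.append(el.text)
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on") or (name == "href" and value.strip().lower().startswith("javascript:")):
                handlers.append(value)
    return scripts, handlers


def recover_xor_payloads(script: str):
    """Decode long hex blobs with every short string literal in the script (a
    self-decoding payload has to ship its key) and with every single-byte key;
    keep decodings that are printable ASCII and contain a URL or a redirect."""
    literals = {a or b for a, b in STRING_LITERAL.findall(script)}
    keys = [lit.encode() for lit in literals if 1 <= len(lit) <= 8] + [bytes([k]) for k in range(256)]
    found = set()
    for blob in HEX_BLOB.findall(script):
        data = bytes.fromhex(blob[: len(blob) // 2 * 2])
        for key in keys:
            plain = _xor(data, key)
            if plain.isascii() and plain.decode().isprintable() and (URL.search(plain) or b"location" in plain):
                found.add(plain.decode())
    return sorted(found)


def analyze_svg(svg_text: str) -> dict:
    scripts, handlers = extract_active_content(svg_text)
    recovered = [p for s in scripts for p in recover_xor_payloads(s)]
    corpus = "\n".join(scripts + handlers + recovered)
    indicators = [name for rx, name in INDICATORS if rx.search(corpus)]
    if recovered or {"eval()", "XOR operator"} <= set(indicators):
        verdict = "malicious"
    elif scripts or handlers:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"script_count": len(scripts), "handler_count": len(handlers),
            "indicators": indicators, "recovered": recovered, "verdict": verdict}


if __name__ == "__main__":
    for label, svg in (("sample", SAMPLE_SVG), ("benign", BENIGN_SVG)):
        print(label, analyze_svg(svg))
```

Run stand-alone, the constructed sample comes back as malicious with the decoded redirect recovered, and the script-free SVG comes back clean. The literal-as-key trick works because a payload that decodes itself in the browser must carry its key; what it cannot recover is a stage fetched at runtime, which is why the verdict also falls back to the eval-plus-XOR combination alone.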
When attackers deploy enterprise security tools
The most consequential innovation in Tykit isn’t the phishing page itself; it’s the gate that precedes it. Before victims reach the credential-harvesting form, the attack chain routes through a trampoline redirect and presents Cloudflare’s Turnstile widget. Turnstile is designed to distinguish human visitors from automated systems, and it can do so without any visible interaction: it runs checks against the browser environment and issues a token that the site verifies before serving the protected content. A headless crawler or a curl-style fetcher fails those checks and is never handed the next page. Legitimate websites deploy it to keep bots out. Tykit deploys it to keep security researchers out.
The implications for brand protection are significant. Organizations that rely on automated scanning to detect phishing sites impersonating their brands may find their tools stopped at the front door, recording a harmless-looking challenge page while credential theft proceeds behind the CAPTCHA. This pattern of weaponizing trust signals extends beyond CAPTCHAs to include valid TLS certificates, professional design, and other markers that once distinguished legitimate sites from fraudulent ones. The kit also includes anti-debugging measures that intercept the keyboard shortcuts used to open browser developer tools, a clear indication that the operators anticipate analysis and have designed countermeasures accordingly. Those measures only deter casual inspection: a script that swallows F12 cannot stop an analyst who captures the response through an intercepting proxy, opens developer tools before navigating to the page, or simply saves the HTML.
This represents a tactical inversion that defenders must reckon with: the same technologies enterprises deploy to protect their own infrastructure are now shielding attackers. Security tools that worked reliably for years are increasingly blind to threats that have learned to weaponize trust signals.
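A scanner that records a Turnstile challenge page as “nothing malicious here” has been deceived in exactly the way described above. The following added example (not the kit’s code and not any vendor’s scanner) classifies what a fetch actually returned: the credential form, a Turnstile gate, or neither, and separately records the developer-tools blocking patterns so they can be kept as evidence of evasion. The Turnstile markers are the public ones from Cloudflare’s integration (the api.js URL, the cf-turnstile container class and the cf-turnstile-response field); the HTML snippets are constructed, and the anti-debug regexes are generic patterns, not the kit’s own code.

```python
"""Classify what a brand-protection scanner actually received from a URL.
Added example, not Tykit's code or any vendor's scanner. Turnstile markers are
the public ones from Cloudflare's integration; the HTML snippets below are
constructed, and the anti-debug patterns are generic, not the kit's."""
import re

TURNSTILE_MARKERS = [
    re.compile(r"challenges\.cloudflare\.com/turnstile/v0/api\.js"),
    re.compile(r"class=[\"'][^\"']*\bcf-turnstile\b"),
    re.compile(r"name=[\"']cf-turnstile-response[\"']"),
]
ANTI_DEBUG = [
    (re.compile(r"keyCode\s*===?\s*123|key\s*===?\s*[\"']F12[\"']"), "blocks F12"),
    (re.compile(r"ctrlKey\s*&&\s*\w+\.shiftKey\s*&&.*?[\"'][IJCijc][\"']", re.S), "blocks Ctrl+Shift+I/J/C"),
    (re.compile(r"[\"']contextmenu[\"'][^;]*preventDefault", re.S), "disables right-click"),
    (re.compile(r"\bdebugger\b"), "debugger trap"),
]
PASSWORD_FIELD = re.compile(r"<input[^>]+type=[\"']password[\"']", re.I)

# --- constructed fetch results ---------------------------------------------
GATE_HTML = """<!doctype html><html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<script>
document.addEventListener('keydown', function(e){
  if (e.keyCode === 123 || (e.ctrlKey && e.shiftKey && (e.key === 'I' || e.key === 'J' || e.key === 'C'))) {
    e.preventDefault(); return false;
  }
});
document.addEventListener('contextmenu', function(e){ e.preventDefault(); });
</script></head><body>
<form method="post" action="/verify">
  <div class="cf-turnstile" data-sitekey="SITEKEY_PLACEHOLDER"></div>
  <input type="hidden" name="cf-turnstile-response" value="">
</form></body></html>"""

FORM_HTML = """<!doctype html><html><body>
<form method="post" action="/login">
  <input type="email" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form></body></html>"""

BENIGN_HTML = """<!doctype html><html><body><h1>Quarterly report</h1><p>Nothing to see.</p></body></html>"""


def classify_response(html: str) -> dict:
    """One fetch -> state plus the evasion evidence found in it."""
    turnstile = any(rx.search(html) for rx in TURNSTILE_MARKERS)
    antidebug = [label for rx, label in ANTI_DEBUG if rx.search(html)]
    has_form = bool(PASSWORD_FIELD.search(html))
    if has_form:
        state = "credential_form"
    elif turnstile:
        state = "gated"          # stopped at the door: this is NOT evidence of a clean site
    else:
        state = "other"
    return {"state": state, "turnstile": turnstile, "antidebug": antidebug,
            "follow_up": "browser_or_analyst" if state == "gated" else None}


def summarize(fetches: dict) -> dict:
    """Count states across a batch so 'gated' is reported apart from 'other'."""
    counts = {}
    for html in fetches.values():
        state = classify_response(html)["state"]
        counts[state] = counts.get(state, 0) + 1
    return counts


if __name__ == "__main__":
    for name, html in (("gate", GATE_HTML), ("form", FORM_HTML), ("benign", BENIGN_HTML)):
        print(name, classify_response(html))
```

The design point is the third state. A pipeline with only “phish found” and “nothing found” silently converts every gated fetch into a false negative; keeping “gated” as its own outcome, with a hand-off to a real browser or an analyst, is what makes the blind spot visible in the metrics.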
The architecture of distributed credential theft
Tykit’s infrastructure reflects the operational maturity of modern phishing-as-a-service platforms. The phishing pages themselves are hosted on templated domains with names that appear algorithmically generated, patterns like loginmicr0sft0nline followed by random strings ending in .cc. Stolen credentials, however, flow to entirely separate command-and-control servers, typically using domains containing “segy” in their naming patterns. This separation of concerns complicates takedown efforts: eliminating a phishing page leaves the C2 infrastructure intact, allowing operators to spin up replacement front-ends with minimal disruption. The corollary for defenders is to pivot from a reported phishing domain to the endpoint its form posts credentials to; the collection tier changes less often than the disposable front-ends and is the more durable indicator.
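An added example (not Tykit’s code and not ANY.RUN’s tooling) of how a brand-protection pipeline can score the naming pattern described above instead of matching exact blocklist entries: it maps leet digits back to letters, runs a fuzzy (edit-distance 1) search for the brand inside each label, checks whether the tail looks random, weights the TLD, and records the “segy” token as a pivot rather than a verdict. The brand list, allowlist, TLD list and weights are assumptions; the sample hostnames are constructed to follow the described pattern and are not the observed domains.

```python
"""Score a hostname for the impersonation pattern the article describes.
Added example: not the kit's code or ANY.RUN's tooling. Brand list, allowlist,
TLD list and weights are assumptions; sample hostnames are constructed."""

HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})
BRANDS = ("microsoftonline", "microsoft", "outlook")           # assumption: brands we protect
ALLOWLIST = {"microsoft.com", "microsoftonline.com", "live.com", "office.com", "outlook.com"}
SUSPECT_TLDS = {"cc"}          # from the article; extend from your own telemetry
C2_TOKENS = ("segy",)          # naming token the article ties to Tykit C2 domains


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_find(text: str, needle: str, max_dist: int = 1):
    """Return the window of `text` within `max_dist` edits of `needle`, or None.
    Windows one character shorter/longer than the needle catch dropped or
    inserted letters such as 'microsft'."""
    n = len(needle)
    for length in (n, n - 1, n + 1):
        for i in range(max(1, len(text) - length + 1)):
            window = text[i:i + length]
            if levenshtein(window, needle) <= max_dist:
                return window
    return None


def looks_random(s: str) -> bool:
    """Crude randomness test for a label tail: few vowels or digits mixed in."""
    if len(s) < 5:
        return False
    vowels = sum(ch in "aeiou" for ch in s)
    return vowels / len(s) < 0.3 or any(ch.isdigit() for ch in s)


def score_domain(domain: str) -> dict:
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    registrable = ".".join(labels[-2:])   # simplification: ignores multi-part suffixes like co.uk
    if registrable in ALLOWLIST:
        return {"domain": domain, "score": 0, "flagged": False, "reasons": ["allowlisted"]}
    score, reasons = 0, []
    for label in labels[:-1]:
        norm = label.translate(HOMOGLYPHS)
        if norm != label:
            score += 1
            reasons.append(f"homoglyph_digits:{label}")
        for brand in BRANDS:
            hit = fuzzy_find(norm, brand)
            if hit:
                score += 3
                reasons.append(f"brand_lookalike:{hit}~{brand}")
                tail = norm.split(hit, 1)[1]
                if looks_random(tail):
                    score += 1
                    reasons.append(f"random_tail:{tail}")
                break
        for token in C2_TOKENS:
            if token in label:
                # A naming token alone is weak evidence (SEG-Y is also a seismic
                # file format); it is a pivot to correlate with POST targets seen
                # in phishing forms, not a verdict on its own.
                score += 2
                reasons.append(f"tykit_c2_naming:{token}")
    if labels[-1] in SUSPECT_TLDS:
        score += 1
        reasons.append(f"suspect_tld:{labels[-1]}")
    return {"domain": domain, "score": score, "flagged": score >= 3, "reasons": reasons}


if __name__ == "__main__":
    for d in ("loginmicr0sft0nline7hq2zk.cc", "login.microsoftonline.com",
              "login.microsoftonline.com.evil.example", "segy-relay.example", "mail.example.org"):
        print(score_domain(d))
```

The fuzzy window is what catches the page’s own example: leet normalisation turns loginmicr0sft0nline into loginmicrsftonline, which no exact match finds, but microsftonline sits one edit from microsoftonline. The allowlist is checked on the registrable domain, so a lookalike that merely prefixes the real hostname (login.microsoftonline.com.evil.example) is still scored on its labels.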
The kit also implements adversary-in-the-middle capabilities designed to bypass multi-factor authentication. When victims enter credentials on the fake Microsoft 365 page, the system validates them in real time against the legitimate Microsoft infrastructure. If MFA is required, the phishing page requests the one-time code, passes it through to Microsoft, and captures the resulting authenticated session token, which the operator can replay from their own machine until it expires or is revoked. Any factor the victim can type or approve is relayable this way, one-time codes and push approvals alike; only factors cryptographically bound to the origin the browser is actually visiting, such as FIDO2 security keys and passkeys, fail to verify when relayed through a look-alike domain. For organizations that consider MFA their ultimate backstop against credential compromise, the technique represents a sobering escalation. As we’ve documented in our analysis of fraud-as-a-service ecosystems, these capabilities are now packaged and sold as turnkey solutions.
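The relay described above, as an added model rather than Tykit’s code: a toy identity provider, a victim and a proxy sitting between them. The OTP is an HOTP-style code over a counter, the authenticator “signature” is an HMAC standing in for a real public-key assertion, and both origins are hypothetical. The model shows the two outcomes a practitioner should expect: a relayed one-time code hands the attacker a valid session, while an assertion bound to the browser’s origin does not verify when it arrives from the phishing origin, whether the proxy forwards that origin honestly or lies about it.

```python
"""Toy model of the adversary-in-the-middle relay described above.
Added example, not the kit's code. The IdP, victim and proxy are models; the
OTP is HOTP-style, the authenticator assertion is an HMAC stand-in for a
real public-key signature, and both origins are hypothetical."""
import hashlib
import hmac
import secrets

IDP_ORIGIN = "https://login.idp.example"                    # hypothetical legitimate IdP
PHISH_ORIGIN = "https://loginmicr0sft0nline-relay.example"  # hypothetical kit front-end


def hotp(secret: bytes, counter: int) -> str:
    """HOTP-style 6-digit code (RFC 4226 truncation simplified)."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def assertion(key: bytes, challenge: str, origin: str) -> str:
    """Stand-in for an origin-bound authenticator assertion: the origin the
    browser is on is part of the signed data, so the result cannot be reused
    for a different origin."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self):
        self.password = "correct horse battery staple"
        self.otp_secret = secrets.token_bytes(20)
        self.authenticator_key = secrets.token_bytes(32)   # toy stand-in for the enrolled public key
        self.sessions = set()

    def login_with_otp(self, password, otp, counter):
        if password != self.password or not hmac.compare_digest(otp, hotp(self.otp_secret, counter)):
            return None
        return self._issue_session()

    def new_challenge(self):
        return secrets.token_hex(16)

    def login_with_assertion(self, challenge, claimed_origin, signature):
        # Both checks matter: the origin must be ours, and the signature must
        # have been computed over that same origin.
        if claimed_origin != IDP_ORIGIN:
            return None
        expected = assertion(self.authenticator_key, challenge, IDP_ORIGIN)
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue_session()

    def _issue_session(self):
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def session_valid(self, token):
        return token in self.sessions


class Victim:
    """Holds what the IdP enrolled: a password, an OTP app, and a device-bound
    authenticator that signs whatever origin the browser is actually on."""
    def __init__(self, idp):
        self.password = idp.password
        self.otp_secret = idp.otp_secret
        self.authenticator_key = idp.authenticator_key


class AitMProxy:
    """The kit's role as described: forward what the victim provides to the
    real IdP in real time and keep the session that comes back."""
    def __init__(self, idp):
        self.idp = idp
        self.captured_session = None

    def relay_password_and_otp(self, victim, counter):
        password = victim.password                    # typed into the fake login form
        otp = hotp(victim.otp_secret, counter)        # typed into the fake MFA prompt
        self.captured_session = self.idp.login_with_otp(password, otp, counter)
        return self.captured_session is not None

    def relay_origin_bound_assertion(self, victim):
        challenge = self.idp.new_challenge()          # proxy fetches a genuine challenge
        # The victim's browser is at PHISH_ORIGIN, so the authenticator binds
        # the assertion to that origin; the proxy cannot alter what was signed.
        sig = assertion(victim.authenticator_key, challenge, PHISH_ORIGIN)
        for claimed in (PHISH_ORIGIN, IDP_ORIGIN):    # forward honestly, then lie
            self.captured_session = self.idp.login_with_assertion(challenge, claimed, sig)
            if self.captured_session:
                return True
        return False


def otp_relay_succeeds(counter: int = 42) -> bool:
    idp = IdentityProvider()
    proxy = AitMProxy(idp)
    proxy.relay_password_and_otp(Victim(idp), counter)
    return bool(proxy.captured_session) and idp.session_valid(proxy.captured_session)


def origin_bound_relay_succeeds() -> bool:
    idp = IdentityProvider()
    return AitMProxy(idp).relay_origin_bound_assertion(Victim(idp))


if __name__ == "__main__":
    print("OTP relay gives the attacker a session:", otp_relay_succeeds())
    print("Origin-bound relay gives the attacker a session:", origin_bound_relay_succeeds())
```

Nothing in the OTP path is wrong with the victim’s behaviour: the code is correct and fresh, it is simply entered on the wrong site, and the proxy forwards it faster than it expires. The origin check is what breaks the second path, which is why “phishing-resistant MFA” means origin binding, not a stronger second factor.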
What the Tykit pattern signals for defenders
The economics of credential phishing have shifted decisively in attackers’ favor. A kit like Tykit lowers the barrier to entry for launching sophisticated, globally targeted campaigns. The operator doesn’t need to understand the technical implementation; they need only subscribe to the service, configure their target brands, and distribute phishing lures. The infrastructure handles evasion, credential validation, MFA bypass, and data exfiltration automatically.
For security teams, the pattern demands a rethinking of detection approaches. Static domain blocklists offer diminishing value when domain names are generated algorithmically and churned continuously. Automated scanning loses effectiveness when phishing pages deploy bot-filtering technology. Brand protection that waits for threats to go live and hit victims arrives too late when attack infrastructure can be operational within hours and credentials exfiltrated within minutes. The 9-hour detection gap that characterizes legacy security tools becomes an insurmountable disadvantage against infrastructure designed for speed.
The companies being impersonated—Microsoft, in Tykit’s case, but the pattern applies broadly—face a compounding problem. Every successful credential theft erodes trust in the brand being spoofed, even when the brand itself had no vulnerability. The external attack surface extends beyond the perimeter into a landscape that traditional security architectures weren’t designed to monitor.
The Bottom Line
Tykit isn’t an anomaly; it’s a signal. The kit demonstrates that phishing operations have matured into professional services with operational security practices, infrastructure resilience, and evasion techniques that rival legitimate software development. The use of Cloudflare Turnstile as a defensive measure marks a threshold: attackers are no longer simply impersonating brands, they’re deploying the same enterprise tools organizations use to protect themselves.
The question for defenders isn’t whether to adapt, but how quickly. Detection approaches built for a simpler threat landscape will continue to degrade as phishing kits incorporate more sophisticated evasion. The organizations that maintain visibility into this shifting terrain will be those that invest in understanding not just what attackers are targeting, but how they’re building the infrastructure to reach those targets.
Key Takeaways
Tykit is a phishing-as-a-service kit that targets Microsoft 365 credentials using SVG file delivery, anti-bot CAPTCHA protection, and adversary-in-the-middle MFA bypass. It represents the operational maturity of modern credential theft, with infrastructure designed specifically to evade security scanners and brand protection tools.
The kit deploys Cloudflare’s Turnstile CAPTCHA to filter out automated security scanners, ensuring only human victims reach the phishing page. It also uses obfuscated JavaScript hidden in SVG files, algorithmically generated domain names, and anti-debugging measures that block developer tools.
Tykit has targeted organizations across finance, construction, IT, professional services, government, and telecommunications in the United States, Canada, Latin America, Europe, Southeast Asia, and the Middle East. The breadth of targeting indicates a commercial phishing-as-a-service model rather than targeted attacks against specific organizations.
Tykit includes adversary-in-the-middle capabilities that intercept MFA codes in real time. When victims enter one-time passwords on the phishing page, the kit passes them to the legitimate Microsoft service and captures the resulting session token. MFA provides meaningful protection but is not an absolute defense against sophisticated phishing operations.
Organizations relying solely on automated scanning to detect brand impersonation may miss phishing sites that deploy bot-filtering technology. Effective brand protection now requires approaches that can analyze page behavior and structure rather than simply crawling domains, combined with rapid response capabilities that can disrupt attack infrastructure before credentials are harvested.