Phishing

What is phishing?

Phishing is a social-engineering attack in which an attacker poses as a trusted entity to extract credentials or other authentication data, or to induce a harmful action. Today’s phishing increasingly targets the post-login session via adversary-in-the-middle (AitM) techniques, intercepting the session cookie and sidestepping MFA.

The modern phishing landscape

Phishing in 2025–2026 is defined by scale and a shift to the session layer. SpyCloud recaptured 28.6 million phished identity records in 2025 – a 400% year-over-year increase – with nearly half (49%) belonging to corporate users.

The driver is AitM phishing delivered through phishing-as-a-service kits: the victim clicks a link, is proxied to the real site, logs in and completes MFA normally, and the proxy quietly captures the resulting session cookie before it reaches the browser. No visible sign of compromise, and MFA never helped.

How do I check which of my company’s credentials were captured by phishing?

Run Check Your Exposure to see whether credentials and session tokens tied to your domain have been captured by phishing and exposed in the criminal underground. Modern phishing kits also capture session cookies and MFA tokens, so a password reset alone may not remediate the exposure.


Phishing captures are inputs, not endpoints

A successful phish is the start of something, which is why awareness training alone can’t carry the program:

  • Phished credentials feed credential stuffing and targeted account takeover.
  • Phished data gets bundled into leaked-credential combolists.
  • AitM-captured cookies sell to access brokers who turn them into ransomware footholds.

Add exposure monitoring. SpyCloud recaptures phished credentials and cookies from criminal channels – often within hours, before buyers act – and remediates the confirmed-affected identities via Phishing Exposure Remediation.

Types of phishing: email, spear, smishing, vishing, and AitM

Phishing spans several delivery methods, increasingly converging on session theft:

  • Bulk email phishing – high-volume, generic lures cast wide.
  • Spear phishing – targeted messages personalized with researched detail about a specific victim.
  • Smishing and vishing – the same social engineering over SMS and voice, where there’s no URL to inspect.
  • AitM phishing – the modern endpoint of all of them: a proxy that captures the post-login session cookie and bypasses MFA regardless of how the lure arrived.

Frequently Asked Questions

Phishing has moved from credential capture to session capture. AitM phishing proxies intercept the authenticated session cookie issued after the victim completes a legitimate login, including MFA. The victim sees the real app while the attacker holds a valid post-authentication session. PhaaS kits have made this accessible at scale, contributing to the 400% surge in 2025.

Per SpyCloud’s 2026 report, nearly half (49%) of the 28.6 million phished records recaptured in 2025 belonged to corporate users – disproportionate to their share of internet users, because corporate credentials and sessions unlock enterprise applications, financial systems, and infrastructure.

Standard phishing captures the password a user types; MFA often stops the attacker. AitM uses a reverse proxy relaying real traffic to the legitimate service, letting the user complete MFA while the proxy captures the resulting session cookie – an artifact that has already passed every authentication control.
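The proxy flow described here and in the landscape section above leaves one defender-visible footprint: a cookie minted for the victim's browser starts being used from a different client shortly after login. This added example (not SpyCloud's code, and the key=value log format is assumed) runs that check over a constructed log and names the sessions to revoke.

```python
"""Flag AitM-style session-cookie replay in a constructed auth log."""
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: timestamp, event kind
# ("issued" when the cookie is minted after a login that passed MFA, "used"
# on later requests), session id, user, client IP, user agent. Session ab12
# is minted from the victim's browser, then replayed from another host.
SAMPLE_LOG = [
    "2025-03-04T09:00:00Z issued sid=ab12 user=jdoe ip=203.0.113.10 ua=Firefox/125",
    "2025-03-04T09:00:30Z used sid=ab12 user=jdoe ip=203.0.113.10 ua=Firefox/125",
    "2025-03-04T09:07:00Z used sid=ab12 user=jdoe ip=198.51.100.7 ua=python-requests/2.31",
    "2025-03-04T10:00:00Z issued sid=cd34 user=asmith ip=192.0.2.44 ua=Chrome/123",
    "2025-03-04T10:30:00Z used sid=cd34 user=asmith ip=192.0.2.44 ua=Chrome/123",
]

def parse(line):
    """Split one log line into a dict (assumed key=value log format)."""
    ts, kind, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["kind"] = kind
    return rec

def find_replayed_sessions(lines, window=timedelta(hours=1)):
    """Return {sid: reason} for cookies used from a client other than the
    one they were issued to, within `window` of issuance.

    A password reset does not close these: the cookie already passed every
    authentication control, so the response is to revoke the session."""
    issued, hits = {}, {}
    for rec in map(parse, lines):
        sid = rec["sid"]
        if rec["kind"] == "issued":
            issued[sid] = rec
            continue
        origin = issued.get(sid)
        if origin is None or sid in hits:
            continue
        moved = rec["ip"] != origin["ip"] or rec["ua"] != origin["ua"]
        if moved and rec["ts"] - origin["ts"] <= window:
            hits[sid] = (f"user={rec['user']}: cookie issued to {origin['ip']} "
                         f"({origin['ua']}) used from {rec['ip']} ({rec['ua']})")
    return hits

if __name__ == "__main__":
    for sid, why in find_replayed_sessions(SAMPLE_LOG).items():
        print("suspected session replay", sid, why)
```

Production rules key on ASN, device fingerprint or token binding rather than raw IP and user agent, since mobile clients change address legitimately; the one-hour window is a tuning knob, not a rule.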