
Preparing users for the newest wave of AI-powered phishing


In this article:

  • AI and automation have made phishing dramatically more effective, from 'vibe phishing' that clones login pages perfectly to phishing-as-a-service platforms that defeat traditional MFA, capture credentials and session cookies, and lower the barrier for widespread, sophisticated attacks.
  • User training and legacy MFA are no longer sufficient defenses: Everyone eventually falls for high-pressure, realistic scams, and MFA methods based on one-time codes or push notifications can be bypassed or abused.
  • The only reliable solution is phishing-resistant, WebAuthn-based authentication, including passkeys, hardware security keys, or enterprise tools like Okta FastPass, combined with reducing password use.

Phishing scams are now so skillful that only phishing-resistant forms of multi-factor authentication (MFA) offer a reliable defense. The situation is getting worse as attackers use AI tools not only to write phishing emails, but to "vibe phish" pixel-perfect replicas of legitimate login pages.

All the user training in the world can't thwart these attacks because everyone, even the most highly aware security researcher, falls for phishing scams eventually. The best solution is not a human one, but a technical one.

"Organizations can no longer rely on teaching users how to identify suspicious phishing sites based on imperfect imitation of legitimate services," wrote Houssem Eddine Bordjiba, an Okta Senior Identity Threat Research Engineer, and Paula De la Hoz, an Okta Cyber Threat Researcher, in a recent blog post. "The only reliable defense is to cryptographically bind a user's authenticator to the legitimate site they enrolled in."

To get that level of protection, users need WebAuthn-based, phishing-resistant authentication: passkeys bound to their laptops or smartphones, password managers that store and present passkeys, or USB or near-field-communication (NFC) hardware keys such as YubiKeys.

"We can't ask a normal person to be like, 'Hey, get a YubiKey,' but your password manager probably supports WebAuthn," says Mat Woodyard, Director of Threat Intelligence at Okta. "Your device probably has biometrics [to confirm identity], so you could always use something built into iOS or Android to use something phishing-resistant for you."

In workplaces, phishing-resistant enterprise solutions like Okta FastPass are ideal. USB and NFC keys also work in the enterprise, although they'll need to be bought in bulk.

"As generative AI tools become more powerful and accessible," write Bordjiba and De la Hoz, "organizations and their security teams must adapt to the reality of AI-driven social engineering and credential harvesting attacks."

MFA meltdowns

In September 2025, Bordjiba chronicled the discovery of a phishing-as-a-service (PhaaS) framework that Okta calls VoidProxy.

Using a reverse proxy server, VoidProxy performs adversary-in-the-middle (AitM) attacks on the sign-in process: the victim's browser talks to the attacker's server, which relays every request and response to and from the real site. That defeats any form of MFA based on one-time passcodes (OTPs), whether time-based codes (TOTPs) generated by an authenticator app or codes sent by text message, as well as knowledge challenges like "What was your mother's maiden name?" It relays single-sign-on (SSO) flows of the sort provided by Okta and others just as easily, because the proxy simply passes along whatever the real identity provider sends.

The attack starts by sending phishing emails from hijacked accounts on Constant Contact, Postmarkapp, and other commercial email service providers. Anyone who clicks on the shortened URLs embedded in the messages will be redirected several times before landing on a phishing page that looks like Google, Microsoft, Okta or other widely used online portals.

The login pages are fake, but the credentials typed into the pages are relayed to the real service, which grants entry and issues a session cookie.

The next thing users will see is the actual front page of the service they've just logged into. But the credentials and MFA one-time passcodes they typed in will have been captured by the crooks. So will the session cookies issued by the login servers to keep users logged in.

VoidProxy isn't some exotic tool that only the most elite cybercriminals have access to. It's sold as a service that any wannabe online crook with a couple of bucks (or rubles) can use.

"By offering this sophisticated PhaaS, VoidProxy lowers the technical barrier for a wide range of threat actors to execute AitM phishing attacks," Bordjiba wrote. "Accounts compromised using PhaaS platforms facilitate numerous malicious activities such as Business Email Compromise (BEC), financial fraud, data exfiltration and lateral movement within victim networks."

There's a silver lining, he added: "In all attacks we observed, users enrolled in phishing-resistant authenticators (in this case, Okta FastPass) were unable to share credentials or sign-in via VoidProxy infrastructure, and were warned that their account was under attack."

Perfect phishing pages

In June 2025, Bordjiba and De la Hoz reported on how attackers were abusing Vercel V0, a freemium AI coding tool available online, to create impeccable clones of the log-in pages of widely used online services. Their report includes a video of V0 being used to clone Okta's sign-in portal.

In the clip, an unseen user types, "Build a copy of the website login.okta.com," into the prompt field. The AI takes a moment to examine the Okta login page, summarizes its basic features, then quickly replicates them in HTML and JavaScript. At the end, the AI presents a flawless working clone of the Okta login page. The entire process takes about 45 seconds.

This is "a new evolution in the weaponization of Generative AI by threat actors," Bordjiba and De la Hoz say, as it can "generate a functional phishing site from simple text prompts."

Woodyard points out that due to this kind of AI assistance, you no longer need any coding expertise to create fully functioning, error-free phishing sites. He calls it "vibe phishing."

"You can use one prompt and then have your whole phishing infrastructure pretty much deployed almost immediately. It's very cool," he tells us. "The probability of seeing a targeted phishing campaign against your industry or your company has gone up quite a lot, and attackers are adapting tactics very, very quickly."

Bordjiba and De la Hoz's report noted that Vercel blocked access to the phishing sites and rooted out the "phishing page resources, including impersonated company logos, [that] were also hosted on Vercel's infrastructure."

But the horse had already left the barn, so to speak. The report's authors found several public GitHub repositories hosting clones of the V0 application, and others with do-it-yourself instructions for building similar tools. We can expect to see much more AI-assisted phishing.

"This open-source proliferation effectively democratizes advanced phishing capabilities, providing the tools for adversaries to create their own phishing infrastructure," Bordjiba and De la Hoz wrote. "Okta Threat Intelligence also observed threat actors abusing the Vercel platform to host multiple phishing sites impersonating legitimate brands, including Microsoft 365 and cryptocurrency companies."

Creating flawless replicas of login pages is only part of a phisher's job. Capturing MFA codes and session cookies is more complicated, which is where something like VoidProxy comes into play.

There are less-exciting aspects of setting up phishing campaigns, such as collecting information on high-value targets, sending out emails en masse, or creating short-lived URLs to host the cloned login pages.

We asked Okta's Mat Woodyard whether V0 or other AI coding tools could help with those. Surprisingly, he told us AI might not make much difference because the back-end work is already so cheap and easy.

"It's very click-button, the deployment of phishing infrastructure," Woodyard says. "Obviously, AI does help this, but what we've seen is that a lot of these components will still be done independently. ... You don't need to reinvent the wheel if you can just buy a large dossier on somebody for next to nothing."

Highly targeted spear phishing does get a speed boost from AI, he says, as it can quickly churn out messages tailored to specific individuals that use open-source intelligence like information from a LinkedIn page.

"[AI] certainly lowers the bar to entry," Woodyard said. "You used to have to think about it and write it, and now you just get spear-phishing slop."

How to escape phishing's hook, line and sinker

To be fair, a push notification sent to a smartphone during sign-in is never typed into the phishing page, so VoidProxy and similar one-time-code catchers have no code to capture.

But push users are still exposed to "push bombing," in which attackers bombard the target with login-approval requests until the user taps "Yes" out of exasperation. More to the point, an AitM proxy does not need the second factor at all: once the user approves the push, the real service issues its session cookie to the browser through the proxy, and the proxy keeps a copy. Whatever factor approved the login, the session is stolen.

Only authenticators that use the WebAuthn protocol are safe, because the cryptographic exchange at the heart of the protocol is bound to the site the credential was registered for. The authenticator signs a server-issued challenge together with the origin the browser is actually on and a hash of the site's relying-party identifier; a passkey registered for login.okta.com is never offered on an attacker's look-alike domain, and an assertion made on one would be rejected by the real server anyway. There is nothing for a proxy to relay. Weaker forms of MFA won't cut it.

A passkey by itself is a single factor: proof of possession of the device that holds the private key. In practice, phones and laptops require a fingerprint, a face scan or the device-bound PIN (as on Windows PCs) before they will unlock the passkey, and that local check adds a second factor, yielding MFA that is also phishing-resistant.

"If you have a mobile device with biometrics, or if you have FastPass or if you use passkeys, that'll force phishing resistance and multiple factors," says Woodyard. "If you're not able to do it, you're always going to be in that weakened position from a security-posture standpoint."

If WebAuthn is the last line of defense, the first line against phishing and other forms of social engineering is to be wary of messages, whether in email, chat apps or social media, that push you into panic mode and demand immediate action.

The messages don't need to contain attachments or even links. All they need to do is scare you enough so that you act against your better judgment.

Imagine a message, Woodyard says, that says your health insurance will be cut off unless you act immediately — and you already have health problems.

"Everybody's going to have their moment of weakness," he says. "Who amongst us would not fall for it?"

The key, he explains, is to catch your breath and think about what you're being presented with. No matter how genuine the message seems or how perfect the login page looks, step back and examine the situation fully. As another Okta expert puts it, it helps to become a "human firewall."

"There are always things that you can look at when it comes down to scams," Woodyard says. "What do they have in common? There's probably something high-pressure. There's probably something time-bound, where it's like, you have to do this right now."

Still, even the highest level of security awareness will only slow down, not stop, good phishing scams. When you've calmed down and the scare has passed, Woodyard says, then it's time to take action.

  • Register passkeys on all your devices with every online service that supports them.
  • Enable the strongest possible forms of MFA with those services that don't. (Push notifications, ideally with number matching, are better than authenticator-app codes, which are better than texted codes.)
  • Phase out using passwords as much as you can.
  • Add only trusted, well-known extensions to your web browsers, because even WebAuthn can't stop a malicious extension from stealing session cookies.
  • Regularly log out of and back into your most frequently used online services, such as webmail or social media. Logging out invalidates the current session on the server, so a session cookie captured earlier stops working.

"When you are in a headspace where you can concentrate, get your technical controls in place, as an organization and as a person, and set up phishing-resistant authentication," Woodyard says. "I really think a technological solution is going to be more effective than awareness."

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
