25-12-16, 1:23 p.m.

BlackForce phishing kit hijacks users’ login sessions in real time, capturing credentials and one-time MFA codes directly in the browser. Already used against major brands, it shows how attackers are bypassing traditional security protections with advanced techniques.

A newly identified phishing operation called BlackForce is showing how far modern cyberattacks have evolved, and why many traditional security controls are no longer enough on their own. Unlike older phishing campaigns that simply steal usernames and passwords, BlackForce is designed to defeat multi-factor authentication by intercepting users in real time during the login process.

First observed in 2025, BlackForce is a commercially sold phishing kit that enables attackers to conduct Man-in-the-Browser attacks. These attacks allow criminals to sit between a user and a legitimate website, capturing credentials and one-time verification codes as they are entered. Even when MFA is enabled, attackers can still gain full account access by harvesting the authentication code the moment it is generated.

The tool has already been used in attacks against major, recognizable brands, which highlights how convincing and effective these campaigns have become. Victims are directed to login pages that appear completely legitimate. Once credentials are entered, the attacker immediately attempts to access the real service. When an MFA prompt appears, the victim is shown a fake verification screen inside their browser session, unknowingly handing over the code needed to complete the breach.

What makes BlackForce especially difficult to detect is how well it blends in with normal web activity. The phishing pages rely heavily on legitimate web frameworks, making malicious traffic look ordinary to many security tools. The kit is also frequently updated and includes protections that block security scanners and analysis tools, allowing campaigns to remain active longer.

This type of attack underscores a critical reality for businesses today: security controls cannot operate in isolation. MFA alone is no longer a guarantee of protection, and phishing has moved far beyond poorly written emails and obvious fake websites. Modern attacks are designed to exploit trust, timing, and gaps between security layers.

At Upside Business Technologies, we help organizations reduce their exposure to threats like this by taking a proactive, layered approach to cybersecurity, including:

• Monitoring for abnormal login behavior and suspicious authentication activity

• Strengthening identity and access controls beyond basic MFA

• Reducing phishing risk through preventative security measures and user awareness

• Detecting and responding quickly when credentials or sessions are compromised

In a threat landscape where attackers continue to innovate, having the right security strategy and experienced support in place can make the difference between a blocked attempt and a serious incident.