This new email scam bypasses 2FA and steals your identity

A new phishing kit called Astaroth, designed to compromise login credentials and 2FA codes, has been discovered, making it more dangerous than ever to click on suspicious emails.


According to a recent report by SlashNext on a new phishing kit called “Astaroth,” those “verify your account” emails lurking in your inbox just became significantly more dangerous.

These emails, often appearing to be from legitimate sources like Google or Microsoft, typically request you to sign in due to a vague security concern. Clicking on the included links, however, can now have severe consequences.

Astaroth, a $2,000 phishing kit, is designed to compromise login credentials, 2FA codes, and session cookies through a sophisticated man-in-the-middle attack deployed on infected devices, effectively bypassing 2FA.

This is not a simple scam; it’s a highly advanced operation capable of capturing sensitive information in real time. For more details, refer to the SlashNext report.

How This Email Nightmare Works

It starts innocently enough – you get an email that looks legitimate (and these days, they really do look legitimate). Maybe it’s telling you your Outlook password is about to expire, or that someone tried to sign into your Gmail account.

You click the helpful “verify here” button and boom – you’re looking at what appears to be a legitimate Google, Microsoft, or Yahoo login page. Except it’s not. It’s actually a clever man-in-the-middle attack that’s about to ruin your day.

The truly terrifying part? This new attack uses a reverse proxy mechanism that sits between you and the real login page, basically becoming an invisible middleman that captures everything in real-time.

And when we say everything, we mean everything – your password, that 2FA code you just typed, and even your session cookies.

Why This Is Actually Worse Than It Sounds

Traditional phishing kits are like using a fishing rod to catch one fish at a time. Astaroth is more like dropping dynamite in the lake.

According to security researchers, this bad boy can bypass 2FA defenses with “remarkable speed and precision,” making those old-school phishing attempts look like child’s play.

The worst part? The attackers get instant notifications through their web panel and Telegram when they’ve caught a victim. It’s like DoorDash, but for stealing your digital identity.

How to Not Become Another Statistic

Look, I’m not here to just spread doom and gloom. Here’s how to keep your digital life from becoming another Astaroth success story:

  1. Stop clicking random links, seriously. I know that email claiming you’ve won a free Tesla is tempting, but come on.
  2. Always go directly to websites by typing their URLs. Yes, it’s more work. No, I don’t care.
  3. If you absolutely must click a link (you shouldn’t), check that URL like your life depends on it. Because your digital one kind of does.
  4. Consider switching to passkeys where available – they’re actually proving more resistant to these types of attacks.
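
Why passkeys (item 4) hold up against a reverse-proxy kit, shown as an added example that is not from this article or the SlashNext report: the browser writes the origin it actually loaded into the login response, and the real site rejects a response minted on any other origin. The hosts, challenge and function names are constructed, and signature verification is left out to keep the focus on the origin checks.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "example.com"                            # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # assumed genuine login origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def client_response(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """Constructed stand-in for browser + authenticator output (no signature)."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def failed_checks(response: dict, expected_challenge: bytes) -> list:
    """Relying-party checks that bind a login to the genuine site."""
    client_data = json.loads(response["clientDataJSON"])
    auth_data = response["authenticatorData"]
    failures = []
    if client_data.get("type") != "webauthn.get":
        failures.append("type")
    if not hmac.compare_digest(client_data.get("challenge", ""), b64url(expected_challenge)):
        failures.append("challenge")
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        failures.append("origin")
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        failures.append("rpIdHash")
    if len(auth_data) < 37 or not auth_data[32] & 0x01:
        failures.append("userPresent")
    return failures

CHALLENGE = b"constructed-server-challenge-0001"
# Genuine page: the browser records the real origin.
GENUINE = client_response("https://login.example.com", "example.com", CHALLENGE)
# Proxied page on a constructed lookalike host relaying the same challenge: the browser
# records the origin it loaded and only permits an RP ID inside that domain.
PROXIED = client_response("https://login.example-verify.test", "example-verify.test", CHALLENGE)

if __name__ == "__main__":
    print("genuine:", failed_checks(GENUINE, CHALLENGE))
    print("proxied:", failed_checks(PROXIED, CHALLENGE))
```

A typed 2FA code carries no such origin field, which is why it can be relayed through the proxy unchanged.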

The Bottom Line

For just $2,000, cybercriminals can now get their hands on a tool that renders your 2FA useless.

The kit even comes with six months of updates, because apparently even cybercriminals offer better customer service than most tech companies these days.

Security experts warn that with AI making phishing attempts increasingly sophisticated, these attacks will only get harder to spot.

So while 2FA isn’t completely useless (yet), maybe it’s time we all started taking our digital security a bit more seriously.


Kevin is KnowTechie's founder and executive editor. With over 15 years of blogging experience in the tech industry, Kevin has transformed what was once a passion project into a full-blown tech news publication. Shoot him an email at kevin@knowtechie.com.
