Back to Intelligence

Outsider Enterprise Takedown: Mitigating PaaS Phishing Risks and Detecting 2FA Bypass Kits

SA
Security Arsenal Team
June 15, 2026
6 min read

The recent takedown of ‘Outsider Enterprise’ by the FBI and Google marks a significant disruption in the cybercriminal ecosystem, but it is far from the end of the threat. As a Phishing-as-a-Service (PaaS) platform, Outsider Enterprise lowered the barrier to entry for threat actors, facilitating the theft of nearly 4 million credit cards and causing approximately $1.9 billion in losses. The platform automated the creation of over 9,000 social engineering sites, many utilizing advanced techniques to bypass Multi-Factor Authentication (MFA).

For SOC analysts and defenders, this serves as a critical reminder: the infrastructure may be seized, but the TTPs (Tactics, Techniques, and Procedures) have been commoditized and will resurface. We must shift our focus from blocking static indicators to hunting for the behavioral signatures of modern phishing kits.

Technical Analysis

Threat Overview: Outsider Enterprise operated as a sophisticated PaaS, providing cybercriminals with pre-packaged phishing site templates and hosting infrastructure. Unlike traditional phishing campaigns that relied on mass-blasting generic emails, this service emphasized high-fidelity site replication and automation.

Attack Chain & Mechanics:

  1. Initial Access: Victims are typically lured via social engineering (SMS, email, or voice) to links hosted on the Outsider Enterprise infrastructure.
  2. Credential Harvesting: The sites replicated legitimate login portals (financial, crypto, email) with pixel-perfect accuracy.
  3. C2 & Exfiltration: A defining characteristic of modern kits like Outsider is the use of mainstream communication platforms—specifically Telegram—for Command and Control (C2). Instead of setting up proprietary servers, attackers use Telegram bots to receive stolen credentials and one-time passwords (OTPs) in real-time. This makes C2 traffic difficult to distinguish from legitimate user traffic.
  4. MFA Bypass: Many of the 9,000 sites likely employed "reverse proxy" techniques (e.g., Evilginx2 style adaptations) or man-in-the-middle (MitM) automation to intercept session cookies, rendering 2FA ineffective.

Affected Assets: While the specific domains are seized, the methodology targets any organization relying on username/password authentication with MFA. Financial services and healthcare sectors remain prime targets due to the high liquidity of stolen data.

Detection & Response

To defend against the successor infrastructure that will inevitably replace Outsider Enterprise, we must hunt for the behavioral artifacts of these kits. The following rules focus on the ubiquitous use of Telegram for data exfiltration in modern phishing campaigns and the process patterns used to deploy these kits.

Sigma Rules

YAML
---
title: Potential Phishing Kit C2 via Telegram API
id: 8a2c4d1e-5f6b-4a7c-9e1d-2f3a4b5c6d7e
status: experimental
description: Detects potential use of Telegram API for C2 communication, often used by modern phishing kits like Outsider Enterprise to exfiltrate credentials.
references:
 - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.command_and_control
 - attack.t1071.001
logsource:
 category: network_connection
 product: windows
detection:
 selection:
   DestinationHostname|contains:
     - 'api.telegram.org'
   Initiated: 'true'
 filter_legitimate:
   Image|endswith:
     - '\Telegram.exe'
     - '\telegram-desktop.exe'
     - '\chrome.exe'
     - '\msedge.exe'
     - '\firefox.exe'
 condition: selection and not filter_legitimate
falsepositives:
 - Legitimate use of Telegram by non-standard approved clients (rare in enterprise)
level: high
---
title: Suspicious PowerShell Base64 Encoded Web Request
id: 9b3d5e2f-6g7h-5i8j-0k1l-3m4n5o6p7q8r
status: experimental
description: Detects PowerShell processes making web requests using Base64 encoded commands, a common method to initialize phishing kits or download malicious payloads.
references:
 - https://attack.mitre.org/techniques/T1059/001
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.execution
 - attack.t1059.001
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   Image|endswith: '\powershell.exe'
   CommandLine|contains:
     - 'Invoke-WebRequest'
     - 'IWR'
     - 'wget'
     - 'curl'
   CommandLine|matches: '-EncodedCommand\s*\w+'
 condition: selection
falsepositives:
 - System management scripts
 - Legacy software installers
level: medium
---
title: Browser Process Spawning Suspicious Child Process
id: 0c4e5f6a-1b2c-3d4e-5f6a-7b8c9d0e1f2a
status: experimental
description: Detects browser processes spawning cmd, powershell, or wscript, indicative of successful phishing drive-by download or session hijack execution.
references:
 - https://attack.mitre.org/techniques/T1204/
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.initial_access
 - attack.t1204
logsource:
 category: process_creation
 product: windows
detection:
 selection_parent:
   Image|contains:
     - '\chrome.exe'
     - '\msedge.exe'
     - '\firefox.exe'
 selection_child:
   Image|endswith:
     - '\cmd.exe'
     - '\powershell.exe'
     - '\wscript.exe'
     - '\cscript.exe'
 condition: selection_parent and selection_child
falsepositives:
 - Legitimate file downloads or user-initiated scripts
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for connections to Telegram API from non-browser processes
DeviceNetworkEvents
| where RemoteUrl contains "api.telegram.org"
| where InitiatingProcessFileName !in ("chrome.exe", "msedge.exe", "firefox.exe", "telegram-desktop.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
| order by Timestamp desc

// Hunt for high-entropy domain access (Potential Phishing Kit)
// Phishing kits often generate randomized subdomains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| parse RemoteUrl with Protocol "://" Host "/" Path
| extend Subdomain = tostring(split(Host, ".")[0])
| where strlen(Subdomain) > 10 // Heuristic for generated subdomains
| summarize count() by Host, DeviceName
| where count_ < 5 // Focus on rare, one-off domains typical of targeted phishing

Velociraptor VQL

VQL — Velociraptor
-- Hunt for processes connecting to Telegram IPs or Domains
-- This identifies potential C2 activity from phishing kits
SELECT *
FROM chain(
  SELECT 
    Pid, 
    Name, 
    CommandLine, 
    Exe,
    Username
  FROM pslist()
)
WHERE Name =~ "powershell.exe" OR Name =~ "cmd.exe"

-- Cross-reference with network connections to Telegram
LET TelegramProcesses = SELECT Pid FROM pslist() WHERE Name =~ "telegram.exe"

SELECT 
  F.Pid, 
  F.RemoteAddress, 
  F.RemotePort, 
  P.Name, 
  P.CommandLine
FROM netstat() AS F
LEFT JOIN pslist() AS P ON F.Pid = P.Pid
WHERE F.RemoteAddress IN ip_ranges("149.154.160.0/20", "91.108.4.0/22")
  AND P.Name NOT IN $TelegramProcesses

Remediation Script (PowerShell)

PowerShell
# Block known Telegram C2 IP ranges at the firewall to mitigate phishing kit exfiltration
# Note: Verify business use of Telegram before executing
Write-Host "Hardening network against common Phishing-as-a-Service C2 infrastructure..."

$TelegramRanges = @("149.154.160.0/20", "91.108.4.0/22")
$RuleName = "Block Phishing C2 - Telegram"

# Remove existing rule if present to avoid duplicates
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}

foreach ($cidr in $TelegramRanges) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block -RemoteAddress $cidr -Profile Any -Enabled True -ErrorAction Stop
}

Write-Host "Firewall rules updated. Blocking outbound traffic to Telegram IP ranges."

# Force flush DNS cache to prevent resolution of seized Outsider Enterprise domains if still cached
Clear-DnsClientCache
Write-Host "DNS cache flushed."

Remediation

While the FBI and Google have seized the domains associated with Outsider Enterprise, defense requires a layered approach:

  1. Network Segmentation & Filtering: Implement the firewall rules provided above to block unauthorized communication to known C2 channels like Telegram IP ranges, if not business-critical. Utilize DNS filtering solutions (e.g., Cisco Umbrella, Palo Alto) to block newly registered domains (NRDs) for 24-48 hours, a common tactic for phishing kits.

  2. User Awareness & Reporting: The "social" in social engineering remains the primary vector. Conduct immediate training sessions highlighting the sophistication of modern phishing sites (pixel-perfect replication). Emphasize that MFA codes should never be entered on a site accessed via a link.

  3. Session Hygiene: Encourage users to actively log out of sensitive sessions and close inactive browser tabs to reduce the window of opportunity for session hijacking.

  4. Asset Discovery: Perform a sweep of your external attack surface to ensure no spoofed domains of your organization are currently active. Register typosquatting domains relevant to your brand.

  5. IOC Integration: While the 9,000 specific domains are seized, add any newly identified IOCs related to "Outsider" kits to your blocklists immediately.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachphishingoutsider-enterprisesocial-engineering

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action