Google Threat Intelligence Group’s latest reporting on Chinese-language phishing-as-a-service (PhaaS) is a useful reminder that modern phishing is no longer just a fake login page and a stolen password. The more dangerous trend is real-time fraud infrastructure: kits that can capture credentials, intercept one-time passcodes, and help attackers provision stolen payment cards into digital wallets before defenders or victims can react.
The original GTIG report is worth reading here: The Evolution of Chinese-language Phishing Services.
What Google reported
GTIG analyzed a set of mature Chinese-language PhaaS offerings advertised in criminal communities. The notable shift is not simply that phishing kits are getting prettier. It is that the ecosystem is becoming more operationally complete: phishing templates, hosting, domain services, message delivery, stolen data brokerage, money movement, and real-time operator panels are increasingly bundled together.
Several tactics stand out for defenders:
- Real-time OTP interception: attackers use live panels to interact with the victim session as credentials and one-time codes are entered.
- RCS and iMessage delivery: encrypted messaging channels can make malicious-link filtering harder than traditional SMS inspection.
- Digital wallet monetization: the goal is often not just account access, but tokenizing a stolen payment card onto an attacker-controlled device.
- AI-assisted page generation: some services can generate localized, high-fidelity phishing pages faster than static blocklists can keep up.
Why this matters for SMBs and government contractors
Small businesses and subcontractors often assume that MFA is the finish line. This report shows why that assumption is risky. MFA still matters, but push prompts, SMS codes, email codes, and time-based one-time passwords can all be abused when an attacker controls the timing and social engineering flow.
For government contractors, the risk is bigger than consumer banking fraud. The same real-time phishing model can be adapted to Microsoft 365, Google Workspace, VPN portals, payroll platforms, remote monitoring tools, and contractor-facing procurement systems. If an attacker can capture a session token or walk a user through a live login, the breach may look like legitimate access until data is already gone.
Defensive priorities
1. Move away from phishable MFA where possible
Hardware-backed passkeys, FIDO2 security keys, and platform authenticators tied to the legitimate domain provide better resistance against adversary-in-the-middle phishing than codes that users can type into a fake page.
2. Treat new device enrollment as a high-risk event
If a user suddenly enrolls a new authenticator, mobile device, digital wallet, or unfamiliar browser session, that should trigger alerting and review. Attackers increasingly monetize access by adding their own trusted device rather than repeatedly stealing the same password.
3. Monitor impossible travel and session anomalies
Look for fresh sessions from new geography, new ASN, unusual device fingerprints, atypical user agents, or rapid transitions from login to mailbox export, cloud file access, payment changes, or administrative actions.
4. Harden financial and identity workflows
Do not let a single phished account approve payment changes, payroll edits, vendor bank updates, or privileged access requests. Require out-of-band verification for high-impact changes, especially when the request arrives through email or messaging.
5. Train users on timing-based social engineering
Users should understand that “enter this code right now” is exactly the situation attackers want. Training should focus less on spotting ugly emails and more on slowing down urgent login, payment, shipping, and account recovery prompts.
Bulwark Black assessment
The practical lesson is simple: phishing defense has to move from page detection to transaction defense. Blocking known malicious domains is still useful, but it will not stop a localized, rapidly generated page delivered through a trusted messaging channel and operated in real time.
Organizations should prioritize phishing-resistant MFA for administrators and finance users first, then expand outward. Pair that with session monitoring, new-device controls, and approval workflows that assume at least one employee will eventually be socially engineered. That is the difference between a stolen password and a contained incident.
