Multi-Hop Phishing: 
Kits, Clouds, and Chained Attacks

Phishing has gotten harder to catch.

Attackers are no longer relying on obvious fake pages. They are routing campaigns through legitimate domains, trusted cloud services, and sophisticated phishing kits designed to bypass detection at every layer.

In this 45-minute technical session, LevelBlue SpiderLabs researcher Karla Agregado breaks down a pattern she has been tracking across recent phishing campaigns: the convergence of compromised domains, abused cloud services, and advanced phishing kits like Tycoon 2FA working together to obscure the true destination from users and security tools alike.

In this session, you'll learn:

• How attackers abuse legitimate domains, cloud services, and CAPTCHA tools as redirection layers

• How compromised domains provide cover inside active phishing campaigns

• How Tycoon 2FA kits work and why their use is growing

• The full attack chain from initial arrival to final phishing URL

• The indicators that reveal what automated tools often miss

Speaker: Karla Agregado, Security Researcher, LevelBlue

📅 Thursday, June 11 , 2026 | 10:00PM CT