Phishing Kits & PhaaS

What Is LogoKit?

Always Automate, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

LogoKit is a JavaScript-based phishing kit that dynamically generates phishing pages by fetching target company logos in real-time using Clearbit and Google's favicon API. First identified in 2021 when it was discovered on over 700 unique domains within 30 days (300 in a single week), according to KnowBe4 reporting, the kit has evolved to use multiple evasion techniques and can be hosted on compromised sites or legitimate CDNs. As of February 2025, domains using LogoKit remain active with zero VirusTotal detections, according to Resecurity's updated analysis, indicating continued effectiveness despite public disclosure and security research.

How does LogoKit work?

LogoKit embeds the victim's email address directly in phishing URLs using parameters like "phishing-site.com?email=user@target.com," according to RiskIQ (Rapid7) analysis. When the victim clicks the link, JavaScript extracts the email domain (e.g., "target.com" from "user@target.com") and automatically fetches the company logo from Clearbit's logo API or Google's favicon service. This dynamic retrieval means attackers don't need to manually create or embed logos for each target organization—the kit automatically displays the correct logo for whatever domain appears in the victim's email address.

The email address is pre-filled in the username or email field on the phishing page, creating a false sense of prior login or legitimate session. According to Cyble's analysis, this psychological manipulation increases victim trust because the page appears to "recognize" them. After the victim enters their password or other credentials, the kit captures this data via AJAX request and sends it to an attacker-controlled backend server. The AJAX-based exfiltration is harder to detect than traditional form submission because it doesn't require full page reload and may bypass some security monitoring tools.

Following credential capture, LogoKit automatically redirects victims to the legitimate corporate website for the domain extracted from their email address. According to Security Affairs, this redirect serves two purposes: it reduces victim suspicion (they end up at the real site they expected to reach), and it may prevent victims from immediately recognizing they've been phished since the "login" appears to have worked when they arrive at the real site.

The kit's modular JavaScript-based design enables PhaaS deployment, according to Resecurity. Attackers can host LogoKit on compromised websites, legitimate content delivery networks including Firebase, GitHub Pages, and Oracle Cloud, or attacker-owned infrastructure. The flexibility makes it difficult to fully eradicate since takedown of one hosting location doesn't affect instances deployed elsewhere.

LogoKit exploits open redirect vulnerabilities on trusted domains including Snapchat and WeTransfer to hide malicious URLs. According to Resecurity's analysis, attackers route phishing links through these trusted services' redirect capabilities, so the initial URL appears to be from a legitimate domain (snapchat.com/redirect?url=malicious-site.com). This technique bypasses URL-based filtering that trusts the initial domain without analyzing the ultimate destination.

How does LogoKit differ from other phishing kits?

| Feature | LogoKit | V3B | GhostFrame |
| --- | --- | --- | --- |
| Technical Stack | JavaScript (frontend), AJAX | PHP/Golang | HTML/JavaScript |
| Logo Handling | Dynamic fetch per-request | Static pre-embedded | Not specified |
| MFA/OTP Handling | Basic (no advanced bypass) | PhotoTAN, SmartID support | Advanced iframe technique |
| Hosting Flexibility | Compromised sites, CDNs (Firebase, GitHub, Oracle) | Dedicated/leased servers | Not specified |
| Detection Signature | High (logo fetching generates logs) | Medium | Low (specifically designed for evasion) |
| First Active | ~2021 | Not specified | September 2025 |
| Target Focus | General enterprise | Banking institutions | M365/Google Workspace |
| Ideal for | Automated targeting of any organization with public logos | Sophisticated banking fraud with MFA bypass | Enterprise cloud service credential theft |

LogoKit's distinguishing feature is the dynamic logo fetching mechanism. According to Security Affairs, this eliminates the need for attackers to manually update logos when target organizations rebrand or when targeting new organizations not previously in their template library. The automation reduces operational overhead and enables LogoKit to target any organization with a publicly accessible logo without preparation.

The lack of advanced multi-factor authentication bypass capabilities limits LogoKit's effectiveness against modern authentication. According to Dark Reading, newer kits like V3B include specific modules for capturing PhotoTAN codes and SmartID authentication used by European banking institutions, while GhostFrame uses sophisticated iframe techniques to capture Microsoft 365 and Google Workspace MFA tokens. LogoKit captures only basic credentials and cannot effectively defeat modern MFA implementations.

Why does LogoKit matter?

LogoKit demonstrates the industrialization of phishing kit development with modular, reusable components. The JavaScript-based architecture and dynamic logo fetching represent engineering thinking applied to cybercrime—solving operational problems (manual logo updates, targeting new organizations) through automation. According to CISO Mag reporting from 2021, the identification of LogoKit on 700+ domains within 30 days indicated widespread adoption suggesting the kit effectively served attacker needs.

The targeting of diverse sectors including government agencies, financial services, logistics, and faith-based organizations illustrates LogoKit's versatility. According to TechNadu, documented targets include Hungary's HunCERT, Kina Bank in Papua New Guinea, and US Catholic Church organizations. This cross-sector targeting demonstrates that LogoKit serves general-purpose phishing needs rather than specializing in particular verticals like banking or cryptocurrency.

The kit's continued activity through 2025 despite first being identified in 2021 indicates successful evasion of comprehensive disruption. According to Resecurity's February 2025 update, domains registered in October 2024 remained active with zero VirusTotal detections four months later, demonstrating that LogoKit's evasion techniques remain effective against many automated detection systems. The longevity suggests attackers find the kit's simplicity and automation valuable enough to continue using it despite public disclosure and security vendor awareness.

The exploitation of legitimate CDNs for hosting creates challenges for defenders. According to Cyble, hosting on Firebase, GitHub Pages, and Oracle Cloud means takedown requests must go through legitimate service providers' abuse processes rather than directly to hosting providers specializing in abuse-friendly infrastructure. The legitimate services may be slower to respond or have higher evidence thresholds for takedown than providers frequently hosting malicious content.

What are LogoKit's limitations?

Logo Fetching Creates Detectable Network Signatures

Requests to Clearbit and Google favicon APIs can be logged and monitored by security tools. According to Resecurity, organizations implementing outbound traffic monitoring can detect unusual patterns of logo API requests originating from phishing pages. Network security tools can flag requests to these services from URLs not matching known legitimate applications or services. The external API dependency means LogoKit phishing pages generate network traffic to third-party services that can be intercepted, logged, and analyzed.

Embedded Email Parameters Create Recognizable Signatures

The URL structure embedding victim email addresses (e.g., "site.com?email=user@company.com") represents a recognizable signature for security teams. According to Dark Reading, email security tools can inspect URLs in messages for embedded email parameters and flag these as suspicious since legitimate services rarely embed complete email addresses in authentication URLs. This pattern is particularly obvious when the domain in the URL doesn't match the domain in the embedded email parameter.

Limited MFA Handling Reduces Effectiveness

LogoKit cannot effectively bypass modern multi-factor authentication schemes, according to Cyble. Organizations requiring hardware security keys (FIDO2/WebAuthn), authenticator apps with push notifications, or advanced authentication flows will be protected even if employees click LogoKit links and attempt to authenticate. The basic credential capture approach limits the kit's utility against security-conscious organizations implementing modern authentication standards.

Open Redirect Exploitation Depends on Service Reputation

The effectiveness of routing through Snapchat, WeTransfer, and similar open redirects depends on these services maintaining security reputation. According to Resecurity, as services fix open redirect vulnerabilities or implement restrictions on redirect destinations, LogoKit's ability to leverage these trusted domains diminishes. Security vendors increasingly analyze redirect chains rather than trusting initial domains, reducing the effectiveness of this evasion technique.

Lack of Advanced Evasion Limits Stealth

LogoKit lacks JavaScript obfuscation and anti-inspection tools found in newer, more sophisticated kits. According to Security Affairs, security researchers can relatively easily analyze LogoKit's JavaScript code to understand its operation, develop signatures, and create detection rules. The straightforward implementation prioritizes ease of deployment and modification over sophisticated evasion, making it more accessible to less-technical attackers but easier for defenders to analyze and counter.

How can organizations defend against LogoKit-style attacks?

API and Network Traffic Monitoring

Organizations should monitor outbound requests to logo fetch services, including Clearbit's logo API and Google's favicon API. According to Resecurity, organizations should implement network monitoring rules that flag unusual patterns of requests to these services, particularly when the requests come from internal user systems or originate from pages reached via email links. DNS filtering solutions can log queries to logo service domains and alert on volume spikes or on requests from unexpected source systems. Web proxy logs should be analyzed for traffic patterns that indicate a phishing page loading, such as JavaScript-initiated API requests to logo services followed by a credential submission to an unknown domain.
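The proxy-log correlation described above, as an added example that is not part of the original page and not any vendor's detection rule: it walks a small set of constructed proxy log lines, records logo-service fetches (Clearbit's logo API and Google's favicon service) per client, and raises an alert when the same client then POSTs to a host outside a constructed allowlist of known login services within a short window. The log format, the allowlist, the five-minute window and the hostnames are assumptions.

```python
"""Added example (not the page's or any vendor's code): correlate proxy log
lines for the LogoKit-style sequence "logo API fetch from a page, then a
credential POST to an unknown domain" by the same client."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts serving logos that a LogoKit-style page fetches from.
# Google's favicon service is distinguished by its /s2/favicons path.
LOGO_SERVICES = {"logo.clearbit.com", "www.google.com"}

# Constructed allowlist: login endpoints the organization expects POSTs to.
KNOWN_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com", "sso.example.com"}

# Assumed correlation window between the logo fetch and the credential POST.
WINDOW = timedelta(minutes=5)

# Constructed sample log: "timestamp client method host path referer" per line.
SAMPLE_LOG = """\
2025-02-10T09:00:01 10.1.1.5 GET logo.clearbit.com /example.com https://pages.example-cdn.test/login.html
2025-02-10T09:00:30 10.1.1.5 POST pages.example-cdn.test /submit.php https://pages.example-cdn.test/login.html
2025-02-10T09:05:00 10.1.1.9 GET www.google.com /s2/favicons?domain=example.com https://intranet.example.com/
2025-02-10T09:06:00 10.1.1.9 POST sso.example.com /login https://sso.example.com/
2025-02-10T09:20:00 10.1.1.9 POST unknown-host.test /collect https://unknown-host.test/
"""


def parse_line(line):
    """Split one constructed log line into its six fields."""
    ts, ip, method, host, path, referer = line.split(maxsplit=5)
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "host": host, "path": path, "referer": referer}


def is_logo_fetch(rec):
    """True for a request to Clearbit's logo API or Google's favicon service."""
    if rec["host"] == "logo.clearbit.com":
        return True
    return rec["host"] == "www.google.com" and rec["path"].startswith("/s2/favicons")


def detect(log_text):
    """Return alerts for POSTs to non-allowlisted hosts that follow a logo
    fetch by the same client within WINDOW."""
    alerts = []
    recent = defaultdict(list)  # client ip -> [(fetch time, page host that triggered it)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_logo_fetch(rec):
            recent[rec["ip"]].append((rec["ts"], urlparse(rec["referer"]).hostname))
        elif rec["method"] == "POST" and rec["host"] not in KNOWN_LOGIN_HOSTS:
            for fetch_ts, page_host in recent[rec["ip"]]:
                if rec["ts"] - fetch_ts <= WINDOW:
                    alerts.append({"ip": rec["ip"], "page": page_host,
                                   "post_to": rec["host"], "ts": rec["ts"].isoformat()})
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample input only client 10.1.1.5 is flagged: it fetched a logo and POSTed to the same unknown host 29 seconds later. Client 10.1.1.9 fetched a favicon too, but its first POST went to an allowlisted SSO host and its later POST to an unknown host fell outside the window, which is why the window matters: logo fetches from ordinary intranet pages are common, and the rule only fires on the fetch-then-submit sequence.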

Email Security and URL Inspection

Email security tools should inspect URLs for embedded email parameters and flag messages whose URLs contain an email address as suspicious. According to Dark Reading, organizations should implement policies that warn users when a link contains their own email address, since this is characteristic of LogoKit and similar phishing kits. AJAX request analysis capabilities in advanced email security solutions can monitor for credential submissions via AJAX to non-standard endpoints, detecting LogoKit's exfiltration method. DNS and proxy filtering should block known LogoKit hosting infrastructure, including abused Firebase projects, GitHub Pages repositories, and Oracle Cloud instances documented in threat intelligence feeds.

User Education and Awareness

Training programs should educate users that pre-filled email fields can indicate phishing rather than legitimate prior login sessions. According to Cyble, users should be suspicious when clicking email links leads to login pages with their email already populated, particularly if they don't recall previously logging into that service or if the URL domain doesn't match the expected service. Email security awareness should emphasize that legitimate services typically don't embed email addresses in authentication URLs sent via email. According to Security Affairs, users should examine URLs carefully before clicking, looking for redirect parameters, unusual domains, or email address embedding.

Endpoint and Email Client Security

Deploy endpoint security solutions with behavioral detection capabilities that can identify credential submission to unknown domains. According to Cyble, advanced endpoint protection can flag when browsers submit form data or AJAX requests to domains not matching known legitimate organizational services. Email clients with built-in phishing protection should be configured to scan links before rendering, examining redirect chains and ultimate destinations rather than trusting initial URLs. Firewall rules should block outbound connections from client machines to known LogoKit command-and-control infrastructure documented in threat intelligence feeds.

Threat Intelligence Integration

Organizations should subscribe to threat intelligence feeds tracking LogoKit infrastructure, domains, and indicators of compromise. According to Security Affairs, many antivirus vendors now include LogoKit signatures, so maintaining current security software helps detect known instances. Information sharing through industry ISACs (Information Sharing and Analysis Centers) enables organizations to benefit from LogoKit detections at peer organizations. Report LogoKit phishing attempts to hosting providers (Firebase, GitHub, Oracle Cloud) for abuse investigation and potential takedown. Legitimate services being exploited through open redirects (Snapchat, WeTransfer) should be notified so they can fix vulnerabilities and prevent future abuse.

FAQs

How does LogoKit get the company logo?

LogoKit fetches logos in real-time from Clearbit or Google's favicon API based on the email domain extracted from the phishing URL, according to RiskIQ's analysis. When a victim clicks a link like "phishing-site.com?email=user@company.com," JavaScript on the phishing page extracts "company.com" from the email parameter and queries Clearbit's API or Google's favicon service to retrieve the logo image. This happens dynamically for each victim, so the same phishing page automatically displays the correct logo for whatever organization the victim belongs to without the attacker manually creating separate pages for each target.

Why is the victim's email pre-filled on LogoKit phishing pages?

The pre-filled email creates psychological legitimacy by making victims believe they've previously logged into the service or that the page recognizes them as an authenticated user, according to Cyble's analysis. The email is embedded in the URL parameters by the attacker when sending the phishing message, then retrieved via JavaScript and automatically populated in the login form field. This technique exploits users' familiarity with legitimate services that remember usernames or offer single sign-on experiences where email addresses are pre-populated. Victims are less likely to question the legitimacy of a page that appears to already know their identity.

Can LogoKit bypass multi-factor authentication?

LogoKit was not designed with MFA bypass capabilities, according to Cyble. Victims with modern multi-factor authentication enabled—particularly hardware security keys using FIDO2/WebAuthn standards—are protected because these authentication methods verify the domain of the authentication request. Hardware keys will refuse to authenticate to phishing domains even if they appear identical to legitimate services. App-based MFA (authenticator apps, push notifications) may provide partial protection, though determined attackers could conduct follow-up attacks requesting MFA codes. Organizations relying solely on passwords without any MFA layer face the highest risk.

What organizations should be most concerned about LogoKit?

Government agencies, financial institutions, logistics providers, and any organization with high-profile branding are prime targets, according to TechNadu's analysis of documented LogoKit victims. Organizations with widely recognized logos available through public APIs like Clearbit are easiest for LogoKit to impersonate since logo fetching requires no manual effort. Documented targets include Hungarian CERT organizations, financial institutions like Kina Bank, and faith-based organizations like US Catholic Church entities. Organizations relying primarily on password-based authentication without robust MFA are most vulnerable. Organizations should be particularly concerned if they have large user populations likely to click email links without careful URL verification.

How is LogoKit distributed?

LogoKit can be hosted on compromised websites, legitimate CDNs including Firebase, GitHub Pages, and Oracle Cloud, or attacker-owned infrastructure, according to Resecurity's analysis. The kit's modular JavaScript design enables easy deployment across diverse hosting platforms. Attackers distribute phishing links through email campaigns, compromised accounts that send messages to contacts, social media direct messages, or SMS messages. The flexibility of hosting options makes LogoKit difficult to fully eradicate—takedown of one hosting location doesn't affect instances deployed on other infrastructure. Some attackers purchase LogoKit as part of phishing-as-a-service offerings.

© 2026 Kinds Security Inc. All rights reserved.