
Outsider Enterprise dismantled: urgent need for phishing‑resistant FIDO2 MFA

FBI, Google, and Black Lotus Labs dismantled “Outsider Enterprise,” a PhaaS linked to >1M URLs and ≈$1.9B in losses. Why FIDO2/WebAuthn MFA is now the “appropriate measure” under GDPR Article 32.

On June 12–15, 2026, the FBI, Google, and Black Lotus Labs dismantled “Outsider Enterprise,” a phishing‑as‑a‑service platform that spawned >9,000 sites and over 1 million URLs, tied to 3.87M stolen cards and ≈$1.9B in losses. Here is how phishing‑resistant MFA (FIDO2/WebAuthn) satisfies GDPR Article 32 and blocks initial access.

What happened

Between June 12 and 15, 2026, Google announced legal action and a joint operation with the FBI and Lumen/Black Lotus Labs against a phishing‑as‑a‑service (PhaaS) network named “Outsider Enterprise.” The service industrialized brand impersonation through SMS (smishing) and fake login pages, leveraging AI models and over 290 ready‑made templates. Takedown actions seized admin servers, a test Shopify store, about 100,000 USDT, and a Telegram bot, redirecting “thousands” of domains to an FBI notice page. Reported totals: over 1 million malicious links, >9,000 sites, and at least 3.87 million stolen payment cards for ≈$1.9 billion in losses since 2023. BleepingComputer, June 14, 2026; TechCrunch, June 12, 2026; Google Blog, June 12, 2026.

Active, concrete threat: publicly observable IOCs include the seized phishing domains now redirecting to the FBI notice page (a detection indicator for web/DNS gateways), kit/template URLs hosted with US providers, and infrastructure fingerprints tied to the Telegram bot and admin servers (see the cited articles for details and visuals). Recent campaigns spoofed Google, telecom operators (AT&T, T‑Mobile, Verizon), and banks. The kits operate as an adversary‑in‑the‑middle: the fake page captures the password and the one‑time code and forwards them to the legitimate provider in real time, before the code expires. This is the standard bypass of SMS, TOTP and push approvals: any factor the user can read and type, or simply approve, can be relayed.

The applicable legal framework

  • GDPR — Article 32: requires “appropriate technical and organizational measures” to ensure a level of security appropriate to risk, including confidentiality and integrity, plus regular effectiveness assessments. Risk‑appropriate MFA is expected to reduce unauthorized access via phishing. Text: EUR‑Lex — Art. 32. See also security of processing under GDPR.
  • NIS 2 — Article 21(2)(j) (relevant for “essential/important” entities in LU/BE/FR/DE/EU): use of multi‑factor or continuous authentication and secured communications. Text: EUR‑Lex — NIS 2 Art. 21. For the EU scope, review NIS 2 obligations for essential entities.

In short: if your users can be lured by an SMS/email to a fake page, then under Article 32 and, where applicable, NIS 2 Art. 21, regulators expect phishing‑resistant authentication and evidence that it is effectively deployed where risk is high (cloud access, administrators, finance, CRM, VPN, etc.).

The technical solution: phishing‑resistant MFA (FIDO2/WebAuthn)

Goal: make credentials and codes intercepted by PhaaS kits like Outsider Enterprise technically unusable.

How it works:

  • FIDO2/WebAuthn (hardware security keys or device‑bound passkeys) performs public‑key challenge‑response authentication bound to the site (origin binding). The browser writes the origin the user is actually on into the signed client data, and the authenticator only releases a credential for the relying party ID it was registered to (e.g., login.microsoftonline.com). A look‑alike domain therefore cannot obtain a usable response: the browser refuses to request the real site’s credential from a foreign origin, and any response it does obtain carries the wrong origin and fails verification at the real service.
  • No reusable secret: no password, no OTP to type, nothing to “read” in clear on a fake page or relay in real time. The private key never leaves the authenticator.
  • Reference standards: ISO/IEC 27001:2022 Annex A (5.15 Access control, 5.17 Authentication information), CIS Controls v8 (Safeguards 6.3, 6.4, 6.5: MFA for externally exposed applications, remote network access, and administrative access), NIST SP 800‑63B (phishing resistance required at AAL3 and recommended at AAL2).
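The origin binding described above, as an added example that is not code from the article or from any IdP vendor. It simulates the WebAuthn assertion ceremony in Go with only the standard library: a constructed relying party at https://login.example.com (RP ID login.example.com), a constructed look‑alike https://login-example.com standing in for a PhaaS page, and a P‑256 credential generated on the fly. The relying‑party check follows the order of the WebAuthn spec (type and challenge, origin, rpIdHash, user presence, signature); the three scenarios show why a relayed or edited response is rejected even when the kit forwards the genuine challenge. All names, origins and values are assumptions made for the example; none is a real indicator.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors CollectedClientData: the browser fills it in and the authenticator signs
// over its SHA-256 hash, so the origin the user really visited is sealed into the response.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party (RP) receives after navigator.credentials.get().
type assertion struct{ ClientDataJSON, AuthenticatorData, Signature []byte }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// authData builds minimal authenticator data: rpIdHash(32) || flags(1, UP set) || signCount(4).
func authData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(append(h[:], 0x01), byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
}

// signedMessage is exactly what the authenticator signs: authData || SHA-256(clientDataJSON).
func signedMessage(ad, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	m := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...))
	return m[:]
}

// simulateClient plays browser plus authenticator: the browser records the origin it is really
// on, the authenticator hashes the RP ID the page asked for and signs with the credential key.
func simulateClient(priv *ecdsa.PrivateKey, pageOrigin, rpID string, challenge []byte) assertion {
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: b64(challenge), Origin: pageOrigin})
	ad := authData(rpID, 1)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, cdj))
	if err != nil {
		panic(err)
	}
	return assertion{cdj, ad, sig}
}

// verifyAssertion is the RP-side check in the order of WebAuthn §7.2: ceremony type and
// challenge, origin, rpIdHash and user presence, and only then the signature.
func verifyAssertion(pub *ecdsa.PublicKey, expectedOrigin, rpID string, challenge []byte, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != b64(challenge) {
		return errors.New("wrong ceremony type or stale challenge")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: got %s", cd.Origin)
	}
	if h := sha256.Sum256([]byte(rpID)); len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], h[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature invalid")
	}
	return nil
}

// runScenarios exercises one registered key against three ceremonies; a nil error means accepted.
func runScenarios() map[string]error {
	const rpID, origin = "login.example.com", "https://login.example.com"
	const phish = "https://login-example.com" // constructed look-alike, not a real indicator
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := make([]byte, 32) // per-login nonce issued by the RP
	rand.Read(challenge)
	res := map[string]error{}
	// 1. The victim authenticates on the genuine page.
	a := simulateClient(priv, origin, rpID, challenge)
	res["genuine"] = verifyAssertion(&priv.PublicKey, origin, rpID, challenge, a)
	// 2. Relay: the kit forwards the RP's challenge, but the browser answers from the phishing origin.
	//    A real authenticator holds no credential for that RP ID; we sign anyway to show the RP still rejects.
	a = simulateClient(priv, phish, "login-example.com", challenge)
	res["relayed"] = verifyAssertion(&priv.PublicKey, origin, rpID, challenge, a)
	// 3. The kit rewrites clientDataJSON and authData to claim the genuine site: the hash the
	//    authenticator signed no longer matches, so the signature check fails.
	a.ClientDataJSON = bytes.Replace(a.ClientDataJSON, []byte(phish), []byte(origin), 1)
	a.AuthenticatorData = authData(rpID, 1)
	res["forged"] = verifyAssertion(&priv.PublicKey, origin, rpID, challenge, a)
	return res
}

func main() {
	res := runScenarios()
	for _, k := range []string{"genuine", "relayed", "forged"} {
		fmt.Println(k+":", res[k]) // <nil> means accepted
	}
}
```

The instructive part is the order of checks: the relayed assertion dies at the origin comparison before any cryptography runs, and the edited one dies at the signature because the authenticator signed the hash of the original client data. A password or OTP has no equivalent of either check, which is exactly what the PhaaS relay exploits.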

In practice:

  • IdP/SSO (Microsoft Entra ID, Okta, Keycloak, etc.): enable “FIDO2 Security Keys” and/or “passkeys,” require WebAuthn on sensitive resources, and progressively disable SMS/voice/TOTP.
  • Conditional access: “phishing‑resistant MFA” policies (authentication strength) for administrators, finance, HR, and VPN first, then extended to critical apps (SaaS and federated on‑prem).
  • Revocation and recovery: two FIDO2 authenticators per user (hardware key plus platform passkey) so that losing one never forces a fallback to SMS, a supervised recovery procedure that does not reintroduce a phishable factor, and attended enrollment to avoid “orphaned” accounts.

How Luxgap deploys this

  • Our ISO 27001 governance: framing “Article 32/NIS 2 Art. 21” by business line: mapping processing and high‑risk accounts, defining the “phishing‑resistant MFA” policy, and producing auditor‑ready evidence (logs, enrollment rates, testing).
  • Our outsourced DPOs and CISOs: security impact analysis (required AAL by scope), updates to IAM policies, processing registers, and contractual clauses (processor access), aligned with GDPR/NIS 2. For execution, leverage our outsourced CISOs.
  • Our managed SOC: ingest FIDO2/WebAuthn authentication signals (success/failure, reported origin, and any non‑WebAuthn attempt by an account that should be phishing‑resistant) into the SIEM, correlate them with smishing reports and newly registered look‑alike domains, and raise real‑time alerts on attempted bypasses. See our managed SOC service.

Practically, we follow four sprints: (1) assess active factors (where OTP persists); (2) run a FIDO2 pilot on a critical perimeter (admins + treasury) with hardware keys and passkeys; (3) scale by app/business unit; (4) retire “phishable” factors and switch SOC playbooks.

Real‑world case in Luxembourg or the EU

A Luxembourg financial firm subject to NIS 2 and CSSF circular 22/806 faced waves of smishing targeting its client portals. In six weeks we: (i) enforced WebAuthn/FIDO2 for administrators and treasury; (ii) migrated internal access to passkeys bound to managed laptops; (iii) disabled SMS/TOTP on financially impactful apps; (iv) integrated authentication logs into the SOC. Result: no account takeovers during subsequent campaigns (relayed OTP attempts failed by design), and an audit pack ready to demonstrate adequacy under Article 32 and, for NIS 2, Article 21(2)(j).

First concrete steps

  1. Map your factors: list apps still relying on SMS/voice/TOTP this week. Prioritize admins, finance, HR, VPN, CRM/ERP, email, and critical SaaS.
  2. Enable FIDO2/WebAuthn in your IdP (Entra ID/Okta) for a pilot group of admins + one sensitive BU. Provide 2 methods per person (key + passkey) and a recovery channel.
  3. Block weak fallbacks: disallow OTP/SMS as backup on the pilot scope. PhaaS kits specifically capture these codes.
  4. Monitor: send authentication logs (method, origin, WebAuthn failures, non‑WebAuthn attempts by users in the phishing‑resistant scope) to the SIEM. Treat any hit in proxy/DNS logs on the seized domains, which now redirect to the FBI notice page, as evidence that a user was lured, and keep those domains blocklisted; a managed detection service can maintain that list for you.
  5. Train and communicate: 30 minutes of targeted “smishing” e‑learning for at‑risk teams, concrete examples, and one‑click reporting. Rely on cyber awareness programs.
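The SOC correlation described in the managed SOC bullet above and in step 4, as an added example that is not code from the article or from any SIEM vendor. It runs three detection rules in Go over constructed IdP sign‑in events: a WebAuthn failure whose reported origin is not a genuine login origin (browsers normally stop this before it reaches the IdP, so such an event means a hand‑crafted assertion was submitted), a phishable factor accepted for an account that is supposed to be phishing‑resistant (a policy gap the kit can walk through), and a phishable factor merely attempted for such an account (a relayed code the IdP refused, which still tells you the user was lured). The field names, user names, application names and sample log lines are assumptions made for the example and do not follow any vendor’s export schema.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// signInEvent is a simplified IdP sign-in record as it might land in a SIEM. The field
// names are assumptions made for this example, not any vendor's export schema.
type signInEvent struct {
	Time   string `json:"time"`
	User   string `json:"user"`
	App    string `json:"app"`
	Method string `json:"method"` // webauthn | totp | sms | password
	Result string `json:"result"` // success | failure
	Reason string `json:"reason,omitempty"`
	Origin string `json:"origin,omitempty"` // origin from clientDataJSON, WebAuthn attempts only
}

// alert is what the playbook would forward to the on-call analyst.
type alert struct {
	Rule, User, Detail string
}

// scope is the phishing-resistant policy the detections are checked against.
type scope struct {
	Users          map[string]bool // accounts that must only authenticate with WebAuthn
	AllowedOrigins map[string]bool // genuine login origins of the IdP
}

// detect walks raw JSON lines and emits at most one alert per event:
//  1. webauthn_origin_mismatch: a WebAuthn failure carrying an origin outside the allow-list.
//  2. phishable_factor_accepted: sms/totp/password succeeded for an in-scope account (policy gap).
//  3. phishable_factor_attempt: a phishable factor was tried for an in-scope account and refused,
//     which is what a relayed OTP looks like once the fallback has been disabled.
func detect(lines []string, s scope) ([]alert, error) {
	var out []alert
	for _, ln := range lines {
		var e signInEvent
		if err := json.Unmarshal([]byte(ln), &e); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", ln, err)
		}
		inScope := s.Users[e.User]
		switch {
		case e.Method == "webauthn" && e.Result == "failure" && e.Origin != "" && !s.AllowedOrigins[e.Origin]:
			out = append(out, alert{"webauthn_origin_mismatch", e.User, e.Origin})
		case inScope && e.Method != "webauthn" && e.Result == "success":
			out = append(out, alert{"phishable_factor_accepted", e.User, e.Method + " on " + e.App})
		case inScope && e.Method != "webauthn":
			out = append(out, alert{"phishable_factor_attempt", e.User, e.Method + " (" + e.Reason + ")"})
		}
	}
	return out, nil
}

// sampleLines are constructed for this example; none of them is a real log record.
var sampleLines = []string{
	`{"time":"2026-06-16T08:01:02Z","user":"treasury1","app":"banking-portal","method":"webauthn","result":"success","origin":"https://login.example.com"}`,
	`{"time":"2026-06-16T08:03:10Z","user":"treasury1","app":"banking-portal","method":"webauthn","result":"failure","reason":"origin_mismatch","origin":"https://login-example-secure.com"}`,
	`{"time":"2026-06-16T08:03:41Z","user":"treasury1","app":"banking-portal","method":"totp","result":"failure","reason":"method_not_allowed"}`,
	`{"time":"2026-06-16T08:05:00Z","user":"admin2","app":"vpn","method":"sms","result":"success"}`,
	`{"time":"2026-06-16T08:06:30Z","user":"intern7","app":"wiki","method":"totp","result":"success"}`,
}

// sampleScope puts treasury and admin accounts in the phishing-resistant scope; intern7 is not.
func sampleScope() scope {
	return scope{
		Users:          map[string]bool{"treasury1": true, "admin2": true},
		AllowedOrigins: map[string]bool{"https://login.example.com": true},
	}
}

func main() {
	alerts, err := detect(sampleLines, sampleScope())
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-26s %-10s %s\n", a.Rule, a.User, a.Detail)
	}
}
```

On the sample data the intern’s TOTP login produces nothing, because the account is outside the phishing‑resistant scope; the treasury account produces two alerts within a minute (foreign origin, then a refused TOTP), which is the pattern to page on, and the admin’s successful SMS login on the VPN is the policy regression to fix the same day.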

Key message for leadership in Luxembourg, Belgium, France, Germany, and across the EU: with PhaaS kits able to capture passwords and one‑time codes and relay them in real time, phishing‑resistant MFA (FIDO2/WebAuthn) is no longer a “nice to have”. It is the measure a regulator will read as “appropriate” under GDPR Article 32, and multi‑factor authentication is explicitly listed among the NIS 2 Article 21(2) measures. “Here’s what just happened; here’s how to prevent it.”
