Examining the quarantined mail on the server revealed some interesting details starting from the mail header itself. These phish kits are archives which just need to be extracted to a compromised server. All a cybercriminal needs to do is edit one of the files in that package and input a mail address where harvested information should be sent to. The twist is not only does the information get sent to the designated email address, but to another cybercriminal as well. Less experienced bad guys might not realize that they re sharing their ill-gotten gains with other, more technically savvy, blackhats.
Source: https://threatpost.com/business-phishing-101309/72250/