The rise of PhaaS: what businesses should know

With phishing as a service (PhaaS) on the rise, which new kits should firms know about and how can leaders avoid being caught out?

[Illustration: phishing as a service depicted as bugs, keys, fingerprints, bitcoins, shields and eyes surrounding a fish hook. Image credit: Getty Images]

Phishing is a simple tactic, but it works. It’s therefore no surprise that phishing as a service (PhaaS) – which allows adversaries to perform the attacks at scale – is on the rise.

The number of known PhaaS kits doubled last year, according to new research from Barracuda, whose researchers found that 90% of high-volume phishing campaigns across the year leveraged PhaaS kits. The new kits are sophisticated, evasive and stealthy.

Which PhaaS kits should firms know about, and how can businesses avoid being caught out by phishing attacks?

PhaaS kits

The fast-growing availability of PhaaS kits gives cybercriminals with limited technical capabilities the means to breach companies. The volume of attacks adversaries can deliver using PhaaS kits is “astounding”, says Harry Mason, head of client services at Mason Infotech.

Of the notable kits now available, he calls out GhostFrame, which creates an invisible iframe on webpages to hide malicious activity. “By the time this was discovered in December, it had already been used in over a million attacks.”
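As an added illustration of how a defender might flag the invisible-iframe technique described above (this is not code from the Barracuda research or from any kit named here), the Python check below parses a page and reports every iframe a user could not see; the sample HTML and hostnames are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not from any real kit): one visible iframe, three hidden.
SAMPLE_HTML = """<html><body>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="https://cdn-assets.example/frame" style="display:none"></iframe>
<iframe src="https://cdn-assets.example/px" width="0" height="0"></iframe>
<iframe src="https://cdn-assets.example/off" style="position:absolute; left:-9999px"></iframe>
</body></html>"""

# CSS that keeps an element live in the DOM but invisible to the user.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?(?![\d.])", re.I)
OFFSCREEN_CSS = re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I)


class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # Valueless attributes such as a bare `hidden` arrive with value None.
            self.iframes.append({k: ("" if v is None else v) for k, v in attrs})


def hidden_reason(attrs):
    """Return why the iframe is invisible to the user, or None if it is visible."""
    style = attrs.get("style", "")
    if "hidden" in attrs:
        return "hidden attribute"
    if HIDDEN_CSS.search(style):
        return "css hidden"
    if OFFSCREEN_CSS.search(style):
        return "positioned off-screen"
    if any(attrs.get(d, "").strip() in ("0", "1") for d in ("width", "height")):
        return "zero-size attribute"  # 0x0 or 1x1 pixel frames
    return None


def find_hidden_iframes(html):
    """Return [(src, reason)] for every iframe that would not render visibly."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    found = [(f.get("src", ""), hidden_reason(f)) for f in parser.iframes]
    return [(src, why) for src, why in found if why]
```

Running `find_hidden_iframes(SAMPLE_HTML)` flags the three concealed frames and ignores the visible embed; in practice the hits would be fed to a mail or web-proxy inspection pipeline for review.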

Tycoon 2FA and Typhoon are also prominent examples of PhaaS. Other kits include Quantum Route Redirect, which steals Microsoft 365 credentials, and Whisper 2FA, which steals multi-factor authentication (MFA) codes in real time.

Another prominent kit is Greatness, which targets Microsoft 365 credentials through adversary-in-the-middle techniques.

A new phishing kit named Spiderman, identified in December 2025, targets customers of major European banks. It works via fraudulent login pages that “perfectly mimic” legitimate financial institutions to steal login credentials, according to Matt Hull, global head of threat intelligence at NCC Group.

At the same time, an adversary-in-the-middle platform named Mamba 2FA has grown in popularity. Hull says Mamba 2FA has been on the rise since late 2023 and is noted for its operational efficiency.

Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, highlights EvilProxy as a kit that bypasses MFA using reverse-proxy methods. “These platforms provide customer support for cybercriminals, as well as comprehensive dashboards, automated credential harvesting and real-time victim tracking,” he says.

The sale and distribution of PhaaS offerings typically takes place through Telegram channels and private groups, says Hull. “This allows PhaaS operators to share updates and set up user-friendly cryptocurrency payment systems using automated bots.”

Stealing credentials

PhaaS kits are primarily used to steal credentials and hijack authenticated sessions, allowing attackers to take over email, cloud and business systems. “While often framed as ‘email phishing’, the real impact is account compromise, which can lead to business email compromise, financial fraud, data theft – and in some cases ransomware access,” Hull says.

Increasingly, PhaaS is being deployed for initial access operations, where stolen credentials are sold to ransomware groups. “Alternatively, these credentials can be used to establish persistent access within corporate networks,” adds Curran.

MFA bypass has become a standard feature, with kits employing adversary-in-the-middle techniques to intercept one-time codes in real time, he tells ITPro.

PhaaS is also becoming part of supply chain attacks, where compromised vendor credentials provide entry points into multiple downstream organizations, according to Curran. “Session hijacking capabilities allow attackers to maintain access even after passwords are changed.”
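To make Curran's point about session hijacking concrete, here is an added Python sketch (not from ITPro or any speaker quoted here) contrasting an expiry-only session check with one that also rejects sessions issued before the most recent credential reset; the account, token names and timeline are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SESSION_LIFETIME = timedelta(hours=8)


@dataclass(frozen=True)
class Session:
    token_id: str
    user: str
    issued_at: datetime


@dataclass
class Account:
    user: str
    credentials_changed_at: datetime                 # last password or MFA reset
    sessions_revoked_at: Optional[datetime] = None   # explicit "sign out everywhere"


def naive_is_valid(session: Session, now: datetime) -> bool:
    """Expiry-only check: a captured session cookie stays usable until it times out."""
    return now - session.issued_at <= SESSION_LIFETIME


def session_is_valid(session: Session, account: Account, now: datetime) -> bool:
    """Accept only unexpired sessions issued after the latest reset or revocation."""
    if session.user != account.user or not naive_is_valid(session, now):
        return False
    cutoff = account.credentials_changed_at
    if account.sessions_revoked_at and account.sessions_revoked_at > cutoff:
        cutoff = account.sessions_revoked_at
    return session.issued_at > cutoff


def demo() -> dict:
    """Constructed timeline: session captured at login, password reset ten minutes later."""
    login = datetime(2025, 12, 1, 9, 0, tzinfo=timezone.utc)
    account = Account("alice", credentials_changed_at=login - timedelta(days=30))
    captured = Session("tok-captured-at-login", "alice", issued_at=login)
    account.credentials_changed_at = login + timedelta(minutes=10)  # victim resets password
    check_at = login + timedelta(minutes=30)                        # attacker replays token
    fresh = Session("tok-new", "alice", issued_at=login + timedelta(minutes=11))
    return {
        "naive_after_reset": naive_is_valid(captured, check_at),               # still accepted
        "reset_aware_after_reset": session_is_valid(captured, account, check_at),  # cut off
        "fresh_session_after_reset": session_is_valid(fresh, account, check_at),   # legitimate
    }
```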

PhaaS targets

No one is immune from the cybercriminals harnessing PhaaS. Experts say phishing attacks can impact any firm, regardless of size.

There's a common misconception, especially among SMBs, that they’re “not big or important enough to be a phishing target”, says Christophe Tafani-Dereeper, staff cloud security researcher and advocate at Datadog. “But in our experience, phishing attacks are ubiquitous, targeting organizations at almost every level. Nearly everyone will receive one at some point.”

PhaaS kits are “indiscriminate by design”, agrees Curran. Yet he acknowledges that some sectors face an increased risk. For example, healthcare and professional services firms are prime targets due to their valuable data and transaction capabilities.

At the same time, the subscription model of PhaaS means attackers can maintain campaigns across multiple sectors simultaneously, testing social engineering approaches until they find a successful method. “Any organization with an online presence and valuable data or financial access is now within reach of these industrialised phishing operations,” Curran warns.

PhaaS evolution

In the future, phishing attacks will become even easier for criminals as PhaaS platforms are supercharged by technology such as AI.

Cybercriminals are already leveraging AI to hide their phishing websites, says Tafani-Dereeper. “When someone who's not a targeted victim visits the phishing website, they are shown a legitimate-looking page masquerading as a local business,” he explains. “We've seen dozens of variations across a large number of domains, which makes us believe this is tied to one or multiple PhaaS platforms.”

Further down the line, Curran predicts AI-generated content that adapts in real-time based on victim interactions. “This would be able to create convincing conversational phishing attempts via multiple channels simultaneously.”

He thinks deepfake technology will be used more widely, allowing attackers to impersonate individuals through voice and video with “alarming authenticity”.

In the PhaaS industry itself, Mason predicts the same kind of developments seen in SaaS markets: “An introduction of 'tiered' subscriptions for kits, better customer service and, in some areas, planned obsolescence to make the act of committing cybercrime more expensive.”

The business model could also shift towards profit-sharing arrangements rather than subscriptions, aligning incentives between kit developers and attackers, he adds. “Integration with other criminal services such as automated money laundering and ransomware deployment will create comprehensive ‘attack-as-a-service’ ecosystems.”

Business action

Stealthy and sophisticated PhaaS kits pose a growing threat, but experts say the solution is fairly simple: a combination of technical and human-centric security measures.

As a foundational defense, Tafani-Dereeper recommends implementing “phishing-resistant authentication methods” in critical systems such as Microsoft 365 or Google Workspace.

For example, Microsoft Entra ID passkeys and Google Workspace passkeys will help to enhance security and “make the user experience more seamless”, he says.

Alongside this, regular employee training is essential. Rather than a once-a-year exercise, training should use ongoing simulations based on current PhaaS tactics to build genuine recognition skills, Curran advises. “Ultimately, organizations must recognize that technical defences alone are insufficient against industrialised social engineering. Building a security-conscious culture is equally critical.”

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.