Phishing kits soared in popularity last year as rookie hackers ramped up DIY cyber attacks
As PhaaS kits increase in sophistication, organizations should be on the alert
The number of known Phishing as a Service (PhaaS) kits doubled last year, according to new research, with enterprises warned about a looming onslaught of social engineering attacks in 2026 and beyond.
Across the year, 90% of high-volume phishing campaigns leveraged PhaaS kits, researchers at Barracuda found. These make it easier for lower-level cyber criminals to access advanced tools to wage large-scale attacks.
The new kits are sophisticated, evasive, and stealthy, Barracuda noted, with Whisper 2FA and GhostFrame introducing inventive and evasive tools and tactics, including a suite of techniques to prevent analysis of their malicious code.
Established groups in this space, such as Mamba and Tycoon, continued to evolve and thrive. Each kit was behind millions of attacks, with 10 million Mamba 2FA attacks in late 2025 alone.
The main tools were multi-factor authentication (MFA) bypass and URL obfuscation techniques, both seen in 48% of attacks. Attackers also added open redirects and human verification steps, making phishing URLs appear authentic and harder to block.
Polymorphic techniques and the use of malicious QR codes were each seen in around 20% of attacks, and malicious attachments in 18%.
Crucially, researchers warned attackers have now begun splitting QR codes into multiple images or nesting malicious codes within or around legitimate ones to evade detection by email security tools.
“Phishing kits shifted up another level in 2025 as they increased in number and sophistication, bringing advanced, full-service attack platforms to even less-skilled cybercriminals and enabling them to launch powerful attacks at scale,” said Ashok Sakthivel, director of software engineering at Barracuda.
Phishing lures remain largely unchanged
While techniques may have evolved, the main phishing lures have remained broadly the same – fake payments, financial, legal, digital signature, and HR-related messages.
One in five emails related to payment and invoice scams, the Barracuda study found. Digital signature and document review emails accounted for 18% of attacks, with HR-related documents featuring in 13%.
Many exploited trusted brand names, mimicking websites and logos, including Microsoft, DocuSign, and SharePoint with increasing accuracy.
New kits include Sneaky 2FA, an advanced phishing kit leveraging adversary-in-the-middle (AitM) techniques to bypass two-factor authentication, and CoGUI, a sophisticated kit designed with advanced evasion and anti-detection capabilities.
The latter of these is commonly used by Chinese-speaking threat actors, Barracuda noted.
“The kits feature techniques designed to make it harder for users and security teams to detect and prevent fraud,” said Sakthivel.
“To stay protected, organizations need to move past static defenses and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and to ensure email security sits at the heart of an integrated, end-to-end security strategy.”
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.