
Phishing-as-a-Service: How it fuels today’s cyber attacks

According to the 2023 Comcast Business Cybersecurity Threat Report, 80% to 95% of cyber threats start with a phishing attack. Cybercriminals rely on phishing as an entry point to valuable and sensitive data. The recent numbers suggest that it continues to be one of the most expensive and pervasive email threats. Starting with a simple email that uses deceptive techniques, such as username impersonation, domain impersonation, and persuasive language to get the recipient to trust the email, the threat actor drives the attack to attain their motive.

While some cybercriminals do their groundwork to launch a threat, that's not the case with all threat actors. Instead of putting in their own work, some lesser-skilled cybercriminals turn to the dark web to gather information that will help them launch a successful attack. To equip these cybercriminals, expert threat actors provide Phishing-as-a-Service (PhaaS). The kits they provide enable other criminals to impersonate companies and launch attacks. 

Organizations and security admins across the globe need to understand these evolving models to handle them efficiently and protect their data. In this article, we'll explore what PhaaS is, how it works, its impact on the current cyber threat landscape, and how organizations can protect themselves from it. 

What is phishing?

Phishing is a cyberattack in which threat actors use deceptive techniques to extract sensitive information, such as account credentials, financial data, credit card numbers, or other personally identifiable information (PII), from unassuming recipients. Threat actors then use the extracted information to propagate further attacks, or misuse stolen data such as Social Security numbers and credit card numbers to take over identities or conduct fraudulent financial transactions.

Phishing attacks have been around for decades now. However, the nature of these attacks is consistently evolving. Emails that began with bad grammar and incorrect spelling, with zero to minimal research into their targets, have now morphed into sophisticated AI-generated emails with in-depth research on their target organizations and individuals.

What is Phishing-as-a-Service?

Cybercriminals are increasingly turning to simpler ways of carrying out these attacks. To equip other threat actors with the material needed to launch attacks, experts are providing it as a service on the dark web. 

PhaaS is a subscription-based cybercrime model that provides everything a threat actor needs to launch sophisticated cyberattacks and get results. It provides all of the necessary data through a phishing kit. The kit usually contains official email addresses, stolen credentials or credit card numbers, phishing email templates with commonly used company logos, fake attachments, and other such data. 

How does PhaaS work?

PhaaS works on a subscription model just like any other online service offered on the internet. Skilled cybercriminals who are usually field experts put together a kit that contains all of the necessary tools and materials required to launch a phishing attack. These kits used to be available only on the dark web, but they are now also surfacing in other places on the internet.

These kits are purchased mostly by other threat actors who are looking to get their hands on ready-to-use phishing materials but don't have the sufficient expertise to craft sneaky emails or genuine-looking websites. These kits are often available starting as low as $40 to increase the scale and volume of purchases. 

Apart from one-time purchases, PhaaS also provides subscription-based models with different tiers. The higher tiers offer advanced tools and resources to facilitate the attack. Like every other online service, PhaaS vendors also provide discounts and use marketing as an aid to drive sales. 

What does a phishing kit include?

Typically, phishing kits include all of the information a threat actor may need to launch a phishing campaign.

  • Email templates that emulate the content, logos, and design followed by popular brands such as Amazon, Microsoft, Dropbox, and others.
  • A list of email addresses that can be targeted using the email. This may include both organizational and personal addresses based on the context.
  • Website templates to build a legitimate-looking website of the company they're impersonating.
  • Bulk email sending systems to launch the phishing attack at a large scale.
  • Dashboards and analytics to gain quick insights about the victims of the attack, click-through rates, and the phished information.
  • Updates and enhancements for subscription-based models to ensure that the threat actors have access to newer attack methods.
  • Continuous support and monitoring of the campaign, including help with the kit when clients run into technical issues.
  • Servers and other infrastructure to host the fake website without leaving a trace.

In certain cases, the PhaaS vendor also sets up workflows to ensure that they get a copy of the information that their client has phished. This helps them build more kits that they can position differently and attract newer clientele. 

How does PhaaS help cybercriminals?

PhaaS platforms provide clear advantages that fuel cybercriminals' operations. Let's go through some of the ways in which it helps criminals.

Aids with attacks at scale

PhaaS lets criminals launch thousands of phishing emails or websites in minutes. The automation built into these kits means campaigns can target multiple organizations or geographies simultaneously, dramatically increasing their reach.

Lowers barrier to entry

Even individuals with no technical expertise can become attackers. PhaaS kits are pre-built, subscription-based, and often come with tutorials, making phishing campaigns accessible to anyone with intent, not just skilled hackers.

Reduces risk

Because PhaaS providers handle much of the technical setup and hosting, attackers avoid leaving digital fingerprints that could be traced back to them. This anonymity lowers the chance of exposure or prosecution.

Offers customization options

Many PhaaS kits allow criminals to tailor phishing pages, mimic specific brands, or tweak campaigns to suit their targets. This customization makes attacks more convincing and boosts the likelihood of success.

Ability to bypass security filters

Advanced PhaaS platforms integrate techniques like CAPTCHA challenges, obfuscation, or reverse proxies. These tools help criminals evade detection by standard email security filters, ensuring that their phishing emails land in victims’ inboxes.

Famous PhaaS platforms

Several PhaaS platforms have gained notoriety for their advanced tactics. Some of them are:

Tycoon 2FA: Their phishing kit bypasses MFA by intercepting session cookies, enabling attackers to hijack accounts and access sensitive systems without needing users’ second authentication factor.

EvilProxy: EvilProxy is a widely known PhaaS platform that offers reverse proxy-based phishing kits. It helps attackers steal credentials and bypass MFA for popular brands such as Google, Microsoft, and Apple.

Sneaky 2FA: Sneaky 2FA is a phishing kit designed to trick users into entering login credentials and authentication codes. It uses proxy techniques to capture both, allowing seamless account takeover by cybercriminals.

The impact of PhaaS on the threat landscape

PhaaS has led to a significant increase in phishing attacks. Let's take a look at some of the other ways in which PhaaS is affecting the cyber threat landscape. 

Increased volume of cyberattacks

PhaaS has industrialized phishing, leading to a drastic increase in attack volume. With kits and subscription models, attackers can launch hundreds of campaigns simultaneously, targeting millions of inboxes worldwide. Barracuda reported that PhaaS operations fueled more than one million phishing attempts over just two months in 2025, highlighting how low-cost scalability is reshaping the threat environment. For defenders, this means facing not just occasional threats but a constant inflow of malicious emails.

Rapid evolution of techniques

PhaaS has accelerated the attack cycle. Where once attackers relied on crude, text-heavy emails, today’s kits incorporate AI-driven lures, cloned websites, and novel payloads such as SVG attachments or QR codes (quishing). Criminal groups continuously update their kits, rolling out new evasion tricks almost as fast as defenders can adapt. This rapid evolution ensures that phishing campaigns feel convincing, exploiting the latest trends and vulnerabilities before organizations have time to strengthen their defenses.

Sophisticated bypass tactics

Modern PhaaS offerings include advanced techniques designed to slip past security filters. Attackers use obfuscated code, CAPTCHA challenges, and reverse proxy tools to bypass MFA. Many kits are built to evade DMARC and SPF checks, rendering traditional email security less effective. This sophistication allows even novice cybercriminals to deploy attacks that appear highly legitimate, forcing organizations to confront seemingly genuine business communications.

Diverse target profile

The availability of PhaaS has broadened the target landscape beyond high-profile corporations. Small and medium-sized businesses, educational institutions, and even nonprofits are now frequent victims because attackers no longer need to focus solely on high-reward targets. This democratization of phishing risk means no sector or geography can feel safe anymore.

Increased detection and recovery time

Because PhaaS campaigns are more convincing and technically advanced, organizations often take longer to detect and contain them. Attackers exploit this delay to harvest credentials, conduct lateral movement, or sell access on underground markets. Studies show it can take nearly three months on average to remediate exposed credentials, giving adversaries a dangerous window of opportunity. 

Key strategies to protect your organization

Phishing attacks created using AI and PhaaS tools may not always be visible to the human eye. However, there are certain key strategies that every organization can implement to ensure that their business and employees stay protected. 

Improve employee awareness

Humans are always the first line of defense in a company. They should be well-equipped to handle any email threat that comes in. This doesn't just mean spotting the threat and avoiding engaging with it. It also extends to alerting the organization's admins and taking all of the necessary measures to ensure that other employees who may have received similar emails are informed. 

For employees to be aware of the right protocol to follow in such situations and to be able to identify a suspicious email, they need to be trained effectively. Conduct periodic security awareness training sessions in which users attend structured workshops to learn about the most recent email threats and how to spot them. Phishing simulation exercises are also a must because they help admins identify users who are not cyber aware and conduct additional training accordingly.

While these trainings will help users be more aware, it's important for organizations to build a security-first culture. Following a top-down approach in ensuring secure emailing practices goes a long way in building a well-rounded approach.

Always verify the sender

The most common indicator of phishing emails is a mismatch in the sender details. Always check the username and domain address before you engage with any email. This even goes for emails that don't look suspicious, because threat actors may hijack existing conversations after an account takeover. Educate your users to check whether the sender name (username) matches the sender's actual email address. It's also vital to check that the sender domain doesn't have any spelling errors. Lookalike domains, which differ from well-known domains by a subtle misspelling, are frequently used in phishing attempts.
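The sender checks described above can also be automated at the mail gateway or in a triage script. The following is an added example, not code from the original article or from eProtect: it parses a constructed message, flags a display name that claims a different address than the real sender, a Reply-To pointing at another domain, non-ASCII (homoglyph) characters in the domain, and lookalike or embedded versions of a small allowlist of trusted domains (the allowlist and the sample message are assumptions made up for the example).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of domains the organization regularly deals with.
TRUSTED_DOMAINS = {"microsoft.com", "amazon.com", "dropbox.com", "example-corp.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_findings(domain):
    """Return a list of reasons a sender domain looks like an impersonation."""
    findings = []
    if any(ord(c) > 127 for c in domain):
        findings.append("non-ASCII characters in domain (possible homoglyph)")
    for t in sorted(TRUSTED_DOMAINS):
        if domain == t or domain.endswith("." + t):
            continue  # the trusted domain itself or a real subdomain of it
        if edit_distance(domain, t) <= 2:
            findings.append(f"lookalike of {t}")
        elif t in domain:
            findings.append(f"{t} embedded in unrelated domain")
    return findings

def check_sender(raw_message):
    """Parse the From/Reply-To headers of a raw RFC 822 message and list red flags."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ["missing or unparsable From address"]
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    claimed = re.search(r"[\w.+-]+@([\w.-]+)", name)  # address smuggled into display name
    if claimed and claimed.group(1).lower() != domain:
        findings.append(f"display name claims {claimed.group(0)} but sender is {addr}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and reply.rsplit("@", 1)[-1].lower() != domain:
        findings.append(f"Reply-To {reply} points to a different domain")
    return findings + domain_findings(domain)

# Constructed sample: a lure whose display name mimics a real Microsoft address.
SUSPICIOUS = ('From: "Microsoft Security security@microsoft.com" <alerts@micros0ft.com>\n'
              "Reply-To: collect@mail-drop.example.net\nSubject: Action required\n\nSign in now.")
```

Running `check_sender(SUSPICIOUS)` yields three findings (display-name mismatch, Reply-To mismatch, lookalike of microsoft.com); a clean internal message returns an empty list.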

Enforce strong access controls

It's important to follow a zero-trust architecture and enforce role-based access controls (RBAC) across your organization. This way, only the employees who need access to certain data will have it, and you can ensure that it doesn't end up in the wrong hands. Adopt the principle of least privilege and ensure that every sensitive action requires multiple levels of approval. With these measures in place, high-value money transfers or wrongful sharing of sensitive information can be avoided.

Ensure that your organization's users have MFA enabled for all of their accounts. This way, even if a threat actor gains access to their credentials, this additional layer of security can prevent them from accessing data. 

Ensure that security leaders are aware

Form a strong cybersecurity team to take care of your organization's security needs. They should work from the ground up, finding the existing gaps in your company's security systems and remediating them as required. They should pick the right security solutions for your email, endpoints, and network, ensuring a well-rounded approach. Your organization's security leaders must keep up with current cyber threat trends as well as phishing and malware marketplaces on the dark web, and be an active part of educating employees about these trends.

By staying updated on PhaaS and Ransomware-as-a-Service (RaaS) tools, your cybersecurity team can ensure that your company's data isn't leaked anywhere and contribute towards taking measures to ensure that your company doesn't fall prey to cybercriminals.

Follow a multi-layered security approach

While many essential steps can be taken by an organization's security leaders and employees, it's not possible for every threat to be spotted by the human eye. It's critical to follow a multi-layered security approach. By ensuring scanning and monitoring at every level of the email delivery process, the software can check for emails' legitimacy at the connection level, content level, and by scanning the email sender details for any anomalies and previous patterns. 

These measures, combined with post-delivery scanning and checks, ensure that an email is safe for an employee to engage with.

Check out our detailed guide on spotting phishing emails.

Wrapping up

Phishing has always been one of the most effective weapons in a cybercriminal’s arsenal, but the rise of PhaaS has taken it to a whole new level. By lowering the barrier to entry and industrializing the attack process, PhaaS has made sophisticated phishing campaigns accessible to anyone with malicious intent. 

This makes it evident that traditional defenses are no longer enough. Combating PhaaS requires a layered approach that combines advanced email security technologies with strong authentication, continuous monitoring, and a culture of security awareness across the workforce. Cybercriminals have professionalized their operations, and it's high time our defense follows the same approach.


eProtect is a cloud-based email security and archiving solution that provides an additional layer of security for email accounts. The solution offers advanced threat detection mechanisms that can secure on-premise and cloud email accounts from evolving email threats. eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users.
