category threat
published March 2026
read_time 14 min
focus PhaaS / AitM / MFA bypass

Phishing-as-a-Service: The 2026 Landscape

Phishing-as-a-Service crossed a threshold in 2025. The number of active kits doubled. Ninety percent of high-volume credential compromise campaigns now run on pre-packaged platforms. MFA — long treated as an adequate control — is no longer a reliable barrier. This briefing covers where the PhaaS market is, how the leading kits operate, and what defenders need to adjust.

For years, phishing was a craft. Threat actors needed to build infrastructure, write convincing lures, craft believable login pages, and handle credential exfiltration manually. Skill was a rate limiter. That rate limiter is largely gone. PhaaS platforms package every component of a phishing campaign — domains, pages, backend relay, exfiltration, evasion, and often customer support — into subscription-based services sold on Telegram and private forums. The buyer needs no technical depth. They configure a target brand, select a tier, and deploy.

The 2025 data makes the scale concrete. Barracuda's threat research team documented a doubling in the number of known PhaaS kits active in the wild during 2025. By year-end, 90% of high-volume phishing campaigns tracked by their analysts were leveraging these ready-made toolchains. Looking forward, Barracuda projects that by the end of 2026, over 90% of all credential compromise attacks will be enabled by phishing kits, accounting for more than 60% of all phishing incidents. This is no longer a niche technique. PhaaS is the dominant delivery mechanism for credential theft at scale.

The PhaaS Business Model

PhaaS operates like a legitimate SaaS business — structurally, at least. Operators develop and maintain the underlying kit, update it to evade new detections, provide infrastructure, and offer support channels. Affiliates subscribe or purchase access, configure campaigns, and execute attacks. Revenue splits, tiered feature access, and Telegram-based customer support are standard. The criminal ecosystem has industrialized.

Pricing is accessible. Tycoon 2FA — one of the dominant AitM kits until its March 2026 takedown — sold 10-day panel access for around $120 and monthly access for roughly $350, with pricing varying by tier. Darcula, the mobile-focused smishing platform, leased its service for $300 to $500 per week with brand templates and SMS gateway integration included. For operators running thousands of campaigns per month, these costs represent margins, not barriers.

what PhaaS kits typically include

A full-featured PhaaS kit generally ships with: high-fidelity brand impersonation templates (Microsoft 365, Gmail, DocuSign, SharePoint and others), a backend relay or credential capture server, stolen data exfiltration via Telegram bot, CAPTCHA gating to filter automated scanners, domain rotation infrastructure, an admin dashboard with real-time logs, and update cycles to stay ahead of detection signatures. Higher-tier kits add AitM proxying for MFA bypass, AI-generated lure customization, and anti-analysis code obfuscation.

The competitive dynamics mirror the legitimate software market. Kit developers race to add features, respond to detection, and undercut rivals on price. When a major platform gets disrupted — as happened with Tycoon 2FA in early 2026 — customers migrate to alternatives within days. The ecosystem absorbs takedowns quickly. Infrastructure is cheap and replaceable. Operators are distributed globally. The playbook for disruption works, but victory is never permanent.

Adversary-in-the-Middle: Why MFA Is No Longer Enough

The defining technical evolution in the PhaaS landscape is the widespread adoption of Adversary-in-the-Middle (AitM) architecture. Traditional phishing kits captured passwords. AitM kits capture authenticated sessions — including the session cookies that persist after MFA has been completed. The difference is significant. A stolen password is worthless against an account protected by MFA. A stolen session cookie bypasses MFA entirely, because the authentication has already happened.

Here is how AitM proxying works in practice. The victim receives a phishing email containing a link to a convincing fake login page. That page is not static HTML — it is a reverse proxy that sits between the victim's browser and the legitimate identity provider. When the victim enters credentials, the proxy relays them to the real service (Microsoft, Google, or others) in real time. The real service responds with an MFA challenge — an SMS code, a push notification, a TOTP prompt. That challenge is displayed to the victim through the proxy. The victim completes it. The real authentication succeeds. The proxy captures the resulting session cookies. The attacker now holds a valid authenticated session and can replay it — often immediately — without ever needing the user's password or MFA token again.

# Simplified AitM flow
victim browser  -->  attacker proxy server  -->  legitimate IdP (Microsoft/Google)
                     [captures credentials]       [performs real authentication]
                     [relays MFA challenge]       [issues session cookies]
                     [captures session cookie]
                     [returns decoy error page to victim]

# Attacker outcome: valid session cookie, no password needed, MFA is irrelevant

critical implication

SMS-based MFA, TOTP codes (authenticator apps), push notifications, and email-based OTPs are all bypassable by AitM kits. None of these methods are phishing-resistant. The only MFA implementations that resist AitM attacks are those that cryptographically bind authentication to the origin — specifically FIDO2 hardware security keys and passkeys. Implementing MFA without regard to the method is not sufficient protection against current PhaaS tooling.
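The origin binding described above, as an added illustration that is not code from the briefing or from any kit or vendor. It models the browser writing the origin it is really connected to into the signed client data, and the relying party rejecting an assertion produced while the browser was talking to a proxy domain; as a labelled simplification, a per-credential HMAC key stands in for the FIDO2 key pair, and both origins are constructed names.

```python
import hashlib
import hmac
import json
import secrets

# Simplification (assumption of this example): a per-credential HMAC key stands in
# for the FIDO2 key pair. The point is WHAT gets signed, not the signature scheme.

def authenticator_sign(cred_key: bytes, challenge: str, browser_origin: str) -> dict:
    """Browser + authenticator side of a WebAuthn-style assertion. The browser, not
    the page, writes the origin it is really connected to into clientDataJSON, and
    the authenticator signs over a hash of that structure."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    )
    digest = hashlib.sha256(client_data.encode()).digest()
    signature = hmac.new(cred_key, digest, hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": signature}

def signature_ok(cred_key: bytes, assertion: dict) -> bool:
    """Signature check only, with no origin check, to show that it is not enough."""
    digest = hashlib.sha256(assertion["clientData"].encode()).digest()
    expected = hmac.new(cred_key, digest, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])

def rp_verify(cred_key: bytes, expected_origin: str, challenge: str, assertion: dict):
    """What the relying party (the real IdP) checks before accepting the login."""
    data = json.loads(assertion["clientData"])
    if data.get("origin") != expected_origin:
        return False, "origin mismatch: " + repr(data.get("origin"))
    if data.get("challenge") != challenge:
        return False, "challenge mismatch"
    if not signature_ok(cred_key, assertion):
        return False, "bad signature"
    return True, "ok"

LEGIT_ORIGIN = "https://login.example-idp.test"         # constructed
PROXY_ORIGIN = "https://login.example-idp-secure.test"  # constructed lookalike origin

def demo() -> dict:
    """Same credential and the same challenge (a proxy relays the real one), but two
    different origins seen by the browser."""
    cred_key = secrets.token_bytes(32)
    challenge = secrets.token_urlsafe(16)
    direct = authenticator_sign(cred_key, challenge, LEGIT_ORIGIN)
    relayed = authenticator_sign(cred_key, challenge, PROXY_ORIGIN)
    return {
        "direct": rp_verify(cred_key, LEGIT_ORIGIN, challenge, direct),
        "relayed": rp_verify(cred_key, LEGIT_ORIGIN, challenge, relayed),
        # valid signature, correct challenge, still rejected: origin is wrong
        "relayed_signature_alone": signature_ok(cred_key, relayed),
    }
```

The relayed assertion carries a valid signature over the real challenge, which is exactly why a relying party that skipped the origin comparison would accept it; the origin field is the control.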

Once session cookies are captured, they feed into a wider criminal ecosystem. Credentials and session tokens are frequently resold to access brokers, who then monetize the access through business email compromise (BEC), data theft, or ransomware deployment. A single successful AitM campaign can seed multiple follow-on attacks across multiple organizations. The initial phishing is the entry point; the ecosystem does the rest.

Notable Kits: The 2025–2026 Cohort

The PhaaS market entering 2026 splits roughly into established incumbents — large-scale platforms that have been active for years and continue to evolve — and a new generation of kits that emerged in 2025 with a focus on stealth, obfuscation, and anti-analysis over raw volume. Both categories are dangerous. Neither is declining.

Tycoon 2FA (AitM MFA bypass)

Status: Disrupted March 2026 (Europol / Microsoft / Trend Micro operation). Attributed to operator "SaaadFridi." Active August 2023 – March 2026.

Scale: Reached over 500,000 organizations per month at peak. Microsoft blocked 13M+ malicious emails tied to it in October 2025 alone. Linked to over 64,000 incidents annually.

Key technique: Synchronous reverse proxy relaying credentials and MFA tokens in real time to Microsoft or Google. CAPTCHA gating, dynamic subdomain rotation, session cookie capture.

Mamba 2FA (AitM MFA bypass)

Status: Active and surging. Close to 10 million attacks observed in late 2025 alone. One of the highest-volume kits currently in the wild.

Key technique: AitM session cookie harvesting targeting Microsoft 365. Known for continued evolution and resilience despite detection efforts.

Sneaky 2FA (AitM stealth)

Status: Active 2025. More selective and targeted than Tycoon — emphasis on low-detection, high-quality campaigns over volume.

Key technique: Direct Microsoft API interaction to validate captured credentials in real time. Browser-in-the-browser (BitB) fake login windows. Bot and sandbox evasion. Victims redirected to Microsoft-related pages after credential capture to reduce suspicion.

GhostFrame (stealth evasion)

Status: First observed September 2025. Over 1 million attacks linked to date. Rapidly expanding.

Key technique: Entire phishing framework built around iframe embedding — malicious content is hidden inside iframes loaded from dynamically generated subdomains that rotate per session. Phishing forms delivered via blob-based image streaming, bypassing static content scanners. Outer HTML appears harmless to analysis tools.

Darcula / Darcula Suite (mobile-first smishing)

Status: Active 2024–present. Stole 884,000 credit card details through 13 million fraudulent clicks across 100+ countries. Suite 3.0 introduced DIY kit generation.

Key technique: Mobile-first smishing via iMessage and RCS. Blocks desktop traffic. Darcula Suite 3.0 allows operators to generate phishing kits targeting any brand by entering a URL — Puppeteer auto-clones the target site's HTML, CSS, and JS. Network of 600+ operators, 20,000+ registered domains.

Kratos (AitM resilient)

Status: Emerged Q1 2026. Identified by KnowBe4 Threat Labs. Evolution from a former commercial Trojan/info-stealer codebase.

Key technique: Decoupled architecture with decentralized exfiltration via Telegram — designed to survive infrastructure takedowns. Multi-vector campaign support. Targeting diverse sectors globally in early campaigns.

Whisper 2FA

Whisper 2FA represents a different design philosophy than the large AitM platforms. It is lightweight and optimized for fast deployment rather than operational scale. It uses AJAX-based credential and MFA token exfiltration, avoiding the heavier reverse proxy infrastructure that makes platforms like Tycoon more detectable. Anti-analysis protections include Base64 plus XOR obfuscation layered with anti-debugging traps and script-level inspection blocks. MFA bypass is handled via a Base64-encoded list of supported methods covering push notifications, SMS, voice calls, and TOTP codes. The simplicity is the point — lower operational footprint, faster deployment, harder to fingerprint.

CoGUI

CoGUI operates in a distinct niche. Associated primarily with Chinese-speaking threat actors, it employs geofencing, header fencing, and device fingerprinting to ensure phishing pages only render for intended victims. Automated scanners and sandbox environments get redirected or served blank pages. Notably, CoGUI does not target MFA credentials — its focus is on impersonating consumer platforms (Amazon, PayPal, Rakuten, Apple) to harvest payment and account data. The evasion sophistication is high; the credential scope is narrower than the enterprise-focused AitM kits.

Evasion Techniques in 2025–2026

Modern PhaaS kits don't just deliver phishing pages — they invest heavily in not being detected while doing so. The 2025 cohort introduced several evasion techniques that collectively raise the bar for defenders relying on static analysis, signature matching, or URL reputation databases.

CAPTCHA gating appeared in 43% of phishing kit attacks tracked in 2025. It functions as a scanner filter: automated security tools that follow links fail the CAPTCHA challenge and see an error or redirect rather than the phishing content. Real humans pass and see the actual lure. Some kits have moved beyond standard CAPTCHA to custom challenges — Tycoon 2FA shifted to icon-matching CAPTCHA variants in 2025 to avoid signature detection of known CAPTCHA libraries.

Dynamic subdomain rotation makes static blocklists ineffective. GhostFrame generates a unique subdomain per victim session and rotates subdomains during active sessions. Tycoon 2FA's domain infrastructure evolved from high-entropy random strings to recognizable vocabulary words (cloud, desktop, zendesk, sharepoint) to evade detection models that score entropy. Subdomains become stale faster than blocklist updates can track them.

URL obfuscation featured in 48% of attacks in 2025. Techniques include open redirects through marketing and tracking link services, multi-hop URL chains, and the abuse of legitimate URL-protection (link-rewriting) services so that malicious links appear to have been vetted. Around 25% of 2025 phishing attacks exploited URL masking through these methods.

Blob URI delivery — used prominently by GhostFrame — encodes phishing content inside binary large object URIs rendered entirely in the browser. The phishing form never appears as a URL in the page source in the way traditional scanners expect to find it. It exists transiently in memory, loaded from a streaming data source, and leaves no static footprint for content scanners to match against.

QR code phishing (quishing) is accelerating

Malicious QR codes appeared in roughly 20% of 2025 attacks and are rising. QR codes in emails bypass link-scanning controls because the URL is embedded in an image, not visible as text. Victims who scan on mobile devices move the session away from corporate endpoint controls entirely — bypassing VPN, endpoint detection agents, and network filtering. APWG tracked 716,306 unique malicious QR codes in Q3 2025 alone, up 13% quarter-over-quarter. QR code delivery is now a standard feature in emerging PhaaS kits.

Code-level obfuscation has become table stakes. New kits deploy multi-layer techniques — code minification, Base64 encoding, XOR encryption, anti-debugging JavaScript traps, right-click disabling, and text-copy prevention — specifically to slow down reverse engineering by defenders and researchers. Some kits detect headless browsers or known analysis infrastructure and serve clean pages on detection.

Lure Themes: Familiar but Sharper

Despite dramatic advances in kit infrastructure, the lure themes themselves remain recognizable. This is deliberate. These themes work because they trigger genuine responses — urgency, authority, professional obligation — regardless of how technically sophisticated the recipient is. The innovation in 2025 was not in the theme categories but in how convincingly they are executed.

Payment and invoice fraud accounted for approximately one in five phishing emails in 2025. Digital signature and document review lures (impersonating DocuSign, Adobe Sign, SharePoint) made up 18%. HR-related themes — benefits changes, payroll updates, employee handbooks — accounted for 13%, continuing to be effective because they combine urgency with professional context. Financial and legal document lures rounded out the top categories.

AI is already reshaping lure quality. GenAI is being used to eliminate linguistic tells that previously helped recipients identify phishing — grammatical errors, awkward phrasing, implausible sender context. Kits with AI integration can generate personalized lures referencing real projects, internal deadlines, and colleague names drawn from open sources or prior compromise. Account hijacking — where attackers insert themselves into live email threads — applies GenAI to make injected messages indistinguishable from the ongoing conversation. "Spray and pray" is giving way to precision spear-phishing at scale.

Defensive Posture for 2026

The controls that worked well five years ago are not adequate against current PhaaS tooling. Static URL blocklists, signature-based email filtering, and standard TOTP-based MFA are all subject to active bypass by commodity kits. This does not mean they should be abandoned — defense in depth still applies — but it means no single control can be treated as a reliable last line.

  1. Move to phishing-resistant MFA: FIDO2 security keys (hardware tokens), passkeys, and Windows Hello for Business cryptographically bind authentication to the legitimate origin. A phishing proxy cannot relay these because the authentication is origin-bound — the challenge signed at the attacker's domain fails verification against the legitimate service. This is the single highest-impact control against AitM kit techniques.
  2. Shorten session lifetimes and harden token policies: Stolen session cookies lose value faster when sessions expire quickly and re-authentication is required for sensitive operations. Conditional access policies that require device compliance verification disrupt cookie replay attacks — an attacker replaying a session cookie from an unmanaged device will fail compliance checks even with a valid token.
  3. Treat QR codes as first-class indicators: Email security tools should be configured to extract and analyze URLs embedded in QR code images. Security awareness training should address QR scanning explicitly — the shift of a session to a mobile device is a deliberate attacker tactic to escape corporate endpoint controls.
  4. Hunt for post-authentication anomalies: AitM attacks leave traces not in the phishing delivery but in what happens immediately after compromise. Unusual sign-in locations or ASNs for a given user, MFA method modifications, creation of mailbox forwarding rules, access to SSO-connected applications from unusual user agents, and bulk email access within minutes of authentication are all indicators of AitM-based account takeover worth hunting for proactively.
  5. Disable external mailbox auto-forwarding at the tenant level: A common immediate action after AitM compromise is establishing persistent email forwarding to attacker-controlled addresses. Disabling automatic forwarding to external domains by policy removes a key post-compromise persistence mechanism across all users.
  6. Monitor for dynamic subdomain and short-lived domain infrastructure: Domain reputation lookups against aged, categorized domains miss freshly registered or rotated infrastructure. Detection logic should weight newly registered domains and randomized or high-entropy subdomain patterns in link analysis, even when parent domains appear legitimate.
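The post-authentication hunt in item 4, as an added example that is not part of the briefing and not any vendor's detection logic. It runs over constructed sample events loosely shaped like IdP sign-in and mailbox audit records (the event type names and ASNs are constructed), builds a per-user ASN baseline from earlier sign-ins, and alerts only when a sign-in from a never-seen ASN is followed within 30 minutes by a sensitive action such as an inbox-rule creation, an MFA method registration or bulk mailbox access.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). ASNs come from the documentation range.
EVENTS = [
    {"ts": "2026-03-02T08:01:00", "user": "alice", "type": "signin", "asn": 64496, "ua": "Chrome/124 (Windows)"},
    {"ts": "2026-03-03T08:05:00", "user": "alice", "type": "signin", "asn": 64496, "ua": "Chrome/124 (Windows)"},
    {"ts": "2026-03-04T11:42:10", "user": "alice", "type": "signin", "asn": 64510, "ua": "python-requests/2.31"},
    {"ts": "2026-03-04T11:44:30", "user": "alice", "type": "New-InboxRule", "detail": "ForwardTo=external"},
    {"ts": "2026-03-04T11:46:00", "user": "alice", "type": "MailItemsAccessed", "count": 412},
    {"ts": "2026-03-04T12:00:00", "user": "bob", "type": "signin", "asn": 64496, "ua": "Chrome/124 (Windows)"},
    {"ts": "2026-03-04T12:30:00", "user": "bob", "type": "New-InboxRule", "detail": "MoveToFolder=Archive"},
]

# Constructed event type names standing in for the tenant's own audit operations.
SENSITIVE_TYPES = {"New-InboxRule", "Set-Mailbox", "MfaMethodRegistered"}
BULK_MAIL_THRESHOLD = 100          # MailItemsAccessed count treated as bulk access
WINDOW = timedelta(minutes=30)     # how soon after the sign-in the action must occur

def ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])

def is_sensitive(event: dict) -> bool:
    if event["type"] in SENSITIVE_TYPES:
        return True
    return event["type"] == "MailItemsAccessed" and event.get("count", 0) >= BULK_MAIL_THRESHOLD

def hunt(events: list, window: timedelta = WINDOW) -> list:
    """Alert when a user signs in from an ASN never seen for them AND performs a
    sensitive action within `window`. Users with no prior sign-ins are skipped: with
    no baseline there is no 'new ASN' signal (a known gap for brand-new accounts)."""
    events = sorted(events, key=ts)
    seen_asn = defaultdict(set)    # per-user ASN baseline built as we walk the log
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "signin":
            continue
        user, asn = ev["user"], ev["asn"]
        is_new_asn = bool(seen_asn[user]) and asn not in seen_asn[user]
        seen_asn[user].add(asn)
        if not is_new_asn:
            continue
        t0 = ts(ev)
        followups = [
            f for f in events[i + 1:]
            if f["user"] == user and is_sensitive(f) and ts(f) - t0 <= window
        ]
        if followups:
            alerts.append({"user": user, "signin_ts": ev["ts"], "asn": asn,
                           "ua": ev["ua"], "actions": [f["type"] for f in followups]})
    return alerts
```

Bob's inbox rule on its own does not alert because his sign-in came from his only known ASN; the correlation with a baseline deviation is what keeps the rule from firing on routine mailbox administration.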

The broader structural challenge is that PhaaS has decoupled attack sophistication from attacker skill. Tools that required nation-state-level operational capability five years ago are now available via Telegram subscription. Defenders are no longer facing individual skilled adversaries — they are facing a scalable industry with development teams, versioned releases, and customer support. The defensive response needs to match that reality: layered, automated, and focused on behavioral detection rather than static signatures.

— end of briefing