
DocuSign-Themed Phishing Email | Source: Abnormal Security
Phishing attacks are no longer the domain of elite hackers. With the rise of Phishing-as-a-Service (PhaaS), cybercriminals of all skill levels can now launch sophisticated phishing campaigns with minimal effort. A recent report from Abnormal Security highlights how PhaaS platforms have transformed the cybercrime ecosystem, offering subscription-based services that enable attackers to steal credentials, bypass multi-factor authentication (MFA), and evade traditional security measures.
“Threat actors are constantly advancing their techniques, and phishing-as-a-service platforms exemplify this dangerous innovation,” warns Abnormal Security in its latest analysis.
Phishing-as-a-Service operates much like legitimate Software-as-a-Service (SaaS) platforms. Criminals pay a subscription fee to access pre-built phishing kits, training materials, and automated attack tools. These platforms offer end-to-end management of phishing campaigns, handling everything from email spamming to tracking victim engagement.
According to the report, “Phishing-as-a-service represents a significant shift in how cyberattacks are conducted, offering a cloud-based subscription model that makes launching phishing campaigns accessible to even novice criminals.”
Several PhaaS platforms dominate the underground market, including:
- EvilProxy – Specializes in session hijacking and MFA bypass for Microsoft, Google, Facebook, and GitHub.
- Caffeine (now ONNX) – Offers multiple subscription tiers similar to legitimate SaaS services.
- Greatness and W3LL – Compete by offering dynamic phishing URLs and anti-detection mechanisms.
One of the most alarming capabilities of PhaaS platforms is their ability to bypass MFA protections. Attackers deploy session-hijacking proxies, which intercept login credentials. Victims unknowingly enter their usernames, passwords, and MFA tokens into a fake login page hosted on a convincing but fraudulent domain.

These attacks leverage bot detection and evasion to prevent security researchers from analyzing malicious links. Many PhaaS services even host their phishing proxies behind Cloudflare Turnstile, further concealing their activities.
The rapid growth of PhaaS has created a highly competitive underground market, with vendors constantly innovating to outmaneuver security defenses. The report highlights that, “The constant competition between PhaaS vendors is driving a level of innovation and sophistication not seen in the phishing world a few years ago.”
Some services offer dynamic URL generation, meaning each phishing link is unique. This defeats traditional email security solutions, which rely on threat intelligence databases to block known malicious URLs.
Abnormal Security explains, “Dynamic URL generation means each victim receives a unique phishing URL. This renders traditional threat-intelligence-based email security ineffective as you can’t match the URL against the threat-intel database of known bad URLs.”
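To make the dynamic-URL argument concrete, the following added example (not code from the article or from Abnormal Security) compares an exact-match blocklist with a host-plus-path-prefix rule derived from a single reported URL; every URL in it is constructed for illustration, not a real indicator.

```python
"""Why per-victim (dynamic) phishing URLs defeat exact-match URL blocklists,
and how a host/path-prefix rule derived from one sighting still catches them.
All URLs below are constructed placeholders, not real indicators."""
from urllib.parse import urlsplit

# Constructed threat-intel entry: the one URL an analyst submitted to the feed.
KNOWN_BAD_URLS = {"https://login-verify.example/auth/a1b2c3d4"}

# Constructed: what three other recipients received from the same kit,
# each with its own token, one with a tracking query, one with odd casing.
PER_VICTIM_URLS = [
    "https://login-verify.example/auth/9f8e7d6c",
    "https://login-verify.example/auth/0011aabb?u=alice",
    "https://LOGIN-VERIFY.example/auth/ffee0099",
]


def exact_match_blocked(url: str) -> bool:
    """Traditional check: block only URLs already present in the feed."""
    return url in KNOWN_BAD_URLS


def normalize(url: str) -> tuple[str, str]:
    """Lowercase the host and drop query/fragment; return (host, path)."""
    parts = urlsplit(url)
    return parts.hostname or "", parts.path.rstrip("/")


def pattern_rule_from(url: str) -> tuple[str, str]:
    """Derive a (host, path-prefix) rule from one known-bad URL by dropping
    the last path segment, which is the per-victim token in this kit."""
    host, path = normalize(url)
    return host, path.rsplit("/", 1)[0]


def pattern_blocked(url: str, rules: list[tuple[str, str]]) -> bool:
    """Block any URL on a listed host whose path falls under the prefix."""
    host, path = normalize(url)
    return any(host == h and path.startswith(p + "/") for h, p in rules)


RULES = [pattern_rule_from(u) for u in KNOWN_BAD_URLS]


def evaluate(urls: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each URL to (exact_match_blocked, pattern_blocked)."""
    return {u: (exact_match_blocked(u), pattern_blocked(u, RULES)) for u in urls}
```

Running `evaluate(PER_VICTIM_URLS)` shows the exact-match check missing every per-victim link while the prefix rule catches all three; the prefix rule is a heuristic and should be tuned per campaign to avoid blocking a legitimate site sharing the host.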
With phishing attacks becoming more sophisticated and automated, organizations must take proactive measures to protect themselves.