Month: November 2025

PHAAS

Phishing as a service platforms used by threat actors

PhaaS is a cybercrime business model in which attackers pay for ready-made phishing kits, hosting, and infrastructure.
The goal is to simplify phishing attacks for less-skilled criminals by providing templates, automation tools, and even customer support.
Phishing-as-a-Service (PhaaS) platforms are essentially subscription-based services that allow cybercriminals to launch phishing campaigns without needing deep technical expertise.
The best-known Phishing-as-a-Service (PhaaS) platforms used by threat actors:
  • Quantum Route Redirect
Active in 90 countries, with 76% of attacks targeting U.S. users.
Uses ~1,000 compromised or parked domains for hosting phishing pages.
Uses fake DocuSign, payroll, or QR code messages to target users.
  • VoidProxy
Targets: Microsoft 365, Google Workspace, and federated SSO accounts (Okta, Azure AD, OneLogin).
Core Technique: Adversary-in-the-Middle (AitM) phishing to intercept credentials, MFA codes, and session cookies in real time.
  • Morphing Meerkat
Phishing-as-a-Service platform first identified in 2020.
The goal is to steal email login credentials by serving hyper-personalized phishing pages.
  • Darcula
Web phishing kits (links via SMS/email). The tool is subscription-based (varies), auto-generated for any brand, and uses generative AI for multilingual content.
  • BulletProofLink
Provided large-scale phishing kit distribution.
The tool has over 100 templates mimicking major brands and massive subdomain generation.
  • Caffeine
Specialty: Open registration (no vetting), multilingual phishing templates.
Features: Dynamic URL generation, campaign tracking, redirect page management.
  • EvilProxy
It is an MFA bypass and credential harvesting platform.
Features: Reverse proxy phishing, supports multiple brands.
  • Sneaky 2FA
A new entrant focused on Microsoft 365 phishing.
Features: MFA bypass, Telegram bot integration for stolen data.
  • Tycoon2FA
An advanced phishing kit targeting Microsoft 365 and other services.
Key Feature: Bypasses multi-factor authentication (MFA) using reverse proxy techniques.
  • Lighthouse PhaaS
Phishing-as-a-Service kit focused on SMS phishing (smishing).
Operators: Linked to a Chinese cybercrime group known as Smishing Triad.
Scale: Over 1 million victims across 120+ countries, with 12.7M–115M credit cards compromised.
The following recommendations should be followed to reduce the risk:
- Monitor for phishing indicators (suspicious domains, email headers).
- Implement DMARC, SPF, and DKIM to reduce email spoofing.
- Educate employees on phishing awareness.
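
As an added example (not part of the original post), the header monitoring and SPF/DKIM/DMARC recommendations above can be combined into a small triage check on received mail. The sample message, the domains, and the `trusted_authserv` name are constructed placeholders; the check assumes your receiving MX stamps an `Authentication-Results` header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real traffic); all domains are placeholders.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=softfail smtp.mailfrom=bounce.example.org;
 dkim=none;
 dmarc=fail (p=none) header.from=example.com
From: "Payroll" <payroll@example.com>
Reply-To: hr-team@example.org
Subject: Action required: review your payroll document

Scan the QR code to sign.
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw, trusted_authserv="mx.example.net"):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    results = {}
    for ar in msg.get_all("Authentication-Results", []):
        # Only trust results stamped by our own MX; senders can forge the rest.
        if ar.split(";")[0].strip().lower() != trusted_authserv:
            continue
        for method, result in RESULT_RE.findall(ar):
            results.setdefault(method.lower(), result.lower())
    findings = []
    for method in ("spf", "dkim", "dmarc"):
        result = results.get(method, "missing")
        if result != "pass":
            findings.append(f"{method}={result}")
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from {from_dom}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("FLAG:", finding)
```

A `dmarc=fail` result alongside `p=none` means the spoofed message was still delivered, which is why the DMARC policy should eventually move to quarantine or reject.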