Phishing as a service platforms used by threat actors
Phishing-as-a-Service is a cybercrime business model in which attackers pay for ready-made phishing kits, hosting, and infrastructure.
The goal is to simplify phishing attacks for less-skilled criminals by providing templates, automation tools, and even customer support.
Phishing-as-a-Service (PhaaS) platforms are essentially subscription-based services that allow cybercriminals to launch phishing campaigns without needing deep technical expertise.
The best-known Phishing-as-a-Service (PhaaS) platforms used by threat actors:
- Quantum Route Redirect
Active in 90 countries, with 76% of attacks targeting U.S. users.
Uses ~1,000 compromised or parked domains for hosting phishing pages.
Uses fake DocuSign, payroll, or QR code messages to target users.
- VoidProxy
Targets: Microsoft 365, Google Workspace, and federated SSO accounts (Okta, Azure AD, OneLogin).
Core Technique: Adversary-in-the-Middle (AitM) phishing to intercept credentials, MFA codes, and session cookies in real time.
- Morphing Meerkat
Phishing-as-a-Service platform first identified in 2020.
The goal is to steal email login credentials by serving hyper-personalized phishing pages.
- Darcula
Web phishing kits (links delivered via SMS/email). The tool is subscription-based (varies), with kits auto-generated for any brand and generative AI used for multilingual content.
- BulletProofLink
Provided large-scale phishing kit distribution.
The tool has over 100 templates mimicking major brands and supports massive subdomain generation.
- Caffeine
Specialty: Open registration (no vetting), multilingual phishing templates.
Features: Dynamic URL generation, campaign tracking, redirect page management.
- EvilProxy
An MFA bypass and credential harvesting platform.
Features: Reverse proxy phishing, supports multiple brands.
- Sneaky 2FA
A new entrant focused on Microsoft 365 phishing.
Features: MFA bypass, Telegram bot integration for stolen data.
- Tycoon2FA
An advanced phishing kit targeting Microsoft 365 and other services.
Key Feature: Bypasses multi-factor authentication (MFA) using reverse proxy techniques.
- Lighthouse PhaaS
Phishing-as-a-Service kit focused on SMS phishing (smishing).
Operators: Linked to a Chinese cybercrime group known as Smishing Triad.
Scale: Over 1 million victims across 120+ countries, with 12.7M–115M credit cards compromised.
The following recommendations should be followed to reduce the risk:
– Monitor for phishing indicators (suspicious domains, email headers).
– Implement DMARC, SPF, and DKIM to reduce email spoofing.
– Educate employees on phishing awareness.
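
One way to act on the email-header and SPF/DKIM/DMARC recommendations above, as an added example that is not part of the original article: a triage function that reads the `Authentication-Results` header stamped by your own inbound mail server and flags messages that fail authentication. The authserv-id `mx.example.org` and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id of your own inbound MTA
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def triage(raw_message):
    """Return a list of findings for one RFC 5322 message (empty = clean)."""
    msg = message_from_string(raw_message)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        # Only trust results stamped by our own MTA; senders can forge the rest.
        if value.split(";", 1)[0].strip().lower() != TRUSTED_AUTHSERV:
            continue
        for method, result in RESULT_RE.findall(value):
            results.setdefault(method.lower(), result.lower())  # first result wins
    findings = [f"{m}={results.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc") if results.get(m) != "pass"]
    # A From/Return-Path mismatch is a signal to review, not a verdict:
    # legitimate bulk mailers also produce it.
    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"from/return-path mismatch: {from_dom} vs {rp_dom}")
    return findings

# Constructed sample messages (not real traffic).
SAMPLE_OK = """\
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Return-Path: <alice@example.com>
From: Alice <alice@example.com>
"""
SAMPLE_SPOOF = """\
Authentication-Results: sender.invalid; spf=pass; dkim=pass; dmarc=pass
Authentication-Results: mx.example.org; spf=pass; dkim=none; dmarc=fail
Return-Path: <bounce@mailer.example.net>
From: Payroll <payroll@example.com>
Subject: Updated payroll document
"""

if __name__ == "__main__":
    for name, raw in (("ok", SAMPLE_OK), ("spoof", SAMPLE_SPOOF)):
        print(name, triage(raw))
```

The first `Authentication-Results` header in the second sample claims a full pass but carries a foreign authserv-id, so it is ignored and only the results from the trusted MTA are scored.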
Bangaly Koita is a SOC Analyst and Cyber Security researcher. Passionate about cyber security, he spends most of his time writing articles and making videos online to share his knowledge and experience with the vast IT community and, more generally, the Cyber Security community. Feel free to contact me in case.