Phishing-as-a-Service, or PhaaS, is a cybercrime model where threat actors offer phishing tools, kits and services to other attackers, often via subscription or one-time payment.
# Tool/Technique: Phishing-as-a-Service (PhaaS)
## Overview
Phishing-as-a-Service (PhaaS) is a cybercrime model where threat actors sell or offer access to ready-made phishing tools, kits, and infrastructure to other attackers, often via subscription. This model significantly lowers the barrier to entry for launching sophisticated phishing campaigns by providing pre-built templates, hosting, automation, and sometimes even customer support, enabling even non-technical users to execute scams.
## Technical Details
- Type: Model/Service (Supporting Phishing Kits)
- Platform: Inherited from underlying phishing kits, targeting common user platforms (Web/Email).
- Capabilities: Providing ready-made fake emails/websites, infrastructure hosting, customization, credential theft capabilities (including MFA token harvesting).
- First Seen: The source describes the model as rapidly emerging and evolving; the specific kits it associates with PhaaS appear around late 2024/early 2025 (the source cites 2025 observations).
## MITRE ATT&CK Mapping
PhaaS fundamentally supports the initial stages of an attack by facilitating social engineering and initial access.
- **TA0001 - Initial Access**
  - **T1566 - Phishing**
    - **T1566.001 - Spearphishing Attachment** (if kits support malicious attachments)
    - **T1566.002 - Spearphishing Link** (most common use case)
## Functionality
### Core Capabilities
- **Infrastructure Provisioning:** Offering hosting for fake login pages (e.g., impersonating Microsoft/Google).
- **Template Delivery:** Supplying convincing, ready-made phishing emails and website templates.
- **Credential Harvesting:** Collecting user-entered private information, including techniques to steal Multi-Factor Authentication (MFA) tokens.
- **Cost-Effectiveness:** Operated on cheap or subscription-based models, saving significant time and effort for the end user.
### Advanced Features
- **Evasion Techniques:** Kits often include functionality to obfuscate (scramble) and encrypt source code to avoid detection by security software.
- **Anti-Analysis:** Tools are capable of detecting security analysis environments (sandboxes/bots) and redirecting them to legitimate websites to maintain stealth.
- **Evolution/Adaptation:** Providers continuously update kits to bypass emerging security controls, ensuring high delivery rates.
- **Legitimate Site Usage:** Utilizing real, sometimes compromised, legitimate websites to host malicious links or payloads, increasing trust.
## Indicators of Compromise
Indicators are highly fragmented because they depend on the specific kit in use; the service model itself has few fixed indicators, and the kits the source associates with it are listed under Related Tools/Techniques below.
- File Hashes: Not specified for the service model itself.
- File Names: Not specified for the service model itself.
- Registry Keys: Not specified.
- Network Indicators: C2 infrastructure is provided and configured by the PhaaS provider/kit (e.g., redirecting stolen data to the attacker's endpoint). Specific C2/domains are highly transient and specific to each campaign.
- Behavioral Indicators: Execution of highly polished, near-perfect website clones designed for credential harvesting.
## Associated Threat Actors
- Attackers lacking technical skill who seek to perform credential theft.
- Sophisticated attackers looking to outsource infrastructure setup and maintenance.
- Threat actors leveraging platforms like Darknet markets or Telegram to acquire the service.
## Detection Methods
Detection focuses on the underlying technical implementation of the phishing kit rather than the abstract service model.
- Signature-based detection: Signatures for known C2 infrastructure or file hashes associated with specific kits (e.g., CoGUI, Sniper Dz, Tycoon 2FA).
- Behavioral detection: Monitoring for anomalies in login sequences, unexpected redirection after submission, or suspicious file/code obfuscation techniques used within web pages.
- YARA rules: Applicable against downloadable malware components if the kit bundles malware (e.g., Darcula kit mentions combining phishing with malware delivery).
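The behavioral item above ("unexpected redirection after submission") can be turned into a concrete proxy-log check. The following is an added example, not part of the original report: it parses a constructed web-proxy log format, finds credential POSTs to hosts outside an assumed allowlist of genuine identity-provider domains, and raises an alert when the same client is redirected to the real brand domain within a short window (the hand-off behaviour of adversary-in-the-middle kits). A lower-confidence alert covers POSTs to hosts that merely embed a brand token. Log format, allowlist, brand tokens and sample lines are all assumptions for this example.

```python
"""Behavioral detection of credential phishing hand-offs from web proxy logs.

Added example (not from the original report). Heuristic: a credential POST to a
domain outside the brand allowlist, followed within REDIRECT_WINDOW by a 3xx
redirect of the same client to the genuine brand domain. Log format and the
sample lines below are constructed for this example; events are assumed to be
sorted by timestamp, as a proxy log normally is.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed format: "<ISO time> <client_ip> <method> <url> <status> [location]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3})(?: (?P<location>\S+))?$"
)

# Assumed allowlist of genuine identity-provider hosts; extend per environment.
BRAND_DOMAINS = {"login.microsoftonline.com", "login.live.com", "accounts.google.com"}
# Tokens that a lookalike host tends to embed (assumed list).
BRAND_TOKENS = ("microsoft", "office", "outlook", "live", "google", "okta")
LOGIN_PATH = re.compile(r"(login|signin|auth|verify)", re.I)
REDIRECT_WINDOW = timedelta(seconds=10)

# Constructed sample log: one AitM-style hand-off, one legitimate IdP login,
# one internal login that must not alert.
SAMPLE_LOG = [
    "2025-03-01T09:00:00 10.0.0.5 GET https://secure-office365-login.example/ 200",
    "2025-03-01T09:00:04 10.0.0.5 POST https://secure-office365-login.example/login 302 https://login.microsoftonline.com/",
    "2025-03-01T09:00:05 10.0.0.5 GET https://login.microsoftonline.com/ 200",
    "2025-03-01T09:01:00 10.0.0.7 POST https://login.microsoftonline.com/common/oauth2/authorize 302 https://outlook.office.com/",
    "2025-03-01T09:02:00 10.0.0.9 POST https://intranet.corp.example/auth/login 200",
]


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["status"] = int(e["status"])
    e["host"] = urlparse(e["url"]).hostname or ""
    return e


def looks_like_brand_impersonation(host):
    """Host embeds a brand token but is not one of the genuine brand hosts."""
    return host not in BRAND_DOMAINS and any(t in host for t in BRAND_TOKENS)


def detect(lines):
    """Return alerts for credential POSTs that hand the client off to a real brand host."""
    events = [e for e in (parse(l) for l in lines) if e]
    alerts = []
    for i, e in enumerate(events):
        # Candidate credential submission: POST to a login-looking path on a non-allowlisted host.
        if e["method"] != "POST" or e["host"] in BRAND_DOMAINS or not LOGIN_PATH.search(e["url"]):
            continue
        redirect_to = None
        # The POST's own response may already be the redirect, so scan from i (not i+1).
        for f in events[i:]:
            if f["ts"] - e["ts"] > REDIRECT_WINDOW:
                break
            if f["ip"] != e["ip"] or not (300 <= f["status"] < 400) or not f["location"]:
                continue
            target = urlparse(f["location"]).hostname or ""
            if target in BRAND_DOMAINS:
                redirect_to = target
                break
        if redirect_to:
            alerts.append({"client": e["ip"], "phish_host": e["host"], "redirect_to": redirect_to,
                           "reason": "credential_post_then_redirect_to_brand", "severity": "high"})
        elif looks_like_brand_impersonation(e["host"]):
            alerts.append({"client": e["ip"], "phish_host": e["host"], "redirect_to": None,
                           "reason": "credential_post_to_lookalike_host", "severity": "medium"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Only the 10.0.0.5 sequence alerts: the POST goes to a lookalike host and its response redirects to the genuine Microsoft login host. The 10.0.0.7 POST is to an allowlisted host and the 10.0.0.9 POST is an internal login with no brand token and no hand-off, so neither fires. In production the allowlist and brand tokens should come from the organisation's own identity providers, and the window should be tuned to observed latency.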
## Mitigation Strategies
- **Security Awareness Training:** Educating users on identifying sophisticated phishing attempts, including recognizing brand impersonation and suspicious login flows (especially regarding MFA prompts).
- **Multi-Factor Authentication (MFA):** Implementing robust MFA is crucial, though attackers using kits like **SessionShark** focus on session hijacking. Adoption of phishing-resistant MFA (like FIDO2/WebAuthn) reduces the impact of token theft.
- **Technical Controls:** Implementing strong email gateway security, DNS filtering, and web filtering to block access to known malicious hosting environments.
- **Website Validation:** Encouraging users to manually type known trusted URLs rather than clicking links, and verifying SSL certificates.
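The MFA item above says phishing-resistant MFA (FIDO2/WebAuthn) reduces the impact of token theft; the reason is that the assertion is bound to the origin of the page that requested it. The following is an added example, not part of the original report, that models the relying-party checks WebAuthn specifies (type, challenge, origin, rpIdHash, signature over authenticatorData || SHA-256(clientDataJSON)). The relying-party id and origin are assumptions, and the authenticator's asymmetric signature is replaced by an HMAC over the same signed material so the block runs with the standard library only; the origin and challenge logic is what the protocol actually does.

```python
"""Why an adversary-in-the-middle relay cannot replay a WebAuthn assertion.

Added example (not from the original report). The browser, not the page, fills
in the 'origin' field of clientDataJSON, and the authenticator signs a hash of
that JSON. The HMAC below stands in for the credential's asymmetric signature
(simplification so the block needs only the standard library); RP_ID and
RP_ORIGIN are assumed values.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example-bank.com"              # assumed relying-party id
RP_ORIGIN = "https://login.example-bank.com"  # assumed expected origin
CRED_SECRET = secrets.token_bytes(32)         # stand-in for the credential private key
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()


def browser_build_client_data(page_origin, challenge):
    """The browser records the origin of the page that called navigator.credentials.get().
    A phishing page cannot choose this value. (A real browser would also refuse the
    ceremony outright because RP_ID is not a registrable suffix of a lookalike origin.)"""
    cd = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    return json.dumps(cd, separators=(",", ":")).encode()


def authenticator_sign(client_data):
    """Authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = RP_ID_HASH + b"\x01"  # rpIdHash + flags (user present); counter omitted
    signed_material = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(CRED_SECRET, signed_material, hashlib.sha256).digest()


def rp_verify(expected_challenge, client_data, auth_data, signature):
    """Relying-party verification, in the order the WebAuthn spec lists the checks."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')} is not {RP_ORIGIN}"
    if auth_data[:32] != RP_ID_HASH:
        return False, "rpIdHash mismatch"
    expected = hmac.new(CRED_SECRET, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def scenario(page_origin, rewrite_origin=None):
    """One login. page_origin is where the user's browser really is. A relay that
    forwards the RP's genuine challenge may also try to rewrite the origin field
    before forwarding the assertion; rewrite_origin models that attempt."""
    challenge = secrets.token_urlsafe(32)          # fresh per-login challenge from the RP
    client_data = browser_build_client_data(page_origin, challenge)
    auth_data, sig = authenticator_sign(client_data)
    if rewrite_origin is not None:
        cd = json.loads(client_data)
        cd["origin"] = rewrite_origin
        client_data = json.dumps(cd, separators=(",", ":")).encode()
    return rp_verify(challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    lookalike = "https://login-example-bank.com.evil.example"  # constructed lookalike origin
    print("genuine page:  ", scenario(RP_ORIGIN))
    print("relayed page:  ", scenario(lookalike))
    print("origin rewrite:", scenario(lookalike, rewrite_origin=RP_ORIGIN))
```

The first scenario verifies; the second fails at the origin check because the browser wrote the lookalike origin into clientDataJSON; the third, where the relay rewrites the origin to the expected value, fails at the signature check because the signed hash no longer matches. Contrast this with OTP or push MFA, where the second factor carries no binding to the origin and the kits in this report can simply forward it.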
## Related Tools/Techniques
The article highlights several contemporary Phishing Kits utilized via PhaaS models:
- **Tycoon 2FA:** Most widely used kit, accounting for 76% of observed attacks in early 2025.
- **EvilProxy:** Accounts for approximately 8% of observed attacks.
- **Mamba 2FA** and **Sneaky 2FA**: Together account for 6%.
- **CoGUI:** Kit tailored specifically for Japanese organizations.
- **Sniper Dz:** Highly customizable kit mimicking popular service login pages.
- **Morphing Meerkat:** Known for fast adaptation to bypass filters.
- **Darcula:** Stealthy kit combining phishing with malware delivery.
- **SessionShark:** Specializes in stealing active login sessions.
- **LogoKit, FlowerStorm, Gabagool:** Other miscellaneous kits observed.