Full Report
In this blog post Barracuda threat analysts look at how advanced phishing techniques are likely to evolve in 2025.
Analysis Summary
# Tool/Technique: Phishing-as-a-Service (PhaaS) Kits
## Overview
PhaaS kits are services sold or rented by threat actors that provide infrastructure and tools necessary for deploying large-scale phishing campaigns, primarily focused on credential theft. These services are expected to become more sophisticated, including the capability to steal Multi-Factor Authentication (MFA) codes.
## Technical Details
- Type: Framework/Service (Evolving capability within Phishing)
- Platform: Varies (Likely targets email and web interfaces)
- Capabilities: Facilitates credential theft, expected to evolve to MFA code harvesting.
- First Seen: Not specified (Usage is significant in 2024, expected to dominate 2025).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1566.002 - Spearphishing Link
- T1566.003 - Spearphishing via Service
## Functionality
### Core Capabilities
- Deploying credential-harvesting pages with minimal technical effort from the kit's customer (the attacker), who rents the infrastructure and templates rather than building them.
- Expected to account for a rapidly growing share of credential-theft attacks: more than 50% in 2025, up from about 30% in 2024.
### Advanced Features
- Expected evolution to include functionality that captures MFA codes during the credential-theft process; a one-time code relayed to the attacker stays valid for the rest of its short validity window, so capturing it alongside the password is enough to complete the login.
## Indicators of Compromise
- File Hashes: N/A (Service-based delivery)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Links distributed via PhaaS kits may use compromised or abused URL protection services.
- Behavioral Indicators: High volume, automated credential harvesting attempts.
## Associated Threat Actors
- Adversaries utilizing accessible, turnkey phishing infrastructures.
## Detection Methods
- Behavioral detection of credential harvesting forms and credential submission endpoints.
- Monitoring for known PhaaS infrastructure patterns.
## Mitigation Strategies
- Implementing robust MFA, preferably phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys): these bind the authentication to the legitimate origin, so a code or password captured on a look-alike page cannot be replayed by the kit.
- Advanced email filtering to detect credential harvesting links or payloads.
- Increased security awareness training specific to evolved phishing tactics.
## Related Tools/Techniques
- General Phishing Kits
- Adversary utilizing AI for content generation
---
# Tool/Technique: ASCII-Based QR Codes
## Overview
A novel evasive technique in which the QR code is drawn with text, typically Unicode block-drawing characters (such as █) and spaces, instead of being delivered as an image. Rendered in a monospaced font the text still forms a scannable code for a phone camera, while detection systems that only decode image attachments find nothing to scan.
## Technical Details
- Type: Evasive Technique (used within QR-code phishing, sometimes called "quishing")
- Platform: Email attachment or body content (delivers a link on scan)
- Capabilities: Evading detection mechanisms that look for malicious content within traditional image files or embedded links in the email body.
- First Seen: Reported in October (of the reporting year).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (If delivered via attachment)
- T1566.002 - Spearphishing Link (If embedded directly)
## Functionality
### Core Capabilities
- Embedding malicious URLs within character-based artwork (QR code).
- Bypassing image-based QR decoding and direct URL inspection: the email carries neither an image file nor a visible link, so both classes of analysis have nothing to examine.
### Advanced Features
- Continues to evolve alongside other evasive tactics.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: The decoded URL upon scanning the QR code.
- Behavioral Indicators: Large blocks of block-drawing or other unusual Unicode characters in an email body or HTML attachment that, rendered in a monospaced font, form a square grid with QR finder patterns in three corners.
## Associated Threat Actors
- Threat actors employing advanced evasive techniques in phishing campaigns.
## Detection Methods
- Deep content inspection that renders character-based QR codes into a module grid and decodes the embedded URL for scanning.
- Heuristics for unusual character usage in email bodies, such as dense runs of block-drawing characters with a consistent line width.
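The heuristic above, worked through in code. This is an added example for this page, not Barracuda's code: it finds runs of lines made only of block-drawing characters and whitespace, expands them into a 0/1 module grid (half-block characters carry two module rows per text line, the encoding terminal QR tools use), crops the quiet zone, and checks for the three 7x7 finder patterns every QR symbol has. The email text, the `.invalid` addresses and the grid are constructed here to exercise the detector; the grid has genuine finder and separator patterns but random data, so it is a QR-shaped object rather than a decodable code, and `MIN_LINES` is an assumed threshold.

```python
"""Detect character-based ("ASCII"/Unicode) QR codes in email text."""
import random

# Text characters that draw QR modules. Half blocks pack two module rows per line.
CHAR_TO_ROWS = {
    "\u2588": (1, 1),  # full block: upper and lower module dark
    "\u2580": (1, 0),  # upper half block
    "\u2584": (0, 1),  # lower half block
    " ": (0, 0),
    "\u00a0": (0, 0),  # NBSP, common in HTML mail
}
MIN_MODULES = 21   # QR version 1 is 21x21 modules
MIN_LINES = 10     # assumed: a 21-row symbol needs 11 half-block text lines
# The 7x7 finder pattern: dark ring, light ring, dark 3x3 core.
FINDER = [[int(c) for c in row] for row in
          ("1111111", "1000001", "1011101", "1011101", "1011101", "1000001", "1111111")]

def find_block_runs(text):
    """Runs of consecutive block/space-only lines containing enough dark lines."""
    runs, cur = [], []
    for line in text.splitlines() + [""]:  # sentinel closes the last run
        if line and all(ch in CHAR_TO_ROWS for ch in line):
            cur.append(line)
        else:
            if sum(any(CHAR_TO_ROWS[ch] != (0, 0) for ch in l) for l in cur) >= MIN_LINES:
                runs.append(cur)
            cur = []
    return runs

def lines_to_grid(lines):
    """Expand half-block text into a rectangular 0/1 module grid."""
    width = max(len(l) for l in lines)
    grid = []
    for line in lines:
        cells = [CHAR_TO_ROWS[c] for c in line.ljust(width)]
        grid.append([top for top, _ in cells])
        grid.append([bottom for _, bottom in cells])
    return grid

def trim_quiet_zone(grid):
    """Crop to the bounding box of dark modules, dropping the light quiet zone."""
    dark = [(r, c) for r, row in enumerate(grid) for c, v in enumerate(row) if v]
    if not dark:
        return []
    r0, r1 = min(r for r, _ in dark), max(r for r, _ in dark)
    c0, c1 = min(c for _, c in dark), max(c for _, c in dark)
    return [row[c0:c1 + 1] for row in grid[r0:r1 + 1]]

def _finder_at(g, r0, c0):
    return all(g[r0 + i][c0 + j] == FINDER[i][j] for i in range(7) for j in range(7))

def looks_like_qr(grid):
    """Square, at least version-1 sized, with finders in the TL, TR and BL corners."""
    n = len(grid)
    if n < MIN_MODULES or any(len(r) != n for r in grid):
        return False
    return _finder_at(grid, 0, 0) and _finder_at(grid, 0, n - 7) and _finder_at(grid, n - 7, 0)

def detect_text_qr(email_text):
    """Return every module grid in the text that carries QR finder patterns."""
    hits = []
    for run in find_block_runs(email_text):
        grid = trim_quiet_zone(lines_to_grid(run))
        if looks_like_qr(grid):
            hits.append(grid)
    return hits

# ---- constructed sample for the demo (not a decodable QR code) ----------------
def build_sample_symbol(size=21, seed=7):
    """QR-shaped grid: genuine finders and separators, random data elsewhere."""
    rng = random.Random(seed)
    g = [[rng.randint(0, 1) for _ in range(size)] for _ in range(size)]
    for r0, c0 in ((0, 0), (0, size - 7), (size - 7, 0)):
        for i in range(7):
            for j in range(7):
                g[r0 + i][c0 + j] = FINDER[i][j]
    for k in range(8):  # light separators around each finder
        g[7][k] = g[k][7] = 0
        g[7][size - 1 - k] = g[k][size - 8] = 0
        g[size - 8][k] = g[size - 1 - k][7] = 0
    return g

def render_half_block(grid, quiet=2):
    """Draw a grid the way terminal QR tools do: two module rows per text line."""
    w = len(grid) + 2 * quiet
    rows = ([[0] * w for _ in range(quiet)]
            + [[0] * quiet + r + [0] * quiet for r in grid]
            + [[0] * w for _ in range(quiet)])
    if len(rows) % 2:
        rows.append([0] * w)
    to_char = {(1, 1): "\u2588", (1, 0): "\u2580", (0, 1): "\u2584", (0, 0): " "}
    return "\n".join("".join(to_char[(rows[r][c], rows[r + 1][c])] for c in range(w))
                     for r in range(0, len(rows), 2))

SAMPLE_EMAIL = (  # constructed lure; .invalid is a reserved TLD
    "From: it-helpdesk@example.invalid\n"
    "Subject: Re-enrol your authenticator today\n\n"
    "Scan the code below with your phone to keep your account active.\n\n"
    + render_half_block(build_sample_symbol())
    + "\n\nIT Service Desk\n"
)
```

`detect_text_qr(SAMPLE_EMAIL)` returns one 21x21 grid; a matched grid can be handed to a real QR decoder (after scaling each module to a few pixels) to recover the URL for reputation checks. HTML mail should be converted to text first, since the block characters may be split across tags or entities.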
## Mitigation Strategies
- Employee education on recognizing suspicious QR codes embedded in digital communications.
- Email security tools capable of rendering character-based QR codes into URLs for scanning.
## Related Tools/Techniques
- Blob URIs
- Voicemail phishing
---
# Tool/Technique: Blob URIs
## Overview
The use of specially crafted `blob:` URIs to hide the real phishing content behind a link in a way that defeats security scanners. A `blob:` URL names an object created by script inside the victim's browser (via `URL.createObjectURL`), so the page it points to is assembled client-side and never exists at a server-hosted URL that a scanner could fetch or reputation-check.
## Technical Details
- Type: Evasive Technique (Used within Phishing links)
- Platform: Web/Email
- Capabilities: Hiding the true destination of a link to bypass static URL analysis.
- First Seen: Reported in October (of the reporting year).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.002 - Spearphishing Link
## Functionality
### Core Capabilities
- Delivering a link to a landing page whose script assembles the phishing content in the browser and navigates to the resulting `blob:` URL; a scanner that merely fetches the emailed link sees loader script rather than the credential form, and cannot follow the `blob:` scheme at all.
### Advanced Features
- Part of a growing suite of evasive techniques intended to avoid machine learning analysis.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: `blob:` strings in email content or, more commonly, `URL.createObjectURL` and `new Blob(...)` calls in the script of the landing page the email links to; a `blob:` address in the browser bar when the login form appears.
- Behavioral Indicators: User interaction leading to unexpected redirection after clicking a link.
## Associated Threat Actors
- Adversaries focused on sophisticated link obfuscation.
## Detection Methods
- Security solutions that detonate links in a browser sandbox and analyze what is rendered, rather than only fetching the URL; static URL analysis cannot resolve a `blob:` reference because the object exists only in the visiting browser.
## Mitigation Strategies
- Content Security Policy rules that exclude `blob:` from `script-src`, `frame-src` and `object-src` harden an organization's own web applications; they do not protect users on attacker-controlled pages, so browser-based link detonation and phishing-resistant MFA remain the primary controls.
- User vigilance regarding links that appear structurally unusual.
## Related Tools/Techniques
- ASCII-based QR codes
- Abuse of URL protection services
---
# Tool/Technique: Malicious Attachments for Phishing Content
## Overview
An evolving technique in which the actual phishing payload (an HTML login form, or a PDF carrying the link or embedded script) is moved from the email body into an attachment. This is suspected to be a way of circumventing machine-learning models trained on the text of the email body.
## Technical Details
- Type: Procedure/Technique
- Platform: Email (HTML or PDF attachments)
- Capabilities: Hiding phishing content outside the primary scanned scope of the email body (e.g., ML analysis of body copy).
- First Seen: Observed frequently in 2024, expected to increase.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
## Functionality
### Core Capabilities
- Delivery of phishing content exclusively via an attachment (HTML/PDF).
- Keeping the email body empty or containing minimal text to avoid detection signatures.
### Advanced Features
- Exploiting the blind spot of ML models focused solely on email body characteristics.
## Indicators of Compromise
- File Hashes: Hashes of malicious HTML or PDF attachments.
- File Names: Common attachment names used for delivery.
- Registry Keys: N/A
- Network Indicators: URLs found within the parsed content of the attachment.
- Behavioral Indicators: Execution or rendering of suspicious HTML/PDF attachments.
## Associated Threat Actors
- Attackers seeking to circumvent email gateway ML evaluations.
## Detection Methods
- Scanning of scriptable attachment types (HTML, PDF), including decoding of embedded script and encoded payloads (base64 or JavaScript-obfuscated HTML) before matching signatures.
- Sandboxing attachment rendering to inspect final payload.
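An inspector for this pattern, which also covers the client-side content assembly described under Blob URIs above. This is an added example for this page, not Barracuda's code: it parses the message with the Python standard library, counts the words in the body, and scores each HTML attachment on its own for form targets, password fields, external URLs and script constructs (`new Blob`, `URL.createObjectURL`, `atob`, `document.write`) that build the page in the browser instead of shipping it. The message, the `.invalid` hosts and `BODY_WORD_THRESHOLD` are constructed assumptions for the demonstration; the PDF check only sees uncompressed link annotations.

```python
"""Score mail whose phishing payload lives in an attachment, not the body."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

BODY_WORD_THRESHOLD = 20  # assumed: bodies shorter than this count as "near empty"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Script constructs that assemble the form client-side rather than ship it as HTML.
RISKY_SCRIPT = re.compile(r"URL\.createObjectURL|new\s+Blob\b|atob\(|document\.write", re.I)
PDF_URI_RE = re.compile(rb"/URI\s*\((https?://[^)]+)\)")  # uncompressed PDF objects only

class _HtmlCollector(HTMLParser):
    """Collects form actions, link targets, password inputs and inline scripts."""
    def __init__(self):
        super().__init__()
        self.form_actions, self.targets, self.scripts = [], [], []
        self.password_fields, self._in_script = 0, False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        if a.get("href") or a.get("src"):
            self.targets.append(a.get("href") or a.get("src"))
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def analyse_html(html_text):
    """Indicators from one HTML document (attachment or landing page)."""
    p = _HtmlCollector()
    p.feed(html_text)
    return {
        "form_actions": p.form_actions,
        "urls": sorted(set(p.targets) | set(URL_RE.findall(html_text))),
        "password_fields": p.password_fields,
        "risky_script": any(RISKY_SCRIPT.search(s) for s in p.scripts),
    }

def analyse_message(raw_bytes):
    """Parse an RFC 5322 message; score the body and every attachment separately."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body else ""
    report = {"subject": msg["subject"],
              "body_words": len(re.findall(r"\w+", body_text)),
              "attachments": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        entry = {"filename": name, "content_type": part.get_content_type()}
        if entry["content_type"] == "text/html" or name.endswith((".htm", ".html")):
            entry.update(analyse_html(data.decode("utf-8", "replace")))
        elif entry["content_type"] == "application/pdf" or name.endswith(".pdf"):
            entry["urls"] = [u.decode("latin-1") for u in PDF_URI_RE.findall(data)]
        report["attachments"].append(entry)
    return report

def phish_reasons(report):
    """Why the message matches the empty-body, payload-in-attachment pattern."""
    reasons = []
    if report["body_words"] < BODY_WORD_THRESHOLD and report["attachments"]:
        reasons.append("near-empty body with attachment")
    for a in report["attachments"]:
        if a.get("password_fields"):
            reasons.append(f"{a['filename']}: password field")
        if a.get("form_actions"):
            reasons.append(f"{a['filename']}: form posts to {a['form_actions'][0]}")
        if a.get("risky_script"):
            reasons.append(f"{a['filename']}: client-side content assembly")
    return reasons

def build_sample_message():
    """Constructed message: three-word body, HTML attachment holding a login form."""
    html = ("<html><body><p>Sign in to view your remittance advice.</p>"
            '<form action="https://login-portal.invalid/submit.php" method="post">'
            '<input name="user"><input type="password" name="pass">'
            '<input type="submit" value="Sign in"></form></body></html>')
    msg = EmailMessage()
    msg["From"] = "payroll@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Remittance advice"
    msg.set_content("Please see attached.")
    msg.add_attachment(html, subtype="html", filename="remittance.html")
    return msg.as_bytes()
```

`phish_reasons(analyse_message(build_sample_message()))` returns three reasons: the near-empty body, the password field and the form posting to an external host. Because the attachment is decoded and parsed on its own, the body text contributes nothing to the verdict, which is the blind spot the technique relies on.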
## Mitigation Strategies
- Restricting execution or automatic rendering of potentially dangerous file types (HTML/PDF) in email clients.
- Thorough inspection of all incoming attachments regardless of email body content.
## Related Tools/Techniques
- General spearphishing via attachment
- Evading ML analysis
---
# Tool/Technique: AI-Enhanced Personalized Extortion/Sextortion
## Overview
The use of Artificial Intelligence to highly personalize threats, specifically in extortion and sextortion campaigns. Attackers leverage analysis of a recipient's social media and communication history to craft psychologically manipulative, convincing, and emotionally targeted demands.
## Technical Details
- Type: Technique (Leveraging AI)
- Platform: Communication Channels (Email, messaging)
- Capabilities: Generating highly realistic, grammatically perfect, and emotionally resonant lures based on harvested personal data.
- First Seen: Extortion attacks observed extensively in 2024, use of hyper-personalization based on AI analysis expected to rise in 2025.
## MITRE ATT&CK Mapping
- TA0040 - Impact
- T1657 - Financial Theft (covers extortion)
- TA0001 - Initial Access
- T1566 - Phishing (Used as delivery mechanism)
## Functionality
### Core Capabilities
- Utilizing AI to analyze personal data (social media, communications) for targeted content creation.
- Crafting precise grammar and human-like emotional appeals.
### Advanced Features
- Threatening victims using specific personal details (e.g., referencing Google Street View imagery of the victim’s home).
- Demanding higher ransom amounts due to increased perceived validity and pressure.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Highly specific, emotionally charged language targeting individual perceived vulnerabilities.
## Associated Threat Actors
- Adversaries looking to maximize yield from extortion campaigns using generative AI capabilities.
## Detection Methods
- Advanced natural language processing (NLP) analysis to detect manipulative emotional appeals or mentions of specific personal reconnaissance data.
- User reporting of unusually specific threats.
## Mitigation Strategies
- Strict personal data privacy hygiene (minimizing public exposure on social media).
- Security culture emphasizing skepticism toward unsolicited communications containing unnervingly specific personal details.
## Related Tools/Techniques
- Generative AI for content creation
- Credential theft resulting from successful extortion attempts
---
# Tool/Technique: Abuse of Trusted URL Protection Services
## Overview
An advanced phishing tactic where threat actors exploit legitimate, trusted URL protection or redirection services (often provided by security vendors themselves) to mask the final destination of malicious phishing links. This abuses trust inherent in the redirection chain.
## Technical Details
- Type: Technique/Exploitation of Trust
- Platform: Web/Email Link Redirection
- Capabilities: Bypassing URL filtering by chaining the click through a known, trusted redirector before it reaches the final malicious site, so the first hop a filter sees carries a good reputation.
- First Seen: Reported in July (of the reporting year) and confirmed still active.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.002 - Spearphishing Link
## Functionality
### Core Capabilities
- Masking the malicious final URL within a trusted service wrapper.
- Relying on security tools trusting the reputation of established URL protection infrastructure.
### Advanced Features
- Targets the trust relationships between security validation layers.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Chains of redirection starting from the initial email link through a legitimate URL protection service to the final malicious destination.
- Behavioral Indicators: Browser redirects through known security vendor domains before landing on a suspicious page.
## Associated Threat Actors
- Sophisticated phishing operators capable of mapping and exploiting security vendor infrastructure.
## Detection Methods
- Dynamic analysis to follow redirection chains completely, regardless of the intermediate domain’s reputation.
- Analyzing the final destination of any link, not just the initial string presented.
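A resolver that does what these two detection points describe: follow every hop and judge the link by where it ends, not by the reputation of the first hop. This is an added example for this page, not Barracuda's code. Fetching is a callable so the logic runs offline here against a constructed chain; in production you would pass a function that performs a real HTTP GET with automatic redirects disabled and returns `(status, headers, body)`. The `.invalid` hosts, `TRUSTED_WRAPPERS`, `KNOWN_BAD_HOSTS` and the query-parameter heuristic in `embedded_target` are assumptions for the demonstration.

```python
"""Follow a link's full redirect chain and score the final destination."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urljoin, urlparse

MAX_HOPS = 10
# Assumed lists: URL protection services the organisation has licensed, and
# hosts already known as phishing infrastructure.
TRUSTED_WRAPPERS = {"urlguard.example.invalid"}
KNOWN_BAD_HOSTS = {"sso-verify-login.invalid"}
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv=[\"']?refresh[\"']?[^>]*content=[\"']?\s*\d+\s*;\s*url=([^\"'>\s]+)", re.I)
JS_LOCATION = re.compile(r"(?:window\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.I)

@dataclass
class Hop:
    url: str
    kind: str  # http | meta | js | param | loop | final

def next_hop(url, status, headers, body):
    """(next_url, kind) for an HTTP, meta-refresh or JS redirect; None for a final page."""
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        return urljoin(url, headers["location"]), "http"
    m = META_REFRESH.search(body or "")
    if m:
        return urljoin(url, m.group(1)), "meta"
    m = JS_LOCATION.search(body or "")
    if m:
        return urljoin(url, m.group(1)), "js"
    return None

def embedded_target(url):
    """Heuristic: a wrapper that carries its destination in a query parameter."""
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            v = unquote(v)
            if v.lower().startswith(("http://", "https://")):
                return v
    return None

def resolve_chain(start_url, fetch):
    """Follow redirects until a final page, a loop, or the hop budget runs out."""
    chain, seen, url = [], set(), start_url
    for _ in range(MAX_HOPS):
        if url in seen:
            chain.append(Hop(url, "loop"))
            return chain
        seen.add(url)
        status, headers, body = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            target = embedded_target(url)   # interstitial that names its target
            if target and target not in seen:
                chain.append(Hop(url, "param"))
                url = target
                continue
            chain.append(Hop(url, "final"))
            return chain
        chain.append(Hop(url, nxt[1]))
        url = nxt[0]
    chain.append(Hop(url, "final"))  # budget exhausted; judge what was reached
    return chain

def verdict(chain):
    """Decide from the last hop; a trusted first hop is context, not evidence."""
    final = chain[-1]
    host = urlparse(final.url).hostname or ""
    via_trusted = any(urlparse(h.url).hostname in TRUSTED_WRAPPERS for h in chain[:-1])
    if host in KNOWN_BAD_HOSTS:
        decision = "block"
    elif final.kind == "loop" or len(chain) > MAX_HOPS:
        decision = "suspicious"
    else:
        decision = "allow"
    return {"decision": decision, "final_host": host, "via_trusted_wrapper": via_trusted,
            "hops": [(h.kind, h.url) for h in chain]}

# ---- constructed chain for the demo: trusted wrapper -> file-share look-alike
# -> meta refresh -> JS redirect -> credential form ---------------------------
START_URL = "https://urlguard.example.invalid/v2/?u=https%3A%2F%2Fcloud-docs.invalid%2Fshare%2F17"
FAKE_WEB = {
    START_URL: (302, {"Location": "https://cloud-docs.invalid/share/17"}, ""),
    "https://cloud-docs.invalid/share/17":
        (200, {}, '<html><meta http-equiv="refresh" content="0;url=/open"></html>'),
    "https://cloud-docs.invalid/open":
        (200, {}, '<script>window.location.href="https://sso-verify-login.invalid/login";</script>'),
    "https://sso-verify-login.invalid/login":
        (200, {}, '<html><form method="post"><input type="password"></form></html>'),
}

def fake_fetch(url):
    return FAKE_WEB.get(url, (404, {}, ""))
```

`verdict(resolve_chain(START_URL, fake_fetch))` yields `block` with `via_trusted_wrapper` set, whereas a reputation check on the emailed link alone would have allowed it because the first hop is the licensed wrapper. Relative `Location` and `url=` values are resolved against the current hop, and the `seen` set stops redirect loops.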
## Mitigation Strategies
- Security posture review to ensure link reputation systems check the entire redirection path, not just the first hop.
- Deploying browser extensions or gateway protections that scrutinize destination behavior post-initial link click.
## Related Tools/Techniques
- URL Obfuscation Techniques
- Evasion of modern security gateway analysis