Inside Phishing-as-a-Service: How Cybercrime Became a Subscription Business​

Phishing has evolved from amateur scams into industrialized cybercrime. Today, it accounts for 74% of all advanced email attacks, making it the most pervasive threat facing organizations.

But what’s fueling this rise?

Enter Phishing-as-a-Service (PhaaS): subscription-based kits that give attackers everything they need—email templates, fake login pages, infrastructure, and even customer support. With AI-generated phishing emails making scams more convincing than ever, phishing is no longer reserved for highly skilled hackers.

Not to mention, the cost is staggering. Business Email Compromise (BEC), a common outcome of PhaaS attacks, led to $2.9 billion in losses in 2023.

Security leaders need to understand the ecosystem behind PhaaS: how phishing kits are packaged and sold, who’s using them, and which defenses actually work against them.

Phishing-as-a-Service (PhaaS) is a subscription-based cybercrime model that gives cybercriminals everything they need to run sophisticated phishing campaigns. This model has turned phishing from a specialized craft into a ready-to-use service anyone can buy.

PhaaS platforms mirror legitimate Software-as-a-Service (SaaS) businesses with:

• Tiered pricing models (Basic, Professional, and Enterprise plans)

• User-friendly dashboards and interfaces

• Ongoing updates and feature enhancements

• Customer support to troubleshoot and optimize attacks

A typical PhaaS package includes:

• Pre-built phishing templates impersonating brands like Microsoft, Google, and major banks

• Hosting infrastructure for fake websites and login pages

• Bulk email distribution systems

• Analytics dashboards to track campaign success

• Technical support for attack customization

These services are alarmingly accessible and affordable, making phishing a low-cost, high-reward attack vector.

The scale is shocking: PhaaS platform W3LL made over $500,000 annually with about 500 active users. This industrialization of phishing directly contributed to the FBI recording nearly 300,000 phishing incidents in 2023, which is five times more than the second most common cybercrime.

As PhaaS evolves, it incorporates increasingly advanced features like multi-factor authentication (MFA) bypass tools and AI-generated content, making these attacks even harder to detect.

PhaaS is reshaping cybercrime, turning phishing from a niche skill into a scalable cybercrime model business.

The result? More frequent attacks, broader reach, and increasingly convincing tactics.

Phishing used to require deep technical knowledge: building fake websites, configuring email servers, and evading detection. That complexity kept the number of attackers relatively low.

PhaaS has removed those barriers. Now, attackers can purchase end-to-end kits that include:

• Email templates impersonating brands like Microsoft and Google

• Fake website generators with drag-and-drop functionality

• Built-in email distribution systems

• Real-time campaign analytics

• Step-by-step setup guides and support

Even users with no coding experience can launch credible phishing campaigns with a subscription and a few clicks.

As phishing becomes easier to execute, attack frequency continues to rise:

• Phishing attacks increased by 30.5% in the APAC region between 2023 and 2024, probably driven in part by PhaaS availability.

• Phishing and business email compromise cause 44% of cybercrime losses.

• Phishing has the second-highest financial impact across attack vectors, costing organizations an average of $4.88 million per breach.

With automation and infrastructure in place, bad actors can launch campaigns faster, cheaper, and at greater scale.

Today’s PhaaS-driven phishing campaigns are far more advanced. They make use of tools and tactics like:

• Using MFA bypass tools to intercept one-time codes and session cookies.

• Creating AI-generated content that closely mimics internal emails and official notices.

• Rotating dynamic URLs constantly to evade detection

• Monitoring campaign dashboards real-time to enable rapid adjustment of tactics

Attackers are also getting better at bypassing MFA protections, making it harder for traditional defenses to keep up.

PhaaS platforms are fueling a new wave of email-based attacks by making sophisticated phishing kits, infrastructure, and campaign automation available to anyone—for a subscription fee.

Here's what security teams need to know about the tools and actors behind these operations.

Several leading platforms have emerged as key players in the phishing economy, each offering unique capabilities:

• EvilProxy: They specialize in MFA bypass using reverse proxy techniques and often target major platforms like Microsoft, Google, GitHub, and Apple.

• ONNX (formerly Caffeine): They offer tiered pricing, full customer support, and phishing kits customized by industry, including finance and healthcare, that appeal to less technical users.

• W3LL: They are an invite-only marketplace that generated $500K annually by 2023 that are known for their high-quality phishing templates and a trusted criminal user base.

• Greatness: They focus on Microsoft 365 targets, delivering polished phishing pages for BEC-style attacks.

Together, these platforms illustrate how phishing has scaled into a service model with sophisticated offerings that rival legitimate SaaS companies in usability and support.

PhaaS providers attract a wide spectrum of users, from sophisticated criminal organizations to low-skill attackers and insiders.

Here are the most common actor profiles:

• Cybercriminal syndicates use PhaaS to run large-scale, profit-driven campaigns targeting high-value industries like finance and healthcare.

• Nation-state groups incorporate PhaaS into espionage operations, leveraging its anonymity and scalability to infiltrate government and critical infrastructure.

• Novice attackers rely on easy-to-use kits with built-in templates and automation, requiring little technical skill to launch effective campaigns.

• Ransomware affiliates use phishing to gain initial access before deploying ransomware, often remaining undetected until it’s too late.

• Insiders exploit existing access and knowledge of internal systems, sometimes combining forces with external actors for greater impact.

This diversity makes PhaaS especially dangerous—threat actors of all skill levels now have the tools to launch targeted, high-impact attacks.

PhaaS has industrialized phishing, making advanced attacks faster, cheaper, and harder to detect. Attackers can now routinely rely on commercialized platforms that mimic legitimate SaaS tools to scale operations.

Here are some common tactics PhaaS providers use that make them so effective.

Attackers use PhaaS platforms to quickly spin up credential phishing campaigns that mimic trusted brands. These campaigns typically include:

• Prebuilt email templates impersonating services like Microsoft or Google

• Fake login pages hosted on bulletproof infrastructure

• Real-time dashboards to monitor victim interaction

Platforms like Darcula even auto-generate phishing kits with dynamic branding, making it easy to launch convincing campaigns in minutes.

To defeat one of the most common enterprise defenses, attackers rely on reverse proxies and real-time credential interception.

PhaaS platforms like EvilProxy specialize in:

• Stealing authentication tokens mid-session

• Hijacking active sessions through browser-in-the-middle attacks

• Using Telegram bots to harvest MFA codes before they expire

These techniques allow full account access even with MFA enabled.

Effective phishing relies on familiarity and trust. Attackers use PhaaS kits tailored to specific industries, geographies, or victims. Common tactics include:

• Regional branding and language localization

• Templates built for finance, healthcare, and SaaS environments

• Data from previous breaches to personalize the message

This customization significantly boosts click-through and submission rates, especially when attackers exploit B2B tools.

To stay ahead of spam filters and takedowns, attackers constantly evolve their evasion methods.

PhaaS providers make it easy for attackers to use the following evasion tactics:

• Dynamic URL generation that rotates with each click

• IP filtering to block researchers and threat intel teams

• Proxy chains that obscure source IP addresses

• Hosting on resilient, geo-distributed infrastructure

This backend support lets campaigns run longer without disruption.

Beyond immediate credential theft, PhaaS providers enable attackers to plant malware, move laterally, or launch follow-on attacks like ransomware or business email compromise.

Common tactics include:

• Updating mailbox rules to hide future phishing emails.

• Establishing OAuth app integrations for persistent access.

• Using compromised accounts to phish additional internal targets.

These methods blur the line between phishing and full-scale compromise, giving attackers footholds across environments.

PhaaS operators go beyond just selling tools, they empower buyers with the knowledge to succeed. This includes:

• In-depth setup guides and walkthroughs

• Active forums for sharing tactics

• Regularly updated kits that stay ahead of detection

These professional support systems lower the technical barrier to entry, helping even inexperienced attackers run highly effective campaigns.

The phishing threat landscape is expanding in both scale and complexity, driven by the accessibility of PhaaS platforms, the diversity of attackers using them, and the widening surface area of modern business systems.

Modern phishing operations move at breakneck speed. Attackers can purchase ready-made kits, customize templates, and launch campaigns—all within hours. As Abnormal Security reports, Business Email Compromise (BEC) losses hit $2.9 billion in 2023 alone, and many of these attacks unfolded in just a few days.

A typical PhaaS attack timeline looks like this:

1. Prep and Customization: Attackers research targets and tailor kits.

2. Initial Deployment: Phishing emails mimic vendors or executives to gain trust.

3. Credential Capture: Many kits now intercept MFA tokens in real time.

4. Account Takeover and Lateral <ovement: Attackers escalate privileges and exfiltrate data.

5. Monetization: Data is sold, ransoms are demanded, or financial fraud is initiated.

This compressed timeline leaves security teams little time to detect and respond before damage is done.

PhaaS isn’t just for low-level criminals. Nation-state actors and organized cybercrime groups are using it to scale operations and evade detection. Platforms like W3LL exemplify how polished and professionalized these ecosystems have become.

At the same time, insiders and novice attackers are now viable threats. With little technical knowledge, bad actors can deploy highly targeted campaigns thanks to built-in support, AI-generated content, and real-time analytics.

Email is no longer the only delivery method. Today’s phishing attacks span different platforms:

• Collaboration platforms like Microsoft Teams and Slack

• Cloud applications where users expect trusted access

• File-sharing platforms like Dropbox and OneDrive

• Mobile messaging apps where phishing links often go unchecked

This multichannel approach helps attackers blend in with legitimate communication. AsAbnormal research shows, file-sharing phishing alone surged by 350%, showing just how quickly attackers adapt to new environments.

Stopping attackers using PhaaS tools and tactics requires more than just stronger spam filters.

As attackers continue using professionalized toolkits and automation to scale their campaigns, your defenses must be equally sophisticated—blending AI-powered detection with behavioral insights, access controls, and real-time response capabilities.

PhaaS campaigns are engineered to slip past traditional defenses. Legacy tools often miss these threats because they rely on static rules or known signatures. Modern email security strategies should include:

• AI-based filters that detect unusual language, tone, or communication behavior

• Email authentication protocols like DMARC, SPF, and DKIM to block spoofing attempts

• Behavioral analysis that flags anomalies in sender-recipient patterns, timing, or attachment use

Abnormal’s behavioral AI goes beyond content scanning by analyzing signals across identity, behavior, and context—giving you visibility into even the most subtle threats.

Attackers don’t stop after they steal credentials—they exploit them to move laterally or escalate access. That’s why authentication needs to be dynamic and adaptive:

• Require multi-factor authentication (MFA) across all accounts

• Use risk-based, adaptive MFA that changes based on user behavior

• Apply zero-trust architecture to validate every access request

Abnormal’s account takeover protection monitors login patterns and account activity to catch unusual behavior before attackers can act.

Even with advanced detection tools in place, humans remain a critical line of defense—especially against social engineering. Effective programs include:

• Simulated phishing exercises that mirror PhaaS attack tactics

• Behavioral coaching focused on real-world deception methods

• Clear, frictionless reporting workflows for suspicious emails

Security awareness works best when training is paired with automated detection. Neither is enough on its own.

PhaaS attackers increasingly target cloud platforms to maintain long-term access. Defense strategies should include:

• Continuous monitoring for suspicious permission changes or app configurations

• Seamless integration with platforms like Microsoft 365 and Google Workspace

• Vendor-specific monitoring to reduce risk across your supply chain

Abnormal’s Supplier Risk Management helps surface unusual behavior from third-party contacts that attackers often exploit for lateral movement.

When phishing succeeds, speed matters. Your response should be automated, coordinated, and deeply integrated across systems:

• Use AI-based detection to surface compromises in real-time

• Automatically isolate compromised accounts or remove malicious emails

• Deploy a prebuilt incident response plan tailored for email-based threats

Abnormal Security offers a comprehensive defense against phishing, recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for Email Security Platforms. Our behavioral AI stops the threats others miss—including advanced attacks launched through phishing-as-a-service platforms.

PhaaS has industrialized cybercrime. With attackers leveraging advanced, off-the-shelf tools to launch scalable, high-impact campaigns, traditional defenses aren’t enough.

Here’s what security leaders should prioritize:

1. Evaluate current email defenses to ensure they can detect tactics like MFA bypass and stealthy impersonation used by platforms such as EvilProxy.

2. Adopt a layered security approach that combines AI-powered detection, behavioral analysis, and human awareness to close critical gaps.

3. Leverage behavioral AI to spot the subtle anomalies signature-based tools often miss—especially across platforms like Microsoft 365 and Google Workspace.

4. Monitor emerging trends in file-sharing phishing, multichannel attacks, and new PhaaS tools to stay ahead of the threat curve.

PhaaS may have lowered the bar for attackers, but with the right technology and strategy, organizations can raise the bar on defense.

Book a demo to see how Abnormal uses behavioral AI to detect and block sophisticated phishing threats before they ever reach your employees.