Inside Phishing-as-a-Service: How Cybercrime Became a Subscription Business
Phishing has evolved from amateur scams into industrialized cybercrime. Today, it accounts for 74% of all advanced email attacks, making it the most pervasive threat facing organizations.
But what’s fueling this rise?
Enter Phishing-as-a-Service (PhaaS): subscription-based kits that give attackers everything they need—email templates, fake login pages, infrastructure, and even customer support. With AI-generated phishing emails making scams more convincing than ever, phishing is no longer reserved for highly skilled hackers.
Not to mention, the cost is staggering. Business Email Compromise (BEC), a common outcome of PhaaS attacks, led to $2.9 billion in losses in 2023.
Security leaders need to understand the ecosystem behind PhaaS: how phishing kits are packaged and sold, who’s using them, and which defenses actually work against them.
What Is Phishing-as-a-Service?
Phishing-as-a-Service (PhaaS) is a subscription-based cybercrime model that gives cybercriminals everything they need to run sophisticated phishing campaigns. This model has turned phishing from a specialized craft into a ready-to-use service anyone can buy.
PhaaS platforms mirror legitimate Software-as-a-Service (SaaS) businesses with:
Tiered pricing models (Basic, Professional, and Enterprise plans)
User-friendly dashboards and interfaces
Ongoing updates and feature enhancements
Customer support to troubleshoot and optimize attacks
A typical PhaaS package includes:
Pre-built phishing templates impersonating brands like Microsoft, Google, and major banks
Hosting infrastructure for fake websites and login pages
Bulk email distribution systems
Analytics dashboards to track campaign success
Technical support for attack customization
These services are alarmingly accessible and affordable, making phishing a low-cost, high-reward attack vector.
The scale is shocking: PhaaS platform W3LL made over $500,000 annually with about 500 active users. This industrialization of phishing directly contributed to the FBI recording nearly 300,000 phishing incidents in 2023, which is five times more than the second most common cybercrime.
As PhaaS evolves, it incorporates increasingly advanced features like multi-factor authentication (MFA) bypass tools and AI-generated content, making these attacks even harder to detect.
How Phishing as a Service Is Changing the Threat Landscape
PhaaS is reshaping cybercrime, turning phishing from a niche skill into a scalable criminal business model.
The result? More frequent attacks, broader reach, and increasingly convincing tactics.
Lowering the Barrier to Entry
Phishing used to require deep technical knowledge: building fake websites, configuring email servers, and evading detection. That complexity kept the number of attackers relatively low.
PhaaS has removed those barriers. Now, attackers can purchase end-to-end kits that include:
Email templates impersonating brands like Microsoft and Google
Fake website generators with drag-and-drop functionality
Built-in email distribution systems
Real-time campaign analytics
Step-by-step setup guides and support
Even users with no coding experience can launch credible phishing campaigns with a subscription and a few clicks.
Increasing the Volume of Attacks
As phishing becomes easier to execute, attack frequency continues to rise:
Phishing attacks increased by 30.5% in the APAC region between 2023 and 2024, probably driven in part by PhaaS availability.
Phishing and business email compromise cause 44% of cybercrime losses.
Phishing has the second-highest financial impact across attack vectors, costing organizations an average of $4.88 million per breach.
With automation and infrastructure in place, bad actors can launch campaigns faster, cheaper, and at greater scale.
Increasing the Sophistication of Attacks
Today’s PhaaS-driven phishing campaigns are far more advanced. They make use of tools and tactics like:
MFA bypass tools that intercept one-time codes and session cookies
AI-generated content that closely mimics internal emails and official notices
Dynamic URLs that rotate constantly to evade detection
Real-time campaign dashboards that enable rapid adjustment of tactics
Attackers are also getting better at bypassing MFA protections, making it harder for traditional defenses to keep up.
Key Platforms and Threat Actor Profiles in Phishing-as-a-Service
PhaaS platforms are fueling a new wave of email-based attacks by making sophisticated phishing kits, infrastructure, and campaign automation available to anyone—for a subscription fee.
Here's what security teams need to know about the tools and actors behind these operations.
Notable PhaaS Platforms
Several leading platforms have emerged as key players in the phishing economy, each offering unique capabilities:
EvilProxy: Specializes in MFA bypass using reverse proxy techniques and often targets major platforms like Microsoft, Google, GitHub, and Apple.
ONNX (formerly Caffeine): Offers tiered pricing, full customer support, and phishing kits customized by industry, including finance and healthcare, which appeal to less technical users.
W3LL: An invite-only marketplace that generated $500K annually by 2023, known for high-quality phishing templates and a trusted criminal user base.
Greatness: Focuses on Microsoft 365 targets, delivering polished phishing pages for BEC-style attacks.
Together, these platforms illustrate how phishing has scaled into a service model with sophisticated offerings that rival legitimate SaaS companies in usability and support.
Common Threat Actor Profiles
PhaaS providers attract a wide spectrum of users, from sophisticated criminal organizations to low-skill attackers and insiders.
Here are the most common actor profiles:
Cybercriminal syndicates use PhaaS to run large-scale, profit-driven campaigns targeting high-value industries like finance and healthcare.
Nation-state groups incorporate PhaaS into espionage operations, leveraging its anonymity and scalability to infiltrate government and critical infrastructure.
Novice attackers rely on easy-to-use kits with built-in templates and automation, requiring little technical skill to launch effective campaigns.
Ransomware affiliates use phishing to gain initial access before deploying ransomware, often remaining undetected until it’s too late.
Insiders exploit existing access and knowledge of internal systems, sometimes combining forces with external actors for greater impact.
This diversity makes PhaaS especially dangerous—threat actors of all skill levels now have the tools to launch targeted, high-impact attacks.
Tactics Used in Phishing-as-a-Service Attacks
PhaaS has industrialized phishing, making advanced attacks faster, cheaper, and harder to detect. Attackers can now routinely rely on commercialized platforms that mimic legitimate SaaS tools to scale operations.
Here are some common tactics PhaaS providers use that make them so effective.
Launching Large-Scale Credential Harvesting Campaigns
Attackers use PhaaS platforms to quickly spin up credential phishing campaigns that mimic trusted brands. These campaigns typically include:
Prebuilt email templates impersonating services like Microsoft or Google
Fake login pages hosted on bulletproof infrastructure
Real-time dashboards to monitor victim interaction
Platforms like Darcula even auto-generate phishing kits with dynamic branding, making it easy to launch convincing campaigns in minutes.
Bypassing Multi-Factor Authentication (MFA)
To defeat one of the most common enterprise defenses, attackers rely on reverse proxies and real-time credential interception.
PhaaS platforms like EvilProxy specialize in:
Stealing authentication tokens mid-session
Hijacking active sessions through browser-in-the-middle attacks
Using Telegram bots to harvest MFA codes before they expire
These techniques allow full account access even with MFA enabled.
Customizing Lures to Match the Target
Effective phishing relies on familiarity and trust. Attackers use PhaaS kits tailored to specific industries, geographies, or victims. Common tactics include:
Regional branding and language localization
Templates built for finance, healthcare, and SaaS environments
Data from previous breaches to personalize the message
This customization significantly boosts click-through and submission rates, especially when attackers exploit B2B tools.
Evading Detection Across Channels
To stay ahead of spam filters and takedowns, attackers constantly evolve their evasion methods.
PhaaS providers make it easy for attackers to use the following evasion tactics:
Dynamic URL generation that rotates with each click
IP filtering to block researchers and threat intel teams
Proxy chains that obscure source IP addresses
Hosting on resilient, geo-distributed infrastructure
This backend support lets campaigns run longer without disruption.
Gaining Persistent Access for Secondary Attacks
Beyond immediate credential theft, PhaaS providers enable attackers to plant malware, move laterally, or launch follow-on attacks like ransomware or business email compromise.
Common tactics include:
Updating mailbox rules to hide future phishing emails.
Establishing OAuth app integrations for persistent access.
Using compromised accounts to phish additional internal targets.
These methods blur the line between phishing and full-scale compromise, giving attackers footholds across environments.
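The mailbox-rule tactic above is one of the easiest post-compromise signals to hunt for. The following is an added example written for this page, not Abnormal's code or any vendor's detection logic: it audits a list of inbox rules and flags those that combine the patterns described (keyword filters on security or finance terms, moving mail to rarely viewed folders, deleting mail, or forwarding externally). The rule objects are constructed to resemble the shape of a Microsoft Graph messageRule (displayName, conditions, actions), but only the keys used here are assumed, and the keyword and folder lists are assumptions a team would tune.

```python
"""Audit mailbox rules for common post-compromise persistence patterns.

Added example; this is not Abnormal's code or any vendor's detection logic.
The rule objects are constructed to resemble the shape of a Microsoft Graph
'messageRule' (displayName / conditions / actions), but only the keys used
here are assumed. Keyword and folder lists are assumptions a team would tune.
"""
import re

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Words attackers filter on so that warnings or finance threads never reach the victim.
SUSPECT_KEYWORDS = {"phish", "password", "suspicious", "hacked", "security",
                    "invoice", "wire", "payment"}

# Folders used to park mail where a user is unlikely to look.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "archive", "conversation history"}

# Constructed sample rules (not real tenant data).
SAMPLE_RULES = [
    {"displayName": "Archive newsletters",
     "conditions": {"subjectContains": ["newsletter"]},
     "actions": {"moveToFolder": "Archive"}},
    {"displayName": ".",
     "conditions": {"subjectContains": ["password", "phish", "suspicious"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
    {"displayName": "Invoices",
     "conditions": {"bodyContains": ["invoice", "wire"]},
     "actions": {"forwardTo": ["finance@attacker-example.net"], "delete": True}},
]


def rule_findings(rule):
    """Return a list of human-readable reasons this rule looks like persistence."""
    findings = []
    name = rule.get("displayName", "").strip()
    if len(name) <= 1 or not re.search(r"[A-Za-z0-9]", name):
        findings.append("non-descriptive rule name")

    conditions = rule.get("conditions", {})
    words = {w.lower() for key in ("subjectContains", "bodyContains")
             for w in conditions.get(key, [])}
    hits = sorted(words & SUSPECT_KEYWORDS)
    if hits:
        findings.append("filters on security/finance keywords: " + ", ".join(hits))

    actions = rule.get("actions", {})
    if actions.get("delete"):
        findings.append("deletes matching mail")
    folder = actions.get("moveToFolder", "")
    if folder.lower() in HIDING_FOLDERS and actions.get("markAsRead"):
        findings.append(f"moves mail to '{folder}' and marks it read")
    external = [addr for addr in actions.get("forwardTo", [])
                if not addr.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    return findings


def audit_rules(rules, min_findings=2):
    """Return the rules that accumulate at least min_findings indicators."""
    flagged = []
    for rule in rules:
        findings = rule_findings(rule)
        if len(findings) >= min_findings:
            flagged.append({"displayName": rule.get("displayName", ""),
                            "findings": findings})
    return flagged


if __name__ == "__main__":
    for hit in audit_rules(SAMPLE_RULES):
        print(f"{hit['displayName']!r}: {'; '.join(hit['findings'])}")
```

Requiring two indicators keeps a single benign "move newsletters to Archive" rule out of the alert queue while still catching the combination of keyword filtering and hiding that a freshly compromised mailbox tends to show; the same audit can be re-run on every rule-creation event rather than only as a periodic sweep.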
Enabling Low-Skill Threat Actors Through Support
PhaaS operators go beyond just selling tools: they give buyers the knowledge to succeed. This includes:
In-depth setup guides and walkthroughs
Active forums for sharing tactics
Regularly updated kits that stay ahead of detection
These professional support systems lower the technical barrier to entry, helping even inexperienced attackers run highly effective campaigns.
The Growing Threat Landscape
The phishing threat landscape is expanding in both scale and complexity, driven by the accessibility of PhaaS platforms, the diversity of attackers using them, and the widening surface area of modern business systems.
PhaaS Campaigns Move Faster Than Ever
Modern phishing operations move at breakneck speed. Attackers can purchase ready-made kits, customize templates, and launch campaigns—all within hours. As Abnormal Security reports, Business Email Compromise (BEC) losses hit $2.9 billion in 2023 alone, and many of these attacks unfolded in just a few days.
A typical PhaaS attack timeline looks like this:
Prep and Customization: Attackers research targets and tailor kits.
Initial Deployment: Phishing emails mimic vendors or executives to gain trust.
Credential Capture: Many kits now intercept MFA tokens in real time.
Account Takeover and Lateral Movement: Attackers escalate privileges and exfiltrate data.
Monetization: Data is sold, ransoms are demanded, or financial fraud is initiated.
This compressed timeline leaves security teams little time to detect and respond before damage is done.
Threat Actors Are Becoming More Sophisticated
PhaaS isn’t just for low-level criminals. Nation-state actors and organized cybercrime groups are using it to scale operations and evade detection. Platforms like W3LL exemplify how polished and professionalized these ecosystems have become.
At the same time, insiders and novice attackers are now viable threats. With little technical knowledge, bad actors can deploy highly targeted campaigns thanks to built-in support, AI-generated content, and real-time analytics.
Multi-Vector Attacks Are Becoming the Norm
Email is no longer the only delivery method. Today’s phishing attacks span different platforms:
Collaboration platforms like Microsoft Teams and Slack
Cloud applications where users expect trusted access
File-sharing platforms like Dropbox and OneDrive
Mobile messaging apps where phishing links often go unchecked
This multichannel approach helps attackers blend in with legitimate communication. As Abnormal research shows, file-sharing phishing alone surged by 350%, showing just how quickly attackers adapt to new environments.
How to Defend Against Phishing-as-a-Service Attacks
Stopping attackers using PhaaS tools and tactics requires more than just stronger spam filters.
As attackers continue using professionalized toolkits and automation to scale their campaigns, your defenses must be equally sophisticated—blending AI-powered detection with behavioral insights, access controls, and real-time response capabilities.
Modernize Your Email Security Stack
PhaaS campaigns are engineered to slip past traditional defenses. Legacy tools often miss these threats because they rely on static rules or known signatures. Modern email security strategies should include:
AI-based filters that detect unusual language, tone, or communication behavior
Email authentication protocols like DMARC, SPF, and DKIM to block spoofing attempts
Behavioral analysis that flags anomalies in sender-recipient patterns, timing, or attachment use
Abnormal’s behavioral AI goes beyond content scanning by analyzing signals across identity, behavior, and context—giving you visibility into even the most subtle threats.
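DMARC is where SPF and DKIM stop being independent checks and start protecting the From: address a user actually sees. The following is an added example, not Abnormal's code or a real mail filter, showing how a receiver decides a message's fate: it parses a _dmarc TXT record and applies DMARC's identifier-alignment rules (RFC 7489), under which the header From: domain must align with the domain that passed SPF (the envelope MAIL FROM) or with the d= domain of a valid DKIM signature. The organizational-domain helper is a deliberate simplification, and every record and message below is constructed.

```python
"""Evaluate a message against a DMARC policy from its SPF and DKIM results.

Added example; this is not Abnormal's code or a real mail filter. It applies
the identifier-alignment rules of DMARC (RFC 7489): the header From: domain
must align with the domain that passed SPF (the envelope MAIL FROM) or with
the d= domain of a valid DKIM signature. The organizational-domain helper is
a simplification, and all records and messages below are constructed.
"""
from dataclasses import dataclass


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated for
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= tag of the DKIM signature that was verified


def organizational_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Assumption: a production implementation consults the Public Suffix List
    so that e.g. 'bank.co.uk' is not reduced to 'co.uk'.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def parse_dmarc(record):
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; aspf=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate(auth, dmarc_record):
    """Return 'pass' when an aligned SPF or DKIM identifier passed,
    otherwise the policy's requested disposition (none/quarantine/reject)."""
    tags = parse_dmarc(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"  # not a DMARC record: no policy to enforce
    spf_ok = (auth.spf_result.lower() == "pass"
              and aligned(auth.from_domain, auth.spf_domain, tags.get("aspf", "r").lower()))
    dkim_ok = (auth.dkim_result.lower() == "pass"
               and aligned(auth.from_domain, auth.dkim_domain, tags.get("adkim", "r").lower()))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none").lower()


# Constructed cases. The spoof passes SPF for the attacker's own sending domain,
# which is exactly the case alignment exists to catch.
LEGIT = AuthResults("example.com", "pass", "mail.example.com", "pass", "example.com")
SPOOF = AuthResults("example.com", "pass", "bulk.attacker-example.net", "none", "")
SUBDOMAIN_ONLY_SPF = AuthResults("example.com", "pass", "mail.example.com", "none", "")

if __name__ == "__main__":
    print(evaluate(LEGIT, "v=DMARC1; p=reject"))                           # pass
    print(evaluate(SPOOF, "v=DMARC1; p=reject"))                           # reject
    print(evaluate(SUBDOMAIN_ONLY_SPF, "v=DMARC1; p=quarantine; aspf=s"))  # quarantine
```

The SPOOF case is the one worth internalising: an attacker can always make SPF pass for a domain they control, so a raw "SPF pass" in an Authentication-Results header means little. Only the alignment step ties the passing identifier back to the displayed From: domain, and only a policy of quarantine or reject turns that failure into an action.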
Enforce Strong Identity and Access Controls
Attackers don’t stop after they steal credentials—they exploit them to move laterally or escalate access. That’s why authentication needs to be dynamic and adaptive:
Require multi-factor authentication (MFA) across all accounts
Use risk-based, adaptive MFA that changes based on user behavior
Apply zero-trust architecture to validate every access request
Abnormal’s account takeover protection monitors login patterns and account activity to catch unusual behavior before attackers can act.
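Risk-based MFA only works if the risk score is grounded in concrete, comparable signals. The following is an added example written for this page, not Abnormal's account takeover logic or any identity provider's API: it compares a new sign-in with the user's previous one on device, geolocation and elapsed time, flags impossible travel using a great-circle distance, and maps the score to allow, step-up or block. The weights, thresholds, device identifiers and sample sign-ins are constructed assumptions that a team would tune to its own population.

```python
"""Risk-based step-up decision for a sign-in, using behavioural signals.

Added example; this is not Abnormal's account takeover logic or any identity
provider's API. It compares a new sign-in with the user's previous one
(device, geolocation, time) and returns allow / step_up / block. The scores,
thresholds and sample sign-ins are constructed assumptions to be tuned.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass
class SignIn:
    user: str
    when: datetime        # timezone-aware
    device_id: str        # registered device or browser fingerprint id
    lat: float
    lon: float
    country: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess(previous, current, known_devices, max_speed_kmh=900.0):
    """Score the sign-in and map the score to a decision.

    Returns (decision, score, reasons). Weights are assumptions:
    unknown device 2, impossible travel 3, new country 1.
    """
    score, reasons = 0, []
    if current.device_id not in known_devices:
        score += 2
        reasons.append("unrecognised device")
    if previous is not None:
        hours = (current.when - previous.when).total_seconds() / 3600.0
        km = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
        if hours > 0 and km / hours > max_speed_kmh:
            score += 3
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
        if current.country != previous.country:
            score += 1
            reasons.append(f"new country: {current.country}")
    if score == 0:
        decision = "allow"
    elif score < 4:
        decision = "step_up"      # require a fresh, phishing-resistant factor
    else:
        decision = "block"        # hold the session for analyst review
    return decision, score, reasons


# Constructed sign-ins for one user (dates and coordinates are illustrative).
KNOWN_DEVICES = {"laptop-a1"}
PREVIOUS = SignIn("alice", datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc),
                  "laptop-a1", 51.5074, -0.1278, "GB")      # London
SAME_DEVICE_LONDON = SignIn("alice", datetime(2024, 1, 15, 11, 0, tzinfo=timezone.utc),
                            "laptop-a1", 51.5074, -0.1278, "GB")
KNOWN_DEVICE_PARIS = SignIn("alice", datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc),
                            "laptop-a1", 48.8566, 2.3522, "FR")
NEW_DEVICE_SYDNEY = SignIn("alice", datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc),
                           "phone-zz9", -33.8688, 151.2093, "AU")

if __name__ == "__main__":
    for s in (SAME_DEVICE_LONDON, KNOWN_DEVICE_PARIS, NEW_DEVICE_SYDNEY):
        print(assess(PREVIOUS, s, KNOWN_DEVICES))
```

The point of the three sample sign-ins is the middle one: a known device in a new country is exactly the case where a static "always prompt" policy annoys travelling staff and a static "never prompt" policy lets a stolen session cookie through, so it gets a step-up rather than either extreme. Note that the step-up factor should itself be phishing-resistant; a second push or SMS code is the kind of factor the reverse-proxy kits described earlier are built to relay.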
Train Employees to Spot Sophisticated Attacks
Even with advanced detection tools in place, humans remain a critical line of defense—especially against social engineering. Effective programs include:
Simulated phishing exercises that mirror PhaaS attack tactics
Behavioral coaching focused on real-world deception methods
Clear, frictionless reporting workflows for suspicious emails
Security awareness works best when training is paired with automated detection. Neither is enough on its own.
Monitor Cloud Application Activity for Persistent Threats
PhaaS attackers increasingly target cloud platforms to maintain long-term access. Defense strategies should include:
Continuous monitoring for suspicious permission changes or app configurations
Seamless integration with platforms like Microsoft 365 and Google Workspace
Vendor-specific monitoring to reduce risk across your supply chain
Abnormal’s Supplier Risk Management helps surface unusual behavior from third-party contacts that attackers often exploit for lateral movement.
Build and Automate Your Incident Response Playbook
When phishing succeeds, speed matters. Your response should be automated, coordinated, and deeply integrated across systems:
Use AI-based detection to surface compromises in real time
Automatically isolate compromised accounts or remove malicious emails
Deploy a prebuilt incident response plan tailored for email-based threats
Abnormal Security offers a comprehensive defense against phishing, recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for Email Security Platforms. Our behavioral AI stops the threats others miss—including advanced attacks launched through phishing-as-a-service platforms.
What Security Leaders Should Do Next
PhaaS has industrialized cybercrime. With attackers leveraging advanced, off-the-shelf tools to launch scalable, high-impact campaigns, traditional defenses aren’t enough.
Here’s what security leaders should prioritize:
Evaluate current email defenses to ensure they can detect tactics like MFA bypass and stealthy impersonation used by platforms such as EvilProxy.
Adopt a layered security approach that combines AI-powered detection, behavioral analysis, and human awareness to close critical gaps.
Leverage behavioral AI to spot the subtle anomalies signature-based tools often miss—especially across platforms like Microsoft 365 and Google Workspace.
Monitor emerging trends in file-sharing phishing, multichannel attacks, and new PhaaS tools to stay ahead of the threat curve.
PhaaS may have lowered the bar for attackers, but with the right technology and strategy, organizations can raise the bar on defense.
Book a demo to see how Abnormal uses behavioral AI to detect and block sophisticated phishing threats before they ever reach your employees.