‘Massive spike’ in phishing-as-a-service attacks in 2025, research
Barracuda Networks researchers say services by the main actors are evolving to become easier to use and harder to detect
Phishing is by far the most common entry point for hackers, with 84% of businesses reporting having been targeted, according to a recent UK government report.
That’s because crafting an email or SMS to persuade someone to click on a link that takes them to a bogus login site or to a malware download is much simpler and more cost-effective than any other method. And it’s an attack that’s been getting simpler still thanks to Phishing-as-a-Service (PhaaS).
PhaaS operatives provide online kits that can clone numerous legitimate websites’ login pages, together with tools to evade detection by security software, servers to process the purloined credentials and proxy servers to handle Adversary-in-the-middle (AitM) attacks, all for a small starting fee.
It’s an area that is increasing rapidly according to research by security vendor Barracuda Networks, which says it has detected a “massive spike” in PhaaS attacks in the first two months of this year.
The most prominent actor in January and February was Tycoon 2FA/Tycoon Group, a platform that’s been around since at least August 2023, according to security vendor Sekoia, which said it “mainly aims to harvest Microsoft 365 session cookies to bypass the MFA process during subsequent authentication”.
Sekoia noted last year that Tycoon 2FA had evolved to incorporate more advanced anti-detection features. This evolution has continued, according to Barracuda.
The group behind Tycoon 2FA has continued to enhance its evasive mechanisms, becoming even harder to detect.
The upgraded script is encrypted with a Caesar cypher instead of being served in plain text, according to a blog by Deerendra Prasad, an associate threat analyst in the Threat Analyst Team at Barracuda Networks. A Caesar cypher is a fixed-shift letter substitution with only 25 usable keys, so it hides the code from simple signature matching rather than from an analyst: the aim is evading automated scanners, not protecting the script.
In addition, the upgraded script identifies the victim’s browser type, likely for evasion or attack customisation, and includes Telegram links used to send exfiltrated data to the attackers.
It also has features that enable the attacker to further customise the bogus website, Prasad wrote.
“This script also contains intercommunication links such as Ajax requests, which enable parts of a web page to be updated independently of the rest of the page, and the script features AES encryption to disguise credentials before exfiltrating them to a remote server, making detection more difficult.”
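How an analyst gets past the Caesar layer in practice, as an added example that is not Barracuda's code and not material recovered from Tycoon 2FA: try all 26 shifts and keep the candidate that contains the most JavaScript tokens. The sample snippet, the shift of 13 and the token list are constructed for illustration; the real kit's alphabet and shift are not given in the article, and a script that also shifts digits or punctuation would need the rotation widened accordingly.

```python
import string

# JavaScript tokens a phishing-page script is likely to contain; hits rank the
# candidate shifts. Chosen for this example, not a list from Barracuda's analysis.
JS_TOKENS = ("function", "document", "window", "navigator", "var ", "return ", "fetch(")


def caesar_shift(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift` positions; digits, punctuation and
    whitespace are left untouched, so the script's structure survives."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def js_score(text: str) -> int:
    """Count occurrences of known JavaScript tokens in a candidate plaintext."""
    return sum(text.count(tok) for tok in JS_TOKENS)


def recover_script(obfuscated: str) -> tuple[int, str]:
    """Try every shift and return (shift, plaintext) for the candidate that
    looks most like JavaScript. With 25 usable keys this is instant, which is
    why a Caesar cypher is obfuscation rather than encryption."""
    candidates = [(js_score(caesar_shift(obfuscated, -s)), s) for s in range(26)]
    best_score, best_shift = max(candidates)
    return best_shift, caesar_shift(obfuscated, -best_shift)


# Constructed sample: a small credential-stealing snippet of the kind the article
# describes (browser fingerprint, form hook, exfil request), rotated by 13.
# Illustrative only; not code taken from any real phishing kit.
PLAIN_SNIPPET = (
    'var ua = navigator.userAgent; '
    'function send(u, p) { fetch("/submit", {method: "POST", body: u + ":" + p}); } '
    'document.forms[0].onsubmit = send;'
)
OBFUSCATED_SNIPPET = caesar_shift(PLAIN_SNIPPET, 13)

if __name__ == "__main__":
    shift, recovered = recover_script(OBFUSCATED_SNIPPET)
    print(f"shift={shift}")
    print(recovered)
```

Once the script is readable, the exfiltration endpoints, the Telegram links and the AES routine the blog mentions can be pulled out with ordinary string searching; the AES key and IV have to be present in the same client-side script for it to encrypt anything, so that layer is equally recoverable.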
Tycoon 2FA accounted for 89% of the PhaaS detected by Barracuda Networks in January and February, but other players were also in evidence.
Accounting for 8% of observed attacks, EvilProxy simplifies attacks on Microsoft 365 and other cloud-based platforms. It uses randomly generated URLs to make detection more difficult, and focuses on ease of use.
“EvilProxy is a particularly dangerous PhaaS because it requires minimal technical expertise, making sophisticated phishing attacks accessible to a wider range of cybercriminals,” Prasad wrote.
A third service, Sneaky 2FA, was used in 3% of PhaaS attacks at the start of the year. The toolkit, which again targets Microsoft 365 accounts, can bypass two-factor authentication, and has features enabling it to better target potential victims.
Telltale signs of phishing attacks orchestrated via these tools include a “.ru” domain, unusual MFA prompts, and malformed URLs or addresses containing a 150-character alphanumeric string followed by /verify, /index or /validate.
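The URL indicators from the paragraph above turned into a triage check over proxy-log lines, as an added example that is not Barracuda's code. The log lines and hostnames are constructed placeholders, not real campaign infrastructure; the article's "150" is treated here as 150 or more characters (an assumption) so that slightly longer tokens are not missed.

```python
import re
from urllib.parse import urlparse

# Path indicator from the article: a long alphanumeric token followed by
# /verify, /index or /validate. "150" is read as 150-or-more (assumption).
LONG_TOKEN_PATH = re.compile(r"[A-Za-z0-9]{150,}/(?:verify|index|validate)(?=$|[/?#.])")


def phaas_indicators(url: str) -> list[str]:
    """Return the names of the article's URL indicators that `url` triggers."""
    hits = []
    host = (urlparse(url).hostname or "").lower()
    if host.endswith(".ru"):
        hits.append("ru-tld")
    if LONG_TOKEN_PATH.search(url):
        hits.append("long-token-path")
    return hits


URL_RE = re.compile(r"https?://\S+")


def scan_log(lines):
    """Pull URLs out of free-form log lines and return (line_number, url, hits)
    for every line that triggers at least one indicator."""
    flagged = []
    for n, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            hits = phaas_indicators(url)
            if hits:
                flagged.append((n, url, hits))
    return flagged


# Constructed sample proxy log; hostnames are placeholders chosen for this example.
_TOKEN = "a1B2" * 38  # 152 alphanumeric characters
SAMPLE_LOG = [
    "2025-02-03T09:12:44Z user=alice GET https://login.microsoftonline.com/common/oauth2/authorize",
    "2025-02-03T09:13:01Z user=alice GET https://mail-secure.example.ru/login",
    f"2025-02-03T09:13:05Z user=bob GET https://cdn-auth.example/{_TOKEN}/verify",
    f"2025-02-03T09:14:10Z user=carol GET https://docs.example/{'x' * 60}/index",
]

if __name__ == "__main__":
    for n, url, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {hits} {url}")
```

Treat a hit as a reason to look, not a reason to block: plenty of legitimate sites sit under .ru, and a long opaque token in a path is not unusual on its own. The signal is strongest when it coincides with the article's other indicator, an MFA prompt the user did not expect, or with a successful sign-in from a new IP shortly after the click.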