Phishing protection is more critical than ever as phishing attacks become easier to launch. The rise of Phishing-as-a-Service (PhaaS) has made sophisticated phishing kits available to anyone, with no technical skills required. In 2025, PhaaS platforms have become even more advanced, enabling attackers to launch large-scale, highly effective phishing campaigns. Without strong phishing protection in place, SMBs are increasingly vulnerable to these evolving threats.
Check out five real examples showing how serious, and simple, this threat has become.
1. Robin Banks: Targeting Financial Institutions Globally
Robin Banks is a PhaaS platform that provides ready-made phishing kits targeting major financial institutions worldwide. Here, cybercriminals are segmenting the market and targeting a specific sector.
Robin Banks has been linked to a significant increase in phishing incidents in the financial sector, offering user-friendly interfaces that make it accessible to individuals with minimal technical knowledge. The platform's kits often include features like reCAPTCHA and user-agent string checking to enhance their effectiveness.
2. Tycoon 2FA: Dominating Early 2025 Phishing Campaigns
Tycoon 2FA emerged as a leading PhaaS platform in early 2025, responsible for 89% of detected phishing incidents during the first two months of the year. It specializes in harvesting Microsoft 365 session cookies to bypass multi-factor authentication (MFA), employing advanced evasion techniques like AES encryption and browser fingerprinting to avoid detection.
3. EvilProxy: Facilitating MFA Bypass Through Reverse Proxy
EvilProxy is a PhaaS platform that enables attackers to conduct adversary-in-the-middle (AiTM) attacks, allowing them to intercept credentials and session cookies even when MFA is enabled. It uses reverse proxy configurations to mimic legitimate login pages, making it challenging for users to distinguish between real and fake sites.
4. Sneaky 2FA: Targeting Microsoft 365 Users with AiTM Attacks
Sneaky 2FA is a newer entrant in the PhaaS landscape, accounting for 3% of attacks in early 2025. It targets Microsoft 365 users by pre-filling phishing forms with victims' email addresses and employing AiTM techniques to bypass MFA. The platform also uses Telegram for data exfiltration and employs redirection tactics to avoid detection by security tools.
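Tycoon 2FA, EvilProxy and Sneaky 2FA all get past MFA the same way: the session cookie issued after a successful login is captured and then used from a different machine. The sketch below is an added example, not code from any of the platforms or vendors named here. It shows one way a defender can look for that reuse in sign-in telemetry, and the event schema, sample rows and function name are constructed for illustration.

```python
# Constructed sample data in a hypothetical schema (not a real Microsoft 365
# log format): one row per request that presented a session cookie.
# Fields: timestamp, user, session id, source IP, user agent.
EVENTS = [
    ("2025-02-10T09:00:05", "alice@example.com", "s-111", "203.0.113.10", "Chrome/Windows"),
    ("2025-02-10T09:01:40", "bob@example.com", "s-222", "203.0.113.25", "Safari/iOS"),
    ("2025-02-10T09:07:12", "alice@example.com", "s-111", "198.51.100.77", "Firefox/Linux"),
    ("2025-02-10T09:30:00", "bob@example.com", "s-222", "192.0.2.44", "Safari/iOS"),
    ("2025-02-10T10:15:00", "carol@example.com", "s-333", "203.0.113.31", "Edge/Windows"),
    ("2025-02-10T10:20:00", "carol@example.com", "s-333", "203.0.113.31", "Edge/Windows"),
]


def find_replayed_sessions(events):
    """Return (user, session, origin_ip, new_ip) for sessions reused by a new client.

    Heuristic (an assumption of this example): a cookie seen from a different
    IP address AND a different user agent than the client it was first seen on
    has likely been copied to another machine. An IP change alone is
    tolerated, since phones and laptops roam between networks.
    """
    origin = {}      # session id -> (ip, user agent) at first sighting
    flagged = set()  # report each session only once
    findings = []
    for ts, user, session, ip, ua in sorted(events):  # ISO timestamps sort in time order
        if session not in origin:
            origin[session] = (ip, ua)
            continue
        ip0, ua0 = origin[session]
        if ip != ip0 and ua != ua0 and session not in flagged:
            flagged.add(session)
            findings.append((user, session, ip0, ip))
    return findings


if __name__ == "__main__":
    for user, session, ip0, ip in find_replayed_sessions(EVENTS):
        print(f"ALERT {user}: session {session} first seen at {ip0}, reused from {ip}")
```

A hit is a reason to revoke the user's active sessions and reset credentials, since a password change alone does not invalidate a cookie that has already been issued.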
5. Darcula: Exploiting Mobile Messaging Platforms
Darcula is a Chinese-language PhaaS platform used in phishing attacks in more than 100 countries. It leverages iMessage and Rich Communication Services (RCS) to deliver phishing messages targeting Android and iPhone users. Darcula offers over 20,000 counterfeit domains and 200 templates to impersonate various brands and services.
These examples highlight how phishing tools are becoming more sophisticated and accessible, posing serious threats to SMBs.
PhaaS makes advanced tactics available to low-level attackers, offering built-in evasion techniques, real-time phishing pages, and MFA bypass tools. Phishing attacks launched from PhaaS platforms are just as dangerous as, and often more dangerous than, those launched by skilled, individual attackers.
With easy access and powerful automation, SMBs now face a steady stream of polished, credible threats, not just basic scams. Traditional defenses aren’t enough; organizations must treat every email as a potential threat and invest in AI-powered email security and security awareness training to stay protected.
Ready to strengthen your defenses? Discover the powerful protection and rapid remediation TitanHQ offers for Microsoft 365, and stay ahead of today’s most sophisticated phishing threats. Get a free demo and see it in action.
