Phishing as a service, or PhaaS, is a cybercrime model where phishing tools and infrastructure are sold or rented to other attackers, allowing them to run campaigns without building anything themselves. Instead of creating fake login pages or delivery systems from scratch, buyers use ready-made kits and hosted services to steal information with minimal effort. The National Institute of Standards and Technology describes phishing as “convincing messages that trick people into opening harmful links, downloading malware, or submitting credentials,” while Microsoft says PhaaS platforms provide attackers with prebuilt lures, infrastructure, support, and adversary in the middle tools to carry out credential theft at scale.
Understanding phishing-as-a-service
PhaaS turns phishing into an organized business model where one group builds and maintains the tools while others use them to run attacks. Operators manage the infrastructure, updates, and templates, and sometimes even provide support, while downstream criminals launch campaigns using the platform. Microsoft reported that Tycoon2FA gives attackers a “suite of capabilities, support, and ready-made lures and infrastructure,” including adversary in the middle phishing that can bypass multi-factor authentication. The Hacker News noted that services like Lucid and Lighthouse charge subscription fees for phishing kits with prebuilt templates impersonating hundreds of brands. Microsoft also said Tycoon2FA “allowed criminals with limited expertise to run sophisticated impersonation campaigns,” while Hacker News noted that modern PhaaS kits make phishing easier to carry out without deep technical knowledge. The model separates development, hosting, and delivery, allowing phishing campaigns to scale more efficiently.
The impact of phishing-as-a-service
PhaaS has driven both the volume and consistency of phishing attacks, with the Federal Bureau of Investigation reporting that phishing and spoofing were the top cybercrimes by complaint volume in 2024. Proofpoint’s 2024 State of the Phish report found that 71% of organizations experienced at least one successful phishing attack in 2023, while reports of direct financial penalties tied to phishing rose 144% and reputational damage increased by 50%. The broader impact goes beyond stolen credentials, as Microsoft stated in its March 2026 analysis of Tycoon2FA that attacks linked to the platform “had delayed paychecks, rerouted invoices, stolen sensitive data, locked up networks, and interrupted patient care.” The same report connected these campaigns to follow on threats such as ransomware, business email compromise, and financial fraud, showing how PhaaS often serves as an initial access point rather than the end goal.
How phishing-as-a-service works
Most PhaaS operations follow a structured model. Developers build phishing kits that imitate real login pages and capture credentials or session tokens, then distribute them through criminal marketplaces with setup guides, support, and subscription-style pricing similar to legitimate software. Attackers subscribe, customize the lure, and launch campaigns using built-in infrastructure or external delivery services. Microsoft said Tycoon2FA “was designed, supported, and advertised by a dedicated operator” and operated alongside services for mass email delivery, hosting, malware distribution, and access monetisation. Netcraft reported in its 2025 research on Lucid and Lighthouse that more than 17,500 phishing domains were linked to the platforms, targeting 316 brands across 74 countries, and that Lighthouse offered subscription pricing from $88 per week to $1,588 per year, showing how some phishing operations now function like commercial products with ongoing updates and repeat customers.
Types of PhaaS platforms
Not every phishing-as-a-service platform works the same way. Some offer basic phishing kits that copy login pages to collect usernames and passwords, while others include adversary-in-the-middle (AiTM) capability, which lets attackers capture login details and session tokens in real time. Microsoft said Tycoon2FA included AiTM phishing designed to bypass multi-factor authentication, and the Canadian Centre for Cyber Security described phishing kits as “preassembled tools that let threat actors easily create fake websites and harvest user information.” There are also more specialized platforms focused on mobile fraud and regional scams. Lucid supported campaigns targeting toll operators, governments, postal services, and financial institutions, while Lighthouse was frequently updated and could steal two-factor authentication credentials using customizable templates. The shift shows that phishing-as-a-service now operates across multiple industries, languages, and attack methods, rather than relying on a single fake login page.
Why phishing-as-a-service is harder to stop
PhaaS makes phishing harder to stop because it combines scale, reuse, and specialization, allowing multiple attackers to use the same infrastructure, templates, and evasion methods. According to Microsoft, “Tycoon2FA was responsible for tens of millions of fraudulent emails reaching over 500,000 organizations each month worldwide,” and by mid 2025, “it accounted for about 62% of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month.” Reporting from GBHackers points in the same direction, stating that June 2025 was its largest month for PhaaS detections, with 13.5% of phishing hostnames linked to tracked PhaaS platforms. When a growing share of phishing activity comes from reusable service platforms instead of one-off kits, defenders face a more scalable and persistent threat model.
Recognizing PhaaS-driven phishing attempts
From a victim’s perspective, a PhaaS attack can look like a legitimate, well-crafted message. According to the National Institute of Standards and Technology, phishing emails are “designed to look like they come from a trusted source” and often pressure users into clicking links, downloading files, logging into accounts, transferring money, or sharing sensitive information, with AI making them more convincing. Warning signs rely more on context than appearance: urgency, unusual sender addresses, suspicious links or attachments, and unexpected requests for sensitive data. NIST advises verifying such requests through trusted contact details rather than replying directly. Reducing risk requires layered controls beyond awareness training. These include teaching employees how to identify and report phishing across email, texts, calls, and social media, and stronger protections in tools like Microsoft Office 365, such as Safe Links, zero-hour auto purge, and tighter security settings to detect and remove threats. Identity controls are also necessary. Microsoft’s reporting on Tycoon2FA shows that some platforms capture enough data in real time for attackers to act as legitimate users, which makes phishing-resistant multi-factor authentication, verification workflows, and monitoring for suspicious logins that much more important.
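As an added example (not from the article or from Paubox), the scorer below applies the context-based warning signs listed above to a raw email: a display name that invokes a trusted brand while the address lives elsewhere, urgency wording, a request for credentials, and link text that disagrees with its actual destination. The two sample messages and the allowlist of trusted domains are constructed for the example, not taken from any real campaign.

```python
import email
import re
from email import policy

# Constructed samples: a lure in the style the article describes, and a benign internal notice.
LURE = """From: "Microsoft 365 Support" <notices@m365-verify.example>
To: staff@hospital.example
Subject: Action required
Content-Type: text/html

<p>Your mailbox will be suspended within 24 hours. Please <a href="https://m365-verify.example/login">sign in at https://login.microsoftonline.com</a> to verify your password.</p>
"""
BENIGN = """From: IT Helpdesk <helpdesk@hospital.example>
Subject: Maintenance window
Content-Type: text/plain

The patient portal will be offline Saturday 02:00-04:00 for maintenance. No action is needed.
"""
TRUSTED = {"hospital.example", "microsoftonline.com", "microsoft.com"}  # assumed allowlist

URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify now)\b", re.I)
CRED_REQUEST = re.compile(r"\b(password|credentials|log ?in|sign ?in|reset)\b", re.I)
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _domain(value: str) -> str:
    """Host part of a mailbox or URL, lower-cased; '' when there is none."""
    m = re.search(r"@([\w.-]+)", value) or re.search(r"https?://([^/\s<>\"]+)", value)
    return m.group(1).lower() if m else ""

def _is_trusted(host: str, trusted: set) -> bool:
    return any(host == t or host.endswith("." + t) for t in trusted)

def score_message(raw: str, trusted: set) -> dict:
    """Collect the context-based warning signs found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = str(msg.get("From", ""))
    sender_domain = _domain(sender)
    display_name = sender.split("<")[0].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    signs = []
    # Unusual sender: the display name names a trusted brand, the address does not
    if not _is_trusted(sender_domain, trusted) and any(t.split(".")[0] in display_name for t in trusted):
        signs.append("sender domain does not match claimed brand")
    if URGENCY.search(text):
        signs.append("urgency language")
    if CRED_REQUEST.search(text):
        signs.append("request for credentials")
    for href, label in ANCHOR.findall(text):
        if not _is_trusted(_domain(href), trusted):
            signs.append("link to untrusted host " + _domain(href))
        if _domain(label) and _domain(label) != _domain(href):
            signs.append("link text and destination differ")
    return {"sender_domain": sender_domain, "signs": signs, "suspicious": len(signs) >= 2}
```

The score is a triage aid for reporting and filtering, not a verdict; a message with one sign still deserves the out-of-band verification NIST recommends.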
In the news
A phishing-as-a-service network known as RaccoonO365 has been disrupted after Microsoft seized 338 domains used to target healthcare providers and other organizations. According to Microsoft’s Digital Crimes Unit (DCU), the operation enabled attackers to steal Microsoft 365 credentials and was used to harvest at least 5,000 login details, including accounts linked to staff at more than 20 US healthcare organizations. The service operated as a subscription model, offering phishing kits that impersonated official Microsoft messages and directed victims to fake login pages where credentials were captured and later used for further attacks, such as malware delivery or ransomware. RaccoonO365 has been active since at least July 2024, with subscriptions costing under $12 per day and allowing users to send up to 9,000 phishing emails daily, alongside newer AI-enhanced features designed to improve targeting and bypass multi-factor authentication. Investigators linked the operation to Joshua Ogundipe in Benin City, Nigeria, who allegedly developed and sold the kits via Telegram, generating over $100,000 in revenue, with identification aided by a cryptocurrency wallet tracing error. The Health Information Sharing and Analysis Center (Health-ISAC) and Microsoft have filed a civil lawsuit in a New York federal court, citing violations of multiple US laws, while Microsoft’s Steven Masada said, “We are integrating blockchain analysis tools like Chainalysis Reactor into our investigations,” explaining how such tools help connect cryptocurrency activity to real-world identities.
Why email remains the primary vector and what can be done
PhaaS platforms continue to succeed because they exploit email, the most widely used communication channel in healthcare. Appointment reminders, patient follow-ups, internal alerts, and external communication all flow through inboxes, which makes it easier for attackers to blend in. Because email sits at the center of these workflows, credential theft is often the first step in a broader attack, allowing threat actors to expand access, move across connected systems, or introduce ransomware and data theft. According to Microsoft Threat Intelligence, most observed malicious activity in healthcare environments is linked to phishing campaigns delivered via email, and “email remains one of the largest vectors for delivering malware and phishing attacks.” As phishing kits become more widespread, inbound email security plays a larger part in defense strategies, with AI-driven tools identifying patterns linked to credential harvesting and blocking suspicious messages before staff engage with them. Solutions like Paubox Inbound AI use real-time analysis of content, sender behavior, and links to reduce exposure to phishing attempts, helping limit how often attackers can use email as their entry point.
FAQs
What is phishing-as-a-service?
Phishing-as-a-service is a criminal model in which ready-made phishing tools, templates, infrastructure, and support are sold or rented to other attackers so they can launch phishing campaigns more easily.
How is PhaaS different from ordinary phishing?
Ordinary phishing describes the attack itself. PhaaS describes the business model behind many of those attacks, where developers and operators provide phishing capability as a reusable service for other criminals.
Can PhaaS bypass MFA?
Some platforms can. Microsoft said Tycoon2FA included adversary-in-the-middle functionality designed to circumvent MFA protections by capturing credentials and authentication data in real time.
Why is PhaaS growing so quickly?
It lowers the skill barrier, offers reusable infrastructure, and allows criminals to subscribe to phishing capability instead of building it themselves. Netcraft and Microsoft both describe a more commercial, service-based phishing ecosystem that is getting easier to reuse at scale.
How can organizations reduce PhaaS risk?
Use layered defenses: user reporting, separate verification for sensitive requests, stronger email filtering, phishing-resistant MFA where possible, and monitoring for suspicious post-login activity. NIST and Microsoft both point to these kinds of controls as practical defenses.