There was a time when launching a phishing campaign required genuine technical skill. An attacker needed to register domains, build convincing web pages, configure mail servers, and evade spam filters — all while covering their tracks. That era is over. Welcome to the age of Phishing-as-a-Service (PhaaS), where launching a sophisticated phishing operation is as simple as subscribing to a platform and choosing a template.

TL;DR — Key Takeaways

  • Discover how Phishing-as-a-Service platforms are democratising cybercrime with subscription kits and analytics, and how your organisation can stay safe
  • Learn what exactly Phishing-as-a-Service is
  • Look inside a PhaaS operation, step by step

Visual Overview

flowchart LR
    A["Dark Web Marketplace"] --> B["PhaaS Kit Purchased"]
    B --> C["Customise Templates"]
    C --> D["Launch Campaign"]
    D --> E["Harvest Credentials"]
    E --> F["Sell or Exploit"]

PhaaS represents one of the most significant shifts in the cybercrime landscape in recent years. By packaging the tools, infrastructure, and expertise required for phishing into subscription-based platforms, criminal entrepreneurs have dramatically lowered the barrier to entry. The result is a surge in phishing volume and sophistication that affects organisations of every size — and understanding the anatomy of these attacks has never been more important.

What Exactly Is Phishing-as-a-Service?

Phishing-as-a-Service operates on the same business model as legitimate Software-as-a-Service (SaaS) platforms. Developers build and maintain the tools; customers pay a subscription fee to use them. The key difference, of course, is that the "service" is designed to steal credentials, deploy malware, and defraud victims.

A typical PhaaS platform provides its subscribers with a comprehensive toolkit:

  • Pre-built phishing templates: Pixel-perfect replicas of login pages for major services such as Microsoft 365, Google Workspace, banking portals, and social media platforms. These templates are regularly updated to match the latest design changes.
  • Email templates: Professionally written phishing emails in multiple languages, designed to bypass spam filters and exploit current events, seasonal themes, or common business scenarios.
  • Hosting infrastructure: Bulletproof hosting that resists takedown requests, automatic domain rotation, and SSL certificates that make phishing sites appear legitimate.
  • MFA bypass tools: Adversary-in-the-middle proxy servers that intercept authentication tokens in real time, defeating multi-factor authentication by capturing the session cookie after the victim completes their legitimate login.
  • Analytics dashboards: Real-time statistics showing how many emails were sent, opened, and clicked, along with the number of credentials harvested — eerily similar to the marketing dashboards used by legitimate businesses.
  • Customer support: Many PhaaS operators offer Telegram-based support channels, tutorials, and even money-back guarantees.

The Subscription Economy of Cybercrime

PhaaS subscriptions typically range from $50 to $500 per month, depending on the features included. Some platforms offer tiered pricing — a basic plan might include email templates and hosting, whilst premium plans add MFA bypass capabilities and dedicated support. A few even offer revenue-sharing models where the platform takes a percentage of the proceeds from successful attacks rather than charging an upfront fee.

The economics are staggering. A $200 monthly PhaaS subscription can yield tens of thousands of stolen credentials, each worth between $5 and $50 on dark web marketplaces — or far more if used to access corporate accounts for business email compromise.

Inside a PhaaS Operation

To understand the threat, it helps to walk through how a PhaaS-enabled attack unfolds from the attacker's perspective.

Step 1: Choose Your Target and Template

The attacker logs into their PhaaS dashboard and selects a phishing template. For a campaign targeting businesses, they might choose a Microsoft 365 login page. The template is pre-configured with realistic branding, error messages, and even loading animations that mirror the genuine login experience.

Step 2: Configure the Campaign

The platform automatically provisions a phishing domain — often a convincing lookalike such as "microsoft-security-update[.]com" — and deploys the phishing page with a valid SSL certificate. The attacker uploads or inputs their target email list, which may have been purchased from another dark web service or compiled through credential stuffing data from previous breaches.

Step 3: Launch and Monitor

With a single click, the campaign launches. The platform sends phishing emails through its distributed infrastructure, rotating sender addresses and domains to evade detection. The attacker monitors results through a real-time dashboard, watching as victims land on the phishing page, enter their credentials, and complete MFA challenges — all captured by the adversary-in-the-middle proxy.

Step 4: Harvest and Exploit

Stolen credentials and session tokens are delivered to the attacker's dashboard, ready for immediate use. Some platforms even automate the next steps — logging into the compromised accounts, exfiltrating emails, or launching business email compromise attacks from the hijacked mailboxes.

Major PhaaS Platforms and Their Impact

Several PhaaS platforms have gained notoriety for their scale and sophistication. Understanding them helps illustrate the maturity of this criminal ecosystem.

EvilProxy

One of the most prominent adversary-in-the-middle PhaaS platforms, EvilProxy specialises in bypassing MFA for services including Microsoft 365, Google, and Apple. Its reverse-proxy architecture sits between the victim and the legitimate login page, capturing session tokens in real time. Researchers have linked EvilProxy to campaigns targeting senior executives across hundreds of organisations.

Caffeine

Notable for its remarkably low barrier to entry, Caffeine allows anyone to create an account without even requiring an invitation or referral from existing users. Its open registration model means that aspiring cybercriminals can begin launching phishing campaigns within minutes of discovering the platform.

Greatness

Specifically targeting Microsoft 365 users, Greatness provides a complete phishing toolkit including pre-filled victim email addresses on phishing pages, MFA bypass through Telegram bot integration, and IP filtering to evade security researchers. Its $120 monthly subscription has made it one of the most widely deployed PhaaS kits.

Why Small Businesses Are Disproportionately Affected

The democratisation of phishing has particularly severe implications for small and medium-sized organisations. Before PhaaS, many SMBs were simply not worth the effort for attackers who had to invest significant time in each campaign. Now, with near-zero marginal cost per target, attackers can cast an extraordinarily wide net.

  • Limited security budgets: SMBs often lack enterprise-grade email security solutions, making them more vulnerable to PhaaS campaigns that are specifically designed to evade basic filters.
  • Smaller IT teams: Without dedicated security staff, suspicious emails may go uninvestigated and compromised accounts may remain undetected for longer periods.
  • Supply chain value: Attackers recognise that compromising a small business can provide a stepping stone into larger organisations through supply chain attack vectors.
  • Credential reuse: Employees at smaller organisations are more likely to reuse passwords across services, meaning a single stolen credential can unlock access to multiple systems.

Defending Against Commoditised Phishing

The industrialisation of phishing demands an equally systematic approach to defence. Here are the measures that matter most.

Deploy Phishing-Resistant Authentication

Standard MFA is no longer sufficient against PhaaS platforms that include adversary-in-the-middle capabilities. Organisations should migrate to phishing-resistant MFA methods such as FIDO2 security keys or passkeys. These methods bind the credential cryptographically to the legitimate domain: the browser records the origin it is actually talking to in the signed response, so an assertion produced while the victim is on a proxy's lookalike domain is rejected by the genuine service, which makes them immune to proxy-based interception.
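The origin binding described above, shown from the relying party's side as an added example (not code from the article or from any particular platform): before verifying the signature, the server checks that the browser-reported origin and the authenticator's RP ID hash name the genuine site. RP_ID, EXPECTED_ORIGIN and the constructed assertions are assumptions; signature verification is left out.

```python
import base64
import hashlib
import json

# Constructed example values, not from the article: the genuine relying party
# (RP ID) and the only origin from which it accepts passkey assertions.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_binding(client_data_b64: str, auth_data: bytes,
                   expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks that run before the signature is verified.

    The browser, not the page script, writes `origin` into clientDataJSON, and
    the authenticator hashes the RP ID into authenticatorData. An assertion
    produced while the user is on a lookalike proxy domain therefore names the
    lookalike in both places, and the genuine site rejects it.
    """
    cd = json.loads(unb64url(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if unb64url(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not auth_data[32] & 0x01:  # UP flag: user presence not confirmed
        return False, "user presence flag not set"
    return True, "origin and RP ID binding verified"


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> tuple[str, bytes]:
    """Constructed, unsigned assertion shaped like a browser's response from
    `origin`: clientDataJSON and authenticatorData (rpIdHash, flags, counter)."""
    cd = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    flags = bytes([0x05])  # UP | UV
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + (1).to_bytes(4, "big")
    return b64url(json.dumps(cd).encode()), auth_data
```

Feeding `make_assertion` a lookalike origin such as `https://login-example.com` produces the rejection a proxied login would get; the same structure with the genuine origin and RP ID passes.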

Implement Advanced Email Security

Move beyond basic spam filtering to AI-powered email security gateways that analyse behavioural patterns, sender reputation, and content anomalies. Ensure that DMARC, SPF, and DKIM are properly configured to prevent domain spoofing. Consider deploying browser isolation technology that renders email links in a sandboxed environment, preventing credential theft even if an employee clicks a phishing link.

Continuous Security Awareness Training

With phishing becoming more convincing, employee training must evolve accordingly. Regular phishing simulations that mimic real PhaaS campaigns help employees recognise current attack patterns. Training should emphasise that even legitimate-looking pages with valid SSL certificates can be fraudulent — the padlock icon does not guarantee safety.

Critically, training must move beyond "spot the dodgy email" exercises. Employees need to understand why they are being targeted, how modern phishing emails are designed to exploit psychological triggers, and what to do when they are unsure about a communication's legitimacy.

Monitor for Credential Exposure

Since PhaaS campaigns harvest credentials at massive scale, many stolen credentials end up on dark web marketplaces. Implementing dark web monitoring allows organisations to detect when employee credentials appear in breach databases or criminal forums, enabling rapid password resets before the credentials are exploited.

Establish Clear Reporting Procedures

Ensure every employee knows exactly how to report a suspected phishing email, and make the process as frictionless as possible. A well-designed reporting workflow with a single-click reporting button in the email client significantly increases reporting rates. Every reported phishing email is an intelligence opportunity — it reveals what campaigns are currently targeting your organisation and helps tune your defences.

The Bigger Picture: Cybercrime's Industrialisation

PhaaS is not an isolated phenomenon. It is part of a broader trend towards the industrialisation of cybercrime, where every component of an attack can be purchased as a service. Ransomware-as-a-Service, Malware-as-a-Service, and Initial-Access-as-a-Service all operate on similar subscription models. Together, they form a complete criminal supply chain where specialisation and division of labour mirror legitimate business ecosystems.

This industrialisation means that the volume and quality of attacks will continue to increase. Organisations cannot afford to treat phishing as a nuisance — it is a systematic, professional threat that demands equally professional defences.

When cybercrime operates like a business, your defence must operate like one too — with strategy, investment, continuous improvement, and above all, the recognition that the threat landscape changes every day.

The subscription economy of cybercrime is here to stay. But with the right combination of technology, training, and process, organisations can ensure that the return on investment for PhaaS attackers remains firmly negative. Start by auditing your current defences against the specific capabilities of modern PhaaS platforms, and build from there. Your cyber insurance application will thank you — and so will your employees.