Phishing-as-a-Service Explosion: Why Your MFA Strategy Is Now Obsolete

March 26, 2025
optrics

The Alarming Rise of Phishing-as-a-Service: What IT Leaders Need to Know

Recent research from Barracuda reveals a disturbing trend in the cybersecurity landscape: phishing-as-a-service (PhaaS) platforms launched over 1 million attacks in just the first two months of 2025. This commercialization of cybercrime has democratized sophisticated phishing capabilities, putting organizations of all sizes at risk.

Why PhaaS Should Be on Your Radar 🚨

The PhaaS model has transformed phishing from a specialized criminal activity into a turnkey service accessible to virtually anyone. Three platforms currently dominate this underground economy:

  1. Tycoon 2FA: Responsible for 89% of detected PhaaS attacks, using encrypted scripts and Telegram for data exfiltration
  2. EvilProxy: Accounting for 8% of attacks, specializing in cloud platform compromises
  3. Sneaky 2FA: A newcomer targeting Microsoft 365 accounts with sophisticated MFA bypass techniques

What makes this trend particularly concerning is the dramatic increase in both volume and sophistication. Phishing attacks increased 198% in the second half of 2023, and the release of generative AI tools has fueled a staggering 1,265% increase in phishing emails since late 2022.

Multi-Factor Authentication Is No Longer Enough

Perhaps most alarming is how these PhaaS platforms are specifically designed to circumvent traditional security measures. All three major platforms explicitly target multi-factor authentication:

  • They utilize adversary-in-the-middle techniques that capture authentication tokens
  • They employ browser identification to customize attacks
  • They check that a visitor is a real target (rather than a scanner or sandbox) before serving the phishing page, which helps them evade detection systems
  • Some even exploit Microsoft 365's "autograb" functionality

In this evolving threat landscape, traditional security approaches alone cannot provide adequate protection.

Building a Multi-Layered Defense with Security Awareness Training

While technical controls remain essential, KnowBe4's Security Awareness Training offers a critical additional layer of protection against these advanced threats. Their comprehensive solution helps organizations:

  • Create a human firewall: Through interactive training modules that address the latest PhaaS tactics
  • Simulate real-world attacks: With phishing simulations that replicate EvilProxy, Tycoon 2FA, and other PhaaS platforms
  • Track improvement: Using metrics that demonstrate reduced susceptibility to attacks over time
  • Address multi-channel threats: Training that covers phishing across email, Microsoft Teams, Slack, SMS, and QR codes

The impact is measurable—organizations implementing KnowBe4's Security Awareness Training report up to 60% reduction in phishing susceptibility within 12 months, and 84% of US organizations confirm reduced employee vulnerability to phishing attacks.

Protecting Your Organization in the PhaaS Era

As PhaaS platforms continue to evolve, organizations need comprehensive defense strategies that combine technical controls with human-centered approaches:

  1. Implement phishing-resistant authentication methods
  2. Deploy email security tools that can detect sophisticated redirect links and QR code phishing
  3. Apply conditional access policies to limit MFA devices per user
  4. Update help-desk policies to prevent social engineering of MFA
  5. Invest in ongoing security awareness training with KnowBe4
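As an added illustration of step 1 and of the adversary-in-the-middle bullet above (example code written for this post, not from Optrics, KnowBe4 or Barracuda): a simplified model of the relying-party checks that make a WebAuthn/FIDO2 assertion useless when relayed through a proxy on another origin, next to a one-time code that carries no origin. The origins, the HMAC standing in for the authenticator's signature, and all function names are assumptions.

```python
"""Origin-bound (WebAuthn/FIDO2) assertions survive an adversary-in-the-middle proxy;
relayed MFA codes do not. Simplified: an HMAC stands in for the authenticator's signature."""
import hashlib, hmac, json, secrets

RP_ORIGIN = "https://login.example.com"      # constructed relying party (assumption)
RP_ID = "login.example.com"

class Authenticator:
    """Holds a per-RP key; signs rp_id_hash || sha256(clientDataJSON)."""
    def __init__(self):
        self.key = secrets.token_bytes(32)     # stands in for a private key
    def sign(self, rp_id_hash, client_data):
        msg = rp_id_hash + hashlib.sha256(client_data).digest()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

def browser_get_assertion(auth, page_origin, rp_id, challenge):
    """The browser, not the page, records the origin it is really on."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return client_data, rp_id_hash, auth.sign(rp_id_hash, client_data)

def rp_verify(auth, expected_challenge, client_data, rp_id_hash, sig):
    """Relying-party checks from the WebAuthn spec, reduced to the essentials."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":                         return "bad type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:                            return "origin mismatch"
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():    return "rp id mismatch"
    expected = auth.sign(rp_id_hash, client_data)   # verifier recomputes (HMAC model)
    if not hmac.compare_digest(expected, sig):                   return "bad signature"
    return "ok"

def login(auth, page_origin):
    challenge = secrets.token_urlsafe(32)             # issued by the real RP
    # An AiTM proxy can forward the real challenge to the victim's browser, but the
    # browser writes the proxy's origin into clientDataJSON and that gets signed.
    cd, rh, sig = browser_get_assertion(auth, page_origin, RP_ID, challenge)
    return rp_verify(auth, challenge, cd, rh, sig)

def relayed_otp_login(code_typed_on_phish_page, code_expected):
    """Contrast: a one-time code carries no origin, so a relayed code is accepted."""
    return "ok" if hmac.compare_digest(code_typed_on_phish_page, code_expected) else "bad code"

if __name__ == "__main__":
    a = Authenticator()
    print(login(a, RP_ORIGIN))                            # ok
    print(login(a, "https://login-example.evil.test"))    # origin mismatch (constructed)
    print(relayed_otp_login("482913", "482913"))          # ok: this is the gap AiTM kits use
```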

With the average cost of a phishing breach now reaching $4.88 million, can your organization afford to overlook the human element of cybersecurity? Book a demo of KnowBe4's Security Awareness Training today to see how you can transform your employees from your greatest vulnerability into your strongest defense against the rising PhaaS threat.

Optrics is an engineering firm with certified IT staff specializing in network-specific software and hardware solutions.

Contact Information

6810 - 104 Street NW
Edmonton, AB, T6H 2L6
Canada
Google Plus Code GG32+VP
Direct Dial: 780.430.6240
Toll Free: 877.430.6240
Fax: 780.432.5630
Copyright 2025 © Optrics Inc. all rights reserved.