March 17, 2025
Phishing-as-a-Service: The Cybercrime Subscription That Comes with a Help Desk
Phishing-as-a-service (PhaaS) has become a major driver of cybercrime, lowering the barrier for attackers by providing ready-made phishing tools and services. Even cybercriminals with little technical skill can now launch sophisticated attacks with ease. The threat is escalating rapidly: phishing messages surged by 202% in the second half of 2024, with credential phishing alone increasing by 703%.
Much like legitimate software-as-a-service (SaaS) platforms, PhaaS providers offer cybercriminals a complete toolkit, including pre-built phishing kits, user support, attack dashboards, and even credential storage – all available via subscription.
In the latest episode of Cyber Insiders, Adarma’s Threat Intelligence Specialist, Alison Frost, takes a deep dive into the rise of PhaaS, why it’s becoming more prevalent, and how organisations can defend themselves.
Listen to the full episode for deeper insights and practical strategies to combat this growing threat.
How PhaaS Works
Alison explains that PhaaS platforms are accessible via Telegram, dark web forums, and underground marketplaces. They provide cybercriminals with all the tools needed to execute phishing campaigns quickly and efficiently. These platforms offer a range of services, including:
- Pre-built phishing kits: Templates that mimic legitimate login pages, including password reset forms, credit card entry fields, and even fake multi-factor authentication (MFA) prompts.
- Customer support: Just like a legal SaaS provider, these platforms offer user guidance, helping criminals navigate technical issues.
- Attack dashboards: Interfaces that allow attackers to monitor the success of their phishing campaigns in real-time.
- Credential storage: Stolen login details can be stored securely on the platform or sold to other criminals.
- Anti-detection features: Many phishing kits come with built-in evasion techniques to bypass email security filters.
These services are surprisingly affordable, with some subscriptions costing as little as $200 for two weeks or $350 for a full month, an investment that can generate a high return for attackers.
The Groups Behind PhaaS
Several well-known PhaaS groups have been active in recent years, each offering unique capabilities. Some of the major players include:
- DadSec: A widely used PhaaS platform that has been central to numerous phishing campaigns, particularly those leveraging QR code phishing, a method designed to bypass traditional email security filters by embedding malicious QR codes in attachments.
- ONNX (formerly Caffeine): Specialises in targeting Microsoft 365 accounts, with a particular focus on employees in the financial sector. ONNX is known for distributing phishing attacks via PDF attachments containing QR codes, making detection more challenging.
- Dracula Suites: Originally built for smishing (SMS-based phishing), Dracula Suites has evolved with the release of Dracula v3, incorporating credit card cloning tools, enhanced dashboards for tracking attack success, and new adversary-in-the-middle (AiTM) phishing capabilities.
- Rockstar 2FA: An advanced evolution of the DadSec/Phoenix phishing kit, this tool is designed to bypass MFA by intercepting and stealing valid session cookies, allowing attackers to hijack user accounts without requiring passwords.
- Tycoon 2FA: A prominent name in MFA bypass services, Tycoon 2FA is primarily used to steal session cookies from Microsoft 365 and Gmail accounts, effectively nullifying the security advantages of two-factor authentication.
- Sneaky 2FA: One of the newer but fast-growing AiTM phishing kits, Sneaky 2FA is designed to compromise Microsoft 365 accounts, making it a significant concern for enterprises relying on cloud-based email services.
Who is Being Targeted?
Phishing attacks impact a wide range of industries, but certain sectors are particularly vulnerable due to the sensitive data they handle, including:
- Financial services: Banks and payment processors are prime targets for phishing campaigns designed to steal credentials and authorise fraudulent transactions.
- Government agencies: Attackers frequently target government entities to gain access to confidential information and disrupt operations.
- Telecommunications: Mobile carriers and internet service providers are increasingly under attack, with cybercriminals exploiting them to intercept messages and compromise accounts.
- Utilities: Energy providers and water suppliers are targeted due to their role in critical national infrastructure.
- Aviation: Airlines and airports have become key targets for phishing campaigns that exploit their reliance on digital systems.
How Can Organisations Defend Themselves?
With phishing techniques constantly evolving, organisations across all industries must remain vigilant. Phishing awareness training is a staple in corporate cybersecurity, but Alison stresses that traditional training methods are not enough. To keep up with evolving threats, organisations need to adopt a multi-layered defence approach. Some key recommendations include:
- Regularly update phishing awareness training: Employees should be informed about the latest tactics used by cybercriminals, including new delivery methods such as QR code phishing and Microsoft Teams-based attacks.
- Strengthen MFA policies: While MFA is a strong security measure, attackers are increasingly using AiTM techniques to bypass it. Organisations should implement phishing-resistant MFA solutions where possible.
- Monitor for credential leaks: Cybercriminals often store stolen credentials on PhaaS platforms. Proactive monitoring for compromised credentials can help prevent account takeovers.
- Enhance email security: Advanced email filtering solutions can help detect phishing attempts before they reach employees.
- Encourage incident reporting: Organisations should establish clear processes for employees to report suspected phishing attempts and ensure there is a dedicated team to respond to threats.
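As an added illustration (not from the podcast and not Adarma's tooling) of a detection to pair with the MFA recommendation above: kits that steal session cookies leave a session that is later used from a different network and client than the one that signed in. The event fields, sample records and the `find_session_replay` function are assumptions made for this example.

```python
# Constructed sample events, not real telemetry. Field names are assumptions
# for illustration and do not match any specific vendor's log schema.
# "signin" = interactive login that completed MFA; "activity" = a later
# request that presented the same session cookie or token.
EVENTS = [
    {"ts": 100, "type": "signin", "user": "a.khan", "session": "s-01",
     "ip": "198.51.100.7", "asn": 64500, "ua": "Edge/122 Windows"},
    {"ts": 160, "type": "activity", "user": "a.khan", "session": "s-01",
     "ip": "198.51.100.7", "asn": 64500, "ua": "Edge/122 Windows"},
    # Same session, new network AND new client: the replay pattern.
    {"ts": 220, "type": "activity", "user": "a.khan", "session": "s-01",
     "ip": "203.0.113.50", "asn": 64511, "ua": "python-requests/2.31"},
    {"ts": 300, "type": "signin", "user": "j.osei", "session": "s-02",
     "ip": "192.0.2.10", "asn": 64501, "ua": "Chrome/123 macOS"},
    # Same ISP and browser, different IP: ordinary roaming, must not alert.
    {"ts": 900, "type": "activity", "user": "j.osei", "session": "s-02",
     "ip": "192.0.2.99", "asn": 64501, "ua": "Chrome/123 macOS"},
    # Network operator changed but the client did not: lower confidence.
    {"ts": 1000, "type": "activity", "user": "j.osei", "session": "s-02",
     "ip": "198.51.100.200", "asn": 64502, "ua": "Chrome/123 macOS"},
]


def find_session_replay(events):
    """Flag sessions later used from a context unlike the one that signed in."""
    issued, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "signin":
            issued[ev["session"]] = ev  # remember where the session was issued
            continue
        origin = issued.get(ev["session"])
        if origin is None:
            severity = "review"  # no sign-in on record: log gap or foreign token
        elif ev["asn"] != origin["asn"] and ev["ua"] != origin["ua"]:
            severity = "high"    # new network and new client at once
        elif ev["asn"] != origin["asn"]:
            severity = "medium"  # network moved only: VPN or travel, worth a look
        else:
            continue             # same network operator: treat as roaming
        alerts.append({"user": ev["user"], "session": ev["session"],
                       "ip": ev["ip"], "ts": ev["ts"], "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(EVENTS):
        print(alert)
```

In an AiTM attack the sign-in itself can arrive from the proxy's address, so this check complements sign-in risk evaluation rather than replacing it.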
Law Enforcement Efforts and the Future of PhaaS
Between April 14 and 17, 2024, law enforcement agencies from 19 countries, coordinated by Europol, successfully dismantled the LabHost phishing-as-a-service platform. The year-long investigation involved searches across 70 locations worldwide, leading to the arrest of 37 individuals, including four in the UK. Among those apprehended was the platform’s original developer.
On January 29, 2025, the FBI and Dutch National Police targeted a Pakistan-based cybercrime group known as Saim Raza or HeartSender, shutting down 39 domains linked to its phishing operations.
In a separate operation between January 28 and 30, 2025, German authorities, in collaboration with Europol and the FBI, dismantled two major cybercrime forums, Cracked and Nulled. These platforms, which had collectively amassed over 10 million users, served as hubs for trading stolen credentials, hacking tools, and other illicit services.
How Adarma Can Help
Adarma provides customised cybersecurity solutions to assist businesses in achieving future-ready cyber resilience. We protect organisations in the FTSE 350, including those in CNI and other regulated sectors. We offer effective threat detection and incident response, acting as an extension of your team to enhance your security posture and optimise your security investments for maximum risk reduction.
Our approach enables organisations to decrease cyber risks by implementing effective threat intelligence, exposure management, and detection and response capabilities. We offer tailored threat intelligence, technological solutions, and strategic consultations catering to our customers’ specific security requirements and business goals. Our expertise guarantees a balanced approach between security and operational efficiency, safeguarding our customers’ most crucial infrastructure and data.
Let’s Talk
If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at hello@adarma.com.