Phishing-as-a-service kits doubled in 2025 as tactics evolve

In 2025, the number of known phishing-as-a-service (PhaaS) kits doubled, increasing the pressure on security teams trying to defend against this constantly evolving threat.
A new report from Barracuda shows new players such as Whisper 2FA and GhostFrame introduced inventive and evasive tools and tactics, including a suite of techniques to prevent analysis of their malicious code, while established groups such as Mamba and Tycoon also continued to evolve and thrive.
The most prevalent tools and techniques used by phishing kits in 2025 were: multifactor authentication bypass, seen in 48 percent of attacks; URL obfuscation techniques, also seen in 48 percent; the abuse of CAPTCHA for evasion, which featured in 43 percent of all attacks; polymorphic techniques and the use of malicious QR codes, each seen in around 20 percent of attacks.
In addition, malicious attachments were used in 18 percent of all attacks, the abuse of trusted online platforms was seen in 10 percent, and the use of generative AI tools such as zero-code development sites also featured in 10 percent.
Although the tactics are changing, the main themes used to lure victims in phishing emails are remarkably similar to those of previous years; what has changed is the polish of the lures, thanks to generative AI and other tools.
In 2025, one in five (19 percent) phishing emails related to payment and invoice scams. Digital signature and document review emails accounted for 18 percent of attacks, with HR-related documents featuring in 13 percent. Many exploited trusted brand names, mimicking websites and logos with increasing accuracy.
“Phishing kits shifted up another level in 2025 as they increased in number and sophistication, bringing advanced, full-service attack platforms to even less-skilled cybercriminals and enabling them to launch powerful attacks at scale,” says Ashok Sakthivel, director, software engineering at Barracuda. “The kits feature techniques designed to make it harder for users and security teams to detect and prevent fraud. To stay protected, organizations need to move past static defenses and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and to ensure email security sits at the heart of an integrated, end-to-end security strategy.”
You can read more on the Barracuda blog.
Image credit: thodonal/depositphotos.com
