- Phishing-as-a-Service (PhaaS) is skyrocketing, making sophisticated phishing attacks accessible to all cybercriminals. Learn how this "subscription model" for cybercrime fuels a dramatic rise in threats.
- Combat PhaaS with a robust email security strategy, including layered defenses and a secure email gateway. Discover essential protocols to protect your organization from increasingly advanced phishing campaigns.
- Trustwave MailMarshal offers advanced email security, employing AI-driven PhishFilter and URLDeep technologies to detect and block over 99.99% of email-based threats, including elusive PhaaS attacks.
The cybersecurity threat landscape is constantly evolving, and Trustwave SpiderLabs has noted one of the fastest-growing threats is Phishing-as-a-Service (PhaaS). PhaaS platforms have become the go-to tool for cybercriminals to launch sophisticated phishing campaigns targeting the general public and businesses.
Much like legitimate software-as-a-service platforms, PhaaS offers cybercriminals subscription-based access to powerful phishing tools—without requiring advanced technical skills. As these platforms grow more sophisticated and accessible, they're fueling a dramatic rise in phishing attacks worldwide.
The positive news is that standard email security protocols, along with a layered defensive approach that includes a secure email gateway, can help protect your organization.
What Is Phishing-as-a-Service and How Does It Work?
Phishing-as-a-Service (PhaaS) is a business model that allows cybercriminals to purchase or rent ready-made phishing kits and infrastructure. Instead of creating fake login pages, email templates, or delivery systems from scratch, attackers can subscribe to PhaaS platforms that provide everything they need to launch a phishing campaign—quickly and at scale.
Most PhaaS services include:
- Clone websites of major brands like Microsoft, Google, or financial institutions
- Pre-written email or SMS templates designed to lure victims
- Mass-emailing tools to distribute phishing messages
- Real-time dashboards to track stolen credentials or data
- Customer support (yes, even criminals have help desks) to guide users on setup or troubleshooting
With just a few clicks, even low-skilled hackers can launch convincing phishing attacks designed to steal usernames, passwords, financial data, or company secrets.
Who's Using PhaaS and Why?
PhaaS is attractive to a wide range of cybercriminals—from lone scammers to organized cybercrime groups. Low-level attackers see it as an easy and affordable way to enter the cybercrime world. More advanced threat actors, including ransomware gangs, use phishing as an initial entry point into corporate networks.
The real appeal of PhaaS lies in its accessibility and cost-effectiveness. Users don't need to write code, bypass security systems, or manage complex infrastructures. Instead, they pay a fee—often as little as a few hundred dollars—to access a phishing toolkit that does most of the heavy lifting.
And because phishing attacks continue to be surprisingly effective, PhaaS is also highly profitable. Stolen credentials can be sold on the dark web, used to commit fraud, or leveraged in follow-up attacks like ransomware deployments.
For more on why PhaaS has become so appealing, SpiderLabs recently published a deeper dive in their blog: Why Do Criminals Love Phishing-as-a-Service Platforms?
Why Is PhaaS Growing—And How Do We Stop It?
The rise of PhaaS can be attributed to three major factors:
- It's easy and cheap: Many phishing kits are sold on underground forums at low prices. These kits are regularly updated to evade detection and come with detailed instructions, as well as customer support.
- It scales effortlessly: PhaaS platforms enable malicious users to target thousands of victims simultaneously, often with minimal effort.
- It delivers results: With credential theft, account takeovers, and financial fraud still common outcomes, phishing continues to be a reliable attack vector for cybercriminals.
Stopping PhaaS isn't simple—but it's also not impossible. The first line of defense is user education. Organizations should invest in regular security awareness training to help employees recognize phishing emails and suspicious links.
Next, companies must implement stronger authentication protocols. Multi-factor authentication (MFA), for example, can prevent unauthorized access even if a password is stolen.
Finally, organizations should use advanced email and threat detection tools that can identify and block phishing attempts before they reach end users.
A Look at Current Trends: Tycoon2FA and More
While precise statistics on PhaaS are hard to come by, recent threat intelligence points to a surge in activity around specific platforms. One of the most prominent is Tycoon2FA, a PhaaS platform that uses sophisticated evasion tactics to bypass two-factor authentication (2FA).
Our team has covered this platform in detail in recent blogs:
Other emerging PhaaS platforms include:
- Rockstar 2FA – Known for its widespread email campaigns
- Greatness – A phishing kit with a sleek interface and wide adoption
As PhaaS continues to evolve, the cybersecurity community must stay one step ahead with proactive defenses, better training, and real-time threat intelligence.
How Trustwave MailMarshal Protects Clients from Phishing Attacks
Trustwave MailMarshal is a layered defense solution capable of detecting in excess of 99.99% of all email-based threats. The security solution uses tools such as PhishFilter and URLDeep to maintain the safest possible email environment for our clients.
PhishFilter is a proprietary filter developed and maintained by SpiderLabs Research that adds an additional layer of defense against phishing messages.
URLDeep is a phishing URL classifier and is one of the tools used by PhishFilter to identify suspect URLs within emails. URLDeep is based on Deep Learning techniques and is trained on a huge corpus of previously discovered phishing URLs. This information allows URLDeep to calculate the probability of a URL being phishing-related and then feed this intelligence into the PhishFilter.
For Microsoft organizations, Trustwave MailMarshal Integrated Cloud enhances your Microsoft email security environment. MailMarshal Integrated Cloud is a cloud-native solution that provides a seamless, API-led security layer, enhancing resilience against sophisticated email threats and making it easier for organizations operating in a Microsoft 365 environment to create a layered defense.
Trustwave MailMarshal's Defensive Methodology
MailMarshal runs every inbound email through 11 separate layers to help protect against spam, email-delivered malware, phishing, and BEC attacks on-premise and in the cloud.
The layers are:
- IP ReputationSpamProfiler
- Email Threats
- Advanced Malware and Exploit Detection
- Antivirus Engine
- SpamCensor
- BEC Filter
- PhishFilter+URLDeep
- Suspect URLs
- Sandbox
- Email Policy Settings
Each of the millions of emails that arrive daily in MailMarshal is broken down into its component parts, including the message header, message body, raw HTML, URLs, images, and attachments, which are then examined to identify any potential threats.
As MailMarshal processes emails, the system scores each item, and if a certain threshold is reached, the email is flagged or quarantined. This activity all happens in milliseconds and does not slow down email processing. Additionally, real-time URL scanning is performed when a user clicks on a link in a delivered email to ensure its safety.
