SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

New PhaaS kits boost phishing threats with advanced tools

Today

The latest research from Barracuda has highlighted the significant rise and evolution of Phishing-as-a-Service (PhaaS) kits, which are empowering cyber attackers with advanced tools and templates to deploy phishing campaigns more swiftly and effectively.

Barracuda's analysis indicates that approximately 30% of credential attacks in 2024 involved the use of PhaaS kits. This figure is expected to increase to 50% in 2025. The developers behind these kits are consistently enhancing their platforms with tactics designed to evade modern security measures.

One of the PhaaS platforms under Barracuda's observation is Tycoon, particularly its more recent iteration known as Tycoon 2FA.

The kit, popular since August 2023, evolved to bypass multifactor authentication by exploiting Microsoft 365 session cookies. The updated version, first identified in November 2024, incorporates sophisticated mechanisms to hinder detection by security tools.

Some of these advancements include using legitimate, albeit possibly compromised, email accounts for attacks, along with specially crafted source code that makes web page analysis challenging. Furthermore, Tycoon 2FA implements strategies to detect and block automated scripts and tools often used by security professionals.

"Tycoon 2FA allows attackers to intercept and bypass multilayered security measures designed to protect accounts. By targeting and exploiting vulnerabilities in the 2FA process, attackers can gain unauthorised access to otherwise secure accounts," the report noted.

Researchers have observed significant changes in how phishing emails are deployed in this latest version.

The phishing emails originate from legitimate, potentially compromised email accounts, complicating detection and prevention efforts.

Additionally, Barracuda has observed modifications in the source code of fake login pages associated with Tycoon 2FA. Traditionally, such code employs JavaScript resources, but the new version instead incorporates a unique script function to obstruct analysis.

The updated Tycoon 2FA code also reacts to keystrokes that developers often use during web page inspection, disrupting investigation and redirecting users who attempt to open developer tools.

For instance, if tools are detected, users may be redirected to legitimate sites like OneDrive.

Other disruptive features in the new version include disabling right-click menus that could reveal a website's authentic purpose and obfuscating code to hinder readability.

Further hindrances observed include the automatic overwriting of clipboard content to prevent the extraction of information, marking a notable change in Tycoon 2FA's tactics.
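
For defenders triaging a captured page, the behaviours listed above (blocked right-click menus, key handlers aimed at developer tools, clipboard overwriting and script-driven redirects) can be checked for statically. The following is an added example, not code from Barracuda's research or from the kit; the rule names, patterns, scoring threshold and sample inputs are assumptions constructed for illustration.

```javascript
// Added example: static triage heuristics for the anti-analysis behaviours
// described in the article. Rule ids and patterns are assumptions.
const RULES = [
  { id: 'context_menu_blocked',
    re: /addEventListener\(\s*['"]contextmenu['"]|\boncontextmenu\s*=/i },
  { id: 'devtools_key_trap', // F12 by name or by legacy key code 123
    re: /\b(?:keyCode|which)\s*===?\s*123\b|\bkey\s*===?\s*['"]F12['"]/ },
  { id: 'clipboard_overwrite',
    re: /navigator\.clipboard\.writeText\s*\(|execCommand\(\s*['"]copy['"]/ },
  { id: 'script_redirect', // assignment to location, not a comparison
    re: /\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:replace|assign)\s*\(/ },
];

// Redirects are common on benign pages, so they are reported but not scored.
const SCORED = new Set([
  'context_menu_blocked', 'devtools_key_trap', 'clipboard_overwrite',
]);

// Returns the matched rule ids, the count of scored indicators, and a flag
// raised when two or more scored indicators appear in the same source.
function scanAntiAnalysis(source) {
  const hits = RULES.filter((r) => r.re.test(source)).map((r) => r.id);
  const score = hits.filter((id) => SCORED.has(id)).length;
  return { hits, score, flag: score >= 2 };
}

// Constructed sample: a page script combining the behaviours in the article.
const SAMPLE_SUSPECT = [
  "document.addEventListener('contextmenu', (e) => e.preventDefault());",
  "document.addEventListener('keydown', (e) => {",
  "  if (e.key === 'F12') { window.location.href = 'https://example.invalid/'; }",
  "});",
  "document.addEventListener('copy', () => navigator.clipboard.writeText(''));",
].join('\n');

// Constructed sample: ordinary site code with a copy button and login redirect.
const SAMPLE_BENIGN = [
  "copyBtn.addEventListener('click', () => navigator.clipboard.writeText(link.href));",
  "if (!session) { window.location.href = '/login'; }",
].join('\n');

console.log(scanAntiAnalysis(SAMPLE_SUSPECT));
console.log(scanAntiAnalysis(SAMPLE_BENIGN));
```

Because the article also reports code obfuscation, literal patterns like these only apply once the script has been deobfuscated or its behaviour has been observed at run time.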

The research stresses that as of 2025, phishing represents a complex and adeptly developed threat. Examining these threats, Barracuda underscores the importance of evolving security tools in line with emerging patterns to safeguard against such attacks.

"We have observed Tycoon 2FA used in numerous phishing campaigns over the past months. We expect cyber attackers to continue to refine their methods to circumvent traditional security measures and thwart deeper analysis."

"It is essential to have agile, innovative, multilayered defence strategies and foster a strong security culture to stay ahead of this ever-evolving threat," the spokesperson detailed in the research analysis.
