SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Phishing-as-a-service kits drive surge in 2025 scams

Thu, 15th Jan 2026

Barracuda has reported a sharp rise in the use of phishing-as-a-service kits, saying the number of known kits in active use doubled during 2025 and featured in the overwhelming majority of phishing campaigns the company observed.

Barracuda said 90% of phishing campaigns it tracked during the year used phishing-as-a-service, often referred to as PhaaS. The model packages tools, templates and infrastructure for criminals. It lowers the barrier to entry for would-be attackers and increases the volume of campaigns targeting organisations and individuals.

The company's threat research highlighted a mix of newer operators and longer-running groups. Barracuda pointed to newcomers, including Cephas, Whisper 2FA and GhostFrame. It also cited established groups such as Mamba and Tycoon.

Barracuda said each kit sat behind millions of attacks. It described a competitive environment in which groups iterate quickly and add features that reduce detection by security tools and users.

Shifting tactics

Alongside the growth in kit numbers, Barracuda reported a concentration around a small set of tactics that appeared frequently across campaigns. The most common techniques centred on bypassing security controls and disguising malicious destinations.

Barracuda said multifactor authentication bypass was featured in 48% of attacks. The company cited methods such as stolen session cookies and social engineering approaches that persuade targets to reveal information or approve a login. These techniques aim to defeat controls that many organisations treat as a strong defence against account takeover.
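The session-cookie theft mentioned above works because the cookie is the artefact issued after MFA has already succeeded, so whoever presents it is trusted without a second check. The following is an added example (not Barracuda's or SecurityBrief's code) of one server-side mitigation: binding the session to a coarse fingerprint of the client that completed MFA and revoking it when the cookie is presented from a different context. The fingerprint fields (user agent plus the client's /24 network prefix), the in-memory store and the sample values are constructed for illustration.

```python
"""Bind a session cookie to the client context that completed MFA.

Added example, not code from Barracuda or the article. A stolen cookie
presented from another network or browser no longer matches the stored
fingerprint, so the session is revoked and the user must re-authenticate.
"""
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 8 * 3600          # seconds; an assumed policy value

_sessions = {}                   # session_id -> record (in-memory store for the example)


def client_fingerprint(user_agent: str, client_ip: str) -> str:
    """Coarse fingerprint: user agent plus the /24 of the client's IPv4 address.

    The fields are an illustrative choice; real deployments tune them to
    avoid false mismatches from mobile clients or large NATs.
    """
    prefix = ".".join(client_ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{prefix}".encode()).hexdigest()


def issue_session(user: str, user_agent: str, client_ip: str, now=None) -> str:
    """Create a session; call only after password and MFA have both succeeded."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    _sessions[session_id] = {
        "user": user,
        "fp": client_fingerprint(user_agent, client_ip),
        "issued": now,
    }
    return session_id


def validate_session(cookie: str, user_agent: str, client_ip: str, now=None):
    """Return (user, reason); user is None whenever the cookie must be rejected."""
    now = time.time() if now is None else now
    record = _sessions.get(cookie)
    if record is None:
        return None, "unknown_session"
    if now - record["issued"] > SESSION_TTL:
        _sessions.pop(cookie, None)
        return None, "expired"
    presented = client_fingerprint(user_agent, client_ip)
    if not hmac.compare_digest(record["fp"], presented):
        # Same cookie, different client context: treat as a replayed or
        # stolen cookie, revoke it and force a fresh MFA login.
        _sessions.pop(cookie, None)
        return None, "context_mismatch"
    return record["user"], "ok"


if __name__ == "__main__":
    cookie = issue_session("alice", "ExampleBrowser/1.0", "203.0.113.10")
    print(validate_session(cookie, "ExampleBrowser/1.0", "203.0.113.44"))   # same /24: ok
    print(validate_session(cookie, "ExampleBrowser/1.0", "198.51.100.7"))   # replay from elsewhere
    print(validate_session(cookie, "ExampleBrowser/1.0", "203.0.113.10"))   # already revoked
```

The revocation step is the part that matters: a mismatch is logged and the session is destroyed rather than silently refused, so a replayed cookie both fails and produces a signal the security team can alert on. Binding to the /24 rather than the full address is a trade-off against legitimate address churn; phishing-resistant MFA (FIDO2/WebAuthn) and short-lived sessions reduce the window in which a stolen cookie is useful at all.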

URL obfuscation also appeared in 48% of attacks, Barracuda said. The company referenced techniques such as open redirects. It also cited human verification steps that resemble legitimate checks. These methods seek to reduce the chance that automated systems or users recognise a link as suspicious.
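An open redirect hides the real destination inside a link whose visible hostname is trusted, typically as a query parameter carrying another URL, sometimes base64-encoded. The following added example (not Barracuda's or SecurityBrief's code) is a small link checker of the kind an email-security pipeline or an analyst might run: it pulls nested URLs out of the query string, flags a trusted host redirecting off-domain, and catches two other disguises, credentials in the authority part and very deep subdomains. The `TRUSTED_HOSTS` set and every sample link are constructed for illustration.

```python
"""Flag redirect-style URL obfuscation in email links.

Added example, not code from Barracuda or the article. Heuristics only:
a hit means "look closer", not "malicious".
"""
import base64
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: hostnames the organisation treats as its own or trusted.
TRUSTED_HOSTS = {"login.example.com", "mail.example.com"}


def _looks_like_url(value: str) -> bool:
    v = unquote(value).strip().lower()
    return v.startswith(("http://", "https://", "//"))


def _decode_b64_url(value: str):
    """Return a URL hidden in a base64/urlsafe-base64 parameter, or None."""
    try:
        padded = value + "=" * (-len(value) % 4)
        decoded = base64.urlsafe_b64decode(padded).decode("utf-8", "strict")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if _looks_like_url(decoded) else None


def embedded_destinations(url: str) -> list:
    """Collect URLs carried inside the query string, plain or base64-encoded."""
    found = []
    for values in parse_qs(urlparse(url).query, keep_blank_values=True).values():
        for v in values:
            if _looks_like_url(v):
                found.append(unquote(v))
            else:
                hidden = _decode_b64_url(v)
                if hidden:
                    found.append(hidden)
    return found


def analyse_link(url: str) -> dict:
    """Return the host, any nested destinations and a list of finding labels."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    nested = embedded_destinations(url)
    findings = []
    if nested:
        findings.append("nested_url")            # parameter carrying another URL
        final_host = (urlparse(nested[-1]).hostname or "").lower()
        if host in TRUSTED_HOSTS and final_host and final_host not in TRUSTED_HOSTS:
            findings.append("open_redirect_off_domain")  # trusted host bouncing elsewhere
    if parsed.username:
        findings.append("userinfo_in_url")       # "trusted.host@real.host" disguise
    if host.count(".") >= 4:
        findings.append("deep_subdomain")        # brand name buried in a long hostname
    return {"url": url, "host": host, "nested": nested, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links, not observed phishing URLs.
    for link in [
        "https://login.example.com/inbox",
        "https://login.example.com/redirect?url=https%3A%2F%2Fbad.example.net%2Flogin",
        "https://mail.example.com/r?d=aHR0cHM6Ly9iYWQuZXhhbXBsZS5uZXQv",
        "https://login.example.com@bad.example.net/",
    ]:
        print(analyse_link(link)["findings"], link)
```

Run against the rewritten links that email clients show on hover, the checker separates a trusted first hop from the real destination, which is the information a user or a URL filter needs and which the redirect is designed to hide. It is deliberately conservative: a trusted host redirecting to another trusted host produces only `nested_url`, so internal single-sign-on flows do not drown the alert queue.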

CAPTCHA abuse featured in 43% of attacks, according to Barracuda. CAPTCHAs can make malicious pages look more legitimate to users. They can also act as a gate that changes what security scanners see compared with a real victim's browser session.

Barracuda said polymorphic techniques and the use of malicious QR codes each appeared in around 20% of attacks. It highlighted split and nested QR codes. It also pointed to polymorphic attacks that change characteristics over time. These approaches can complicate detection and blocking.

Malicious attachments appeared in 18% of attacks, Barracuda said. It also reported the abuse of trusted online platforms in 10% of attacks. It cited the use of generative AI tools, including zero-code development sites, in another 10% of attacks.

Common lures

Barracuda noted the most common themes in phishing emails stayed consistent with previous years, even as criminals updated their presentation and language. The company said attackers increasingly mimic known brands. It said they copy logos and website layouts with higher accuracy than in the past.

Payment and invoice fraud remained the most common lure, according to Barracuda. It accounted for 19% of phishing emails the company analysed. These messages commonly attempt to push recipients into urgent action, such as paying a bill, updating bank details, or reviewing a payment request.

Digital signature and document review messages accounted for 18% of attacks, Barracuda said. It cited the use of trusted brands, including DocuSign and Microsoft. These lures often direct victims to credential-harvesting pages that mimic document portals.

Voicemail scams accounted for 15% of attacks, Barracuda said. HR-related scams came next at 13%. These messages can reference benefits, payroll, and employee documentation. They often target internal processes and rely on the familiarity of routine administrative communications.

Security impact

The findings add to the picture of a market in which commodity tooling supports large-scale cybercrime operations. For security teams, the shift means a higher baseline of sophistication across campaigns, even when the operator behind an email has limited technical skill.

Barracuda's data also suggests attackers increasingly focus on bypassing the controls that organisations deploy widely, such as multifactor authentication and email filtering. The frequent use of CAPTCHA abuse and URL obfuscation points to techniques designed to evade both automated scanning and human scrutiny.

"Phishing kits shifted up another level in 2025 as they increased in number and sophistication, bringing advanced, full-service attack platforms to even less-skilled cybercriminals and enabling them to launch powerful attacks at scale," said Ashok Sakthivel, Director, Software Engineering at Barracuda.

"The kits feature techniques designed to make it harder for users and security teams to detect and prevent fraud. To stay protected, organisations need to move past static defences and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and to ensure email security sits at the heart of an integrated, end-to-end security strategy," Sakthivel added.

Barracuda said it expects the high level of phishing-as-a-service kit usage to continue through 2026.