Phishing as a Service (PhaaS): The Subscription Crime Model Explained

PhaaS turned sophisticated phishing into rented infrastructure. The platforms, the bundled features and what defenders need to update.

Published 2026-05-09 by Bait & Phish

The crime economy graduated to SaaS

For most of phishing's history, sophisticated attacks required attacker skill at every layer. Domain registration, mail server configuration, template design, anti-detection coding, MFA-bypass research. The result: high-end phishing was rare, low-end phishing was sloppy and recognizable.

Phishing as a Service inverted that. PhaaS vendors bundle ready-to-use phishing infrastructure as a subscription product. A buyer with a payment method and minimal technical skill can deploy AiTM-grade phishing the same day. The skill barrier that used to gate sophisticated attacks collapsed; campaign volume and lure quality both rose. The post-2022 phishing threat landscape is shaped by this commoditization.

The Bait & Phish glossary defines phishing kits as the building blocks (HTML, CSS, server-side scripts) that PhaaS platforms package and sell as managed services. Most current kits include AiTM (Adversary-in-the-Middle) reverse-proxy capability for MFA bypass.

What's bundled in a PhaaS subscription

Modern PhaaS offerings bundle most or all of the following in a single subscription:

  • Credential-harvesting kit: Branded login-page clones (Microsoft 365, Google Workspace, banking, retail) updated to track current visual changes from legitimate vendors. Templates refresh faster than defender blocklists can keep up.
  • Sending infrastructure: Mail relays, throwaway domains, IP rotation. The subscriber doesn't register domains or configure mail servers; the PhaaS vendor manages that. Some platforms publish SPF records and DKIM keys for the throwaway domains so messages pass SPF, DKIM and DMARC checks. Worth remembering during triage: those checks only prove the mail came from the domain it claims, not that the domain has anything to do with the brand it imitates.
  • AiTM reverse proxy: The defining feature of premium 2024-2026 PhaaS. Sits between the victim and the real login service, relays each step of the genuine sign-in (password, OTP, push approval) in both directions, then captures the session cookie the service issues once authentication completes. Sometimes called "session-cookie phishing" in vendor marketing.
  • Anti-detection features: CAPTCHA gating (a human-verification challenge in front of the lure, so automated URL scanners and sandboxes never reach the phishing page), geofencing (lures served only to target regions, with a benign decoy page returned to IP ranges associated with security vendors and research firms), bot detection (lures hidden from headless browsers and known crawler user agents). The effect is that automated detonation, URL scoring and takedown lag the campaign, and an analyst who fetches the link from the office network often sees nothing suspicious.
  • Operational dashboard: Real-time view of how many targets clicked, who entered credentials, which sessions have cookies harvested. Some include built-in credential-stuffing infrastructure for follow-on account takeover.

Pricing varies widely. Low-tier credential kits are $50-$500 per month. Premium AiTM platforms (Tycoon, EvilProxy) charge thousands per campaign or higher monthly subscriptions for unlimited usage.

The major PhaaS platforms

The PhaaS ecosystem changes constantly as platforms get taken down and replaced. The named platforms below were active and widely deployed in 2024-2026:

  • Tycoon - one of the most-deployed AiTM platforms. Microsoft 365 and Google Workspace targeted. Includes session-cookie capture, MFA bypass, throwaway-domain rotation. Operating since around 2023.
  • EvilProxy - premium AiTM service. Higher price point than Tycoon, advertises better anti-detection and longer-living infrastructure.
  • Greatness - Microsoft 365 specialist. Heavily focused on cloned M365 sign-in flows; includes adversary-in-the-middle for session capture.
  • 16Shop - long-running credential-harvesting kit family. Multiple retailer brands cloned (Apple, Amazon, banking). Less AiTM-focused, more credential-stuffing-friendly.
  • Caffeine - open-source AiTM framework. Lower operational cost (no subscription), which makes it popular with low-budget threat actors. The attack patterns defenders see from Caffeine match those of Evilginx-style proxies.

This list is not exhaustive and changes frequently. The pattern is what matters more than the specific platform names: rented sophistication, fast template refresh, AiTM included by default.

Why this changed the threat landscape

Before PhaaS, sophisticated phishing was rare because it required attacker skill. Defenders could expect a long tail of low-quality phishing (recognizable to trained users) plus a small head of high-quality attacks (rare enough that targeted-attack response procedures sufficed).

Post-PhaaS, sophistication is the baseline. The recognizable bad-grammar lures from 2018 still exist but they're a minority of campaign volume. The modal phishing email in 2026 has perfect grammar, accurate brand identity, current visual styling and an AiTM reverse-proxy backend. Recognition cues that worked in 2018 (typos, obviously-foreign sender, mismatched logos) miss the modal modern attack.

Defender programs sized for the older threat distribution under-defend against the current one. Our 2026 trends roundup covered this as one of the year's defining shifts; PhaaS commoditization is the underlying driver.

What this means for phishing simulation programs

Simulation programs need to refresh in three specific ways to address PhaaS-era phishing:

1. Update template libraries

Templates from 2018-2020 trained users on lure styles that are no longer the modal threat. Modern programs should include current PhaaS-style templates - cloned modern login flows, AiTM-styled fake sign-in pages, OAuth consent abuse patterns, modern brand-impersonation styles. Difficulty progression matters: users who easily catch legacy templates need to face current-PhaaS-pattern templates to actually train against the threat.

2. Test AiTM and MFA-bypass patterns specifically

MFA-bypass phishing requires its own simulation track. Users need to recognize the pattern: a sign-in page that looks right, a URL that is wrong, and a sign-in that actually completes, because the proxy forwards the password and the MFA response to the real service. The recognition cue is the URL bar, not the page content (the AiTM proxy renders the legitimate service's own pages). Training should also be honest about how fragile that cue is: lookalike domains and mobile browsers that truncate the address defeat it, which is why the technical controls later in this article, not user vigilance, carry the primary load.

3. Include OAuth consent phishing

PhaaS-grade attacks often skip credential harvesting entirely and exploit OAuth consent flows in M365 / Workspace / SaaS apps. The user never types a password and MFA never prompts; they grant a malicious app durable access by clicking Allow on a consent screen, and that grant stays in place until it is explicitly revoked (a password reset does not remove it). Training has to teach what the consent screen actually means and which app permissions are dangerous. Our M365 phishing defense guide and Workspace phishing defense guide cover the platform-specific OAuth abuse patterns.

Technical defenses that meet PhaaS

Training closes the human-layer gap. Technical controls close the rest:

  • Phishing-resistant MFA (FIDO2 / passkeys / WebAuthn) on critical accounts defeats AiTM at the cryptographic layer. The browser records the origin of the page that requested the assertion in the signed client data, and the authenticator only answers for the RP ID the credential was registered to; a proxy on a different domain cannot obtain an assertion the legitimate service will accept, and cannot alter the origin field without breaking the signature. This is the single most consequential technical control against PhaaS.
  • Conditional Access requiring compliant device + trusted location for sensitive apps. Even if AiTM captures a session cookie, the conditional-access policy can block its use from an attacker-controlled IP on a non-compliant device.
  • Continuous-access evaluation shortens the window during which a stolen session cookie is useful. Token revocation on suspicious behavior cuts the post-compromise dwell time.
  • OAuth admin policy: admin-only consent for permissive scopes, verified-publisher allowlists, periodic audit of granted scopes. Blocks the consent-phishing path PhaaS-grade attackers use against M365 and Workspace tenants.
  • Anomaly detection: impossible-travel logins, mailbox-forwarding-rule changes (a common post-AiTM persistence move), unusual data-access patterns. Catches the post-compromise behavior even when the initial authentication succeeded.

Where Bait & Phish fits

The Bait & Phish platform supports current-PhaaS-pattern simulation templates as a first-class campaign category. Difficulty tier "hard" includes AiTM-styled cloned sign-in pages, OAuth consent abuse lures and modern brand-impersonation templates that mirror what current PhaaS platforms generate. Auto-assigned remediation fires when users click; the training module addresses the specific pattern they fell for. A free trial up to 25 users includes the full PhaaS-pattern template library; contact us for a walkthrough specific to your industry.

Frequently asked questions

What is Phishing as a Service?

A subscription model where attackers rent ready-to-use phishing infrastructure (kit, sending infrastructure, AiTM proxy, anti-detection) instead of building their own. Pricing $50-$500/month for low-tier kits; thousands per campaign for premium AiTM platforms.

What are the major PhaaS platforms?

Tycoon, EvilProxy, Greatness, 16Shop, Caffeine - all active 2024-2026. The list rotates as platforms get taken down and replaced.

Does standard MFA defeat PhaaS?

No. Most PhaaS includes an AiTM reverse proxy that captures the session cookie after the victim authenticates. SMS codes, TOTP and push approvals all complete through the proxy, because the victim supplies them to the legitimate service with the proxy relaying in between. Phishing-resistant MFA (FIDO2 / passkeys) defeats it because the signed assertion is bound to the origin the browser is actually on.

How does training help against PhaaS?

Two layers: (1) reduces click rate at the lure stage (highest-leverage stage); (2) trains recognition of current-PhaaS-pattern lures (not legacy 2018 styles).

What technical controls work?

Phishing-resistant MFA, Conditional Access, continuous-access evaluation, OAuth admin policy, anomaly-based identity protection.


Related reading: Phishing Trends 2026 covers PhaaS as one of the year's defining patterns. MFA bypass phishing covers the AiTM and consent-phishing patterns PhaaS includes by default. Callback phishing (TOAD) covers the email-to-voice variant. The phishing & security awareness glossary defines all terms.