What Is Phishing-as-a-Service (PhaaS)?

Written by: Lizzie Danielson

Published: 9/12/2025


Phishing didn't get harder to pull off. It got easier. A lot easier.

Phishing-as-a-Service (PhaaS) is a subscription-based cybercrime model where skilled threat actors package up everything needed to run a phishing campaign—fake login pages, email templates, hosting infrastructure, even customer support—and rent it out to anyone willing to pay. No coding required. No experience necessary. Just a subscription fee and a target.

It's cybercrime, democratized. And it's a problem you can't ignore.



Key Takeaways

  • PhaaS has removed the technical barrier to phishing. Threat actors with no hacking skills can now launch sophisticated credential theft campaigns by paying a monthly fee, the same way a business pays for software.

  • The volume and quality of attacks have both gone up. PhaaS operators compete to offer the most effective kits, constantly updating templates and evasion techniques to stay ahead of security filters.

  • Real-world PhaaS operations are already hitting businesses at scale. Huntress researchers uncovered the EvilTokens PhaaS platform actively targeting Microsoft 365 users across 340+ organizations in early 2026—using device code phishing to bypass MFA entirely.

  • Defending against PhaaS requires more than one control. Multi-factor authentication, email filtering, security awareness training, and identity threat detection all need to work together—because attackers are already anticipating your single-layer defenses.

Why PhaaS exists (and why it's not going away)

Think about how SaaS changed software. You don't need to build your own project management tool anymore; you just pay for one. PhaaS did the same thing for phishing.

Before PhaaS, pulling off a convincing phishing campaign took real work. You had to build fake websites, write believable email copy, set up hosting, and figure out how to evade spam filters—all without getting caught. That combination of skill and effort kept a lot of would-be criminals on the sidelines.

PhaaS changed the calculus completely.

Now, operators build and maintain the infrastructure. Customers (low-skill attackers, organized crime groups, even disgruntled insiders) pay to use it. The operator makes money regardless of whether any individual campaign succeeds. The customer gets a polished, ready-to-go toolkit. And your organization gets another wave of convincing phishing emails to deal with.

That's the model. And it scales.


How a PhaaS operation actually works

PhaaS operators aren't just selling tools; they're running businesses. Here's what a typical operation looks like from the inside:

  • The infrastructure: A team of developers builds the phishing kit—convincing fake login pages for brands like Microsoft 365, Google Workspace, or your bank, plus the backend to capture stolen credentials. They set up hosting, dashboards, and distribution systems. Some even set up 24/7 customer support.

  • The storefront: The operator advertises on dark web forums and encrypted messaging platforms like Telegram. Pricing is typically tiered—you might pay for just email delivery, or pay more for token capture, spam filter bypass tools, and dedicated SMTP relays.

  • The campaign: A customer—call them a buyer—logs into their dashboard, picks a target and a template, and hits send. The PhaaS platform handles delivery and hosts the fake page. When a victim enters their credentials, the data lands directly in the buyer's dashboard.

  • The payout: The buyer gets fresh credentials or authentication tokens to sell or use. The operator takes their subscription fee. Nobody wrote a single line of malicious code during the actual campaign.

That's it. That's all it takes.



Why PhaaS attacks are getting harder to catch

Two things happen when cybercrime gets commercialized: volume goes up, and quality goes up.

PhaaS operators are in it for profit. That means they have a financial incentive to make their kits as effective as possible. They update templates to bypass email filters. They add CAPTCHA challenges to fake pages to look more legitimate. They use legitimate hosting infrastructure—trusted cloud platforms—to make their traffic harder to block by reputation alone.

And because the barrier to entry is so low, the number of phishing campaigns overall has skyrocketed. Phishing remains one of the most pervasive cyber threats, with 191,561 complaints submitted to the Internet Crime Complaint Center (IC3). PhaaS pours gas on that fire.

The result: your inbox is seeing more phishing emails than ever before, and they look better than they ever have.


Real-world example: EvilTokens and the Railway campaign

In February 2026, Huntress researchers spotted something unusual: a wave of anomalous authentication events hitting dozens of Microsoft 365 organizations at the same time.

What they uncovered was a PhaaS platform later attributed to EvilTokens—advertised on Telegram starting February 16, 2026, with pricing tiers for email delivery, token capture, and SMTP relay. Within days of going public, it was actively compromising organizations.

The attack method was device code phishing—a technique that exploits Microsoft's own OAuth device authorization flow. Instead of stealing a password, the attacker tricks the victim into entering a code at Microsoft's legitimate login page. The attacker's backend then retrieves the resulting access and refresh tokens, which stay valid for up to 90 days—even after a password reset.


Here's what made it especially hard to catch:

  • It bypassed MFA entirely. Users authenticated on a real Microsoft page, so MFA did exactly what it was supposed to—and it still didn't stop the attack.

  • The infrastructure looked clean. Railway.com is a legitimate Platform-as-a-Service provider with clean cloud IP ranges. Because Railway had no reputation penalty, Microsoft's risk scoring didn't flag it as suspicious.

  • Every phishing email was different. Construction bid lures, DocuSign impersonation, voicemail notifications, Microsoft Forms abuse—all hitting the same victim pool with no two messages alike. Signature-based email filters didn't stand a chance.
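The three points above are what an identity detection has to reason about: the MFA result is genuine, the source IP has no bad reputation, and the email lure is unique each time. What does stand out in the tenant's own sign-in telemetry is the grant type itself: a sign-in that went through the device code flow from an address in hosting space. The following is an added example, not Huntress code or EvilTokens tooling. It reads newline-delimited sign-in records shaped like the Microsoft Graph signIn resource (`authenticationProtocol`, `ipAddress`, `conditionalAccessStatus`, `status.errorCode`), scores them, and returns the users whose tokens should be revoked. The records, the hosting CIDR block, and the user names are all constructed for the demo.

```python
"""Triage Entra ID sign-in log records for device code flow abuse.

Added example (not Huntress code). Field names follow the Microsoft Graph
signIn resource; every record value below is constructed for this demo.
"""
from __future__ import annotations

import ipaddress
import json

# Constructed sample sign-in records (newline-delimited JSON). Users, IPs,
# timestamps and apps are invented; only the field names are real.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2026-02-18T09:02:11Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "none", "ipAddress": "203.0.113.10", "conditionalAccessStatus": "success", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-18T09:05:40Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.42", "conditionalAccessStatus": "success", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-18T09:07:03Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "conditionalAccessStatus": "success", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-18T09:09:19Z", "userPrincipalName": "dave@example.com", "appDisplayName": "Outlook", "authenticationProtocol": "none", "ipAddress": "198.51.100.9", "conditionalAccessStatus": "success", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-18T09:11:55Z", "userPrincipalName": "erin@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.50", "conditionalAccessStatus": "failure", "status": {"errorCode": 50126}}
"""

# Constructed: CIDR blocks this tenant treats as cloud/PaaS egress rather than
# user networks. A real list comes from the provider or from your own baseline.
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_signins(ndjson: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def is_hosting_ip(ip: str) -> bool:
    """True when the source address falls inside a known hosting range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def triage(records: list[dict]) -> list[dict]:
    """Score successful sign-ins. Device code flow from hosting space is the
    combination the campaign used, so it gets the highest severity."""
    alerts = []
    for rec in records:
        if rec["status"]["errorCode"] != 0:
            continue  # failed sign-in: no token was issued, hunt separately
        device_code = rec["authenticationProtocol"] == "deviceCode"
        hosting = is_hosting_ip(rec["ipAddress"])
        reasons = []
        if device_code:
            reasons.append("device code flow: MFA was satisfied on the real login page, "
                           "so the issued token is valid whoever started the flow")
        if hosting:
            reasons.append(f"source {rec['ipAddress']} is in a hosting range, "
                           "not a user network")
        if not reasons:
            continue
        severity = "high" if device_code and hosting else ("medium" if device_code else "low")
        alerts.append({
            "user": rec["userPrincipalName"],
            "app": rec["appDisplayName"],
            "ip": rec["ipAddress"],
            "time": rec["createdDateTime"],
            "severity": severity,
            "reasons": reasons,
        })
    return alerts


def users_to_revoke(alerts: list[dict]) -> set[str]:
    """Users whose sessions should be revoked outright: a password reset alone
    does not invalidate refresh tokens already issued through the flow."""
    return {a["user"] for a in alerts if a["severity"] == "high"}


if __name__ == "__main__":
    found = triage(parse_signins(SAMPLE_SIGNINS))
    for a in found:
        print(f"[{a['severity']}] {a['user']} from {a['ip']} via {a['app']}")
        for r in a["reasons"]:
            print("   -", r)
    print("revoke sessions for:", sorted(users_to_revoke(found)))
```

The medium-severity case (Carol's Azure CLI sign-in from a user network) is there on purpose: device code flow has legitimate uses on headless systems, so the score should come from the combination of signals rather than the grant type alone. For users who never need the flow, Entra Conditional Access can block it outright with the "Authentication flows" condition, which is the "restricting which flows are allowed" control the defense section below refers to.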

By mid-March 2026, the campaign had hit more than 340 organizations across the US, Canada, Australia, New Zealand, and Germany—spanning law firms, manufacturers, healthcare providers, financial services firms, and local governments.

Huntress blocked more than 460 compromise attempts against protected identities during the campaign, and new blocks continued to roll in: 113 recent attempts on top of roughly 350 earlier ones.

See this in action by watching the video below:



Organizations without that kind of identity-level detection often didn't know they'd been hit until it was too late.




How to defend against phishing attacks

PhaaS-powered phishing is designed to get around your defenses one by one. That's why no single control is enough. You need layers—and they all need to work together.


Security awareness training

Your people are your first line of defense—and your biggest target. Train them to be skeptical of unsolicited emails, especially ones that create urgency. Teach them to verify sender addresses, pause before clicking links, and recognize that even legitimate-looking Microsoft pages can be part of a phishing chain.

Huntress Managed Security Awareness Training delivers expert-backed training, phishing simulations, and just-in-time Phishing Defense Coaching based on real-world threat intel to reduce human risk and build resilience.


Multi-factor authentication (MFA)

MFA is non-negotiable—but campaigns like EvilTokens are a reminder that MFA alone isn't a complete defense. Token-based attacks can bypass MFA entirely if you're not also monitoring authentication behavior and restricting which flows are allowed.

If you need a primer or asset to share with leadership, Huntress' guide, What Is Multi-Factor Authentication?, explains why MFA is "necessary but not sufficient" and how attackers are already working around it.


Advanced email security

Deploy email filtering that goes beyond simple keyword matching. You need solutions that analyze email headers, scan for malicious links and attachments, and use behavioral analysis to catch phishing attempts that look clean on the surface—because modern PhaaS kits deliberately abuse trusted redirectors, URL rewriters, and reputable cloud services to evade basic checks.


Endpoint Detection and Response (EDR)

If a user does click something malicious, you need to know about it before the threat spreads.

Huntress Managed EDR continuously monitors endpoints for malicious behavior, persistent footholds, lateral movement, and early signs of ransomware, then brings in a 24/7 AI-assisted SOC to contain and actively remediate threats—often in minutes.


Identity Threat Detection and Response (ITDR)

This is the one most organizations don't have—and the one modern PhaaS attacks are specifically designed to exploit.

Huntress Managed ITDR monitors your Microsoft 365 and Google Workspace environments for session hijacking, token replay, rogue OAuth apps, unusual locations and VPNs, malicious inbox rules, and other identity anomalies that show up even when everything else looks clean.

If EvilTokens—or the next PhaaS platform—hit your organization, ITDR is how you'd catch it in your authentication telemetry, revoke tokens, and shut down attacker access before they can pivot to wire fraud or data theft.
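Of the anomalies listed above, malicious inbox rules are the easiest to check for yourself, because they persist in the mailbox after the attacker has finished with the token. The following is an added example, not Huntress code: it inspects inbox rules shaped like the Microsoft Graph messageRule resource (`displayName`, `conditions.subjectContains`, `actions.forwardTo`, `actions.delete`, `actions.moveToFolder`) for the patterns that follow a token theft, such as forwarding to an external domain or hiding mail about invoices, wire transfers and security alerts. The tenant domain, the sample rules and the external address are constructed for the demo.

```python
"""Scan Exchange Online inbox rules for post-compromise patterns.

Added example (not Huntress code). Rule shape follows the Microsoft Graph
messageRule resource fields used below; every rule here is constructed.
"""
from __future__ import annotations

# Constructed: domains this tenant owns. Forwarding anywhere else is external.
ORG_DOMAINS = {"example.com"}

# Subjects attackers commonly hide from the victim: fraud follow-ups and
# notifications about the compromise itself.
SENSITIVE_TERMS = {"invoice", "wire", "payment", "password", "security alert", "mfa"}

# Folders where moved mail tends to go unnoticed.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive", "junk email"}

# Constructed sample rules: one benign, three with the patterns described above.
SAMPLE_RULES = [
    {"displayName": "Move newsletters",
     "conditions": {"subjectContains": ["newsletter"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".",
     "conditions": {"subjectContains": ["invoice", "wire transfer"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"displayName": "Backup",
     "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "archive@external-example.net"}}]}},
    {"displayName": "Archive alerts",
     "conditions": {"subjectContains": ["Security alert", "password"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
]


def _recipients(actions: dict, key: str) -> list[str]:
    """Lower-cased addresses for a forward/redirect action."""
    return [r["emailAddress"]["address"].lower() for r in actions.get(key, [])]


def inspect_rule(rule: dict) -> list[str]:
    """Return human-readable findings for one rule (empty list if it looks benign)."""
    findings: list[str] = []
    name = rule.get("displayName", "")
    cond = rule.get("conditions", {}) or {}
    act = rule.get("actions", {}) or {}
    scope = "all incoming mail" if not cond else "matching mail"

    # 1. Mail leaving the tenant: forwards and redirects to external domains.
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for addr in _recipients(act, key):
            domain = addr.rsplit("@", 1)[-1]
            if domain not in ORG_DOMAINS:
                findings.append(f"{key} sends {scope} to external address {addr}")

    # 2. Sensitive subjects being deleted or parked in a folder nobody reads.
    terms = [t.lower() for t in cond.get("subjectContains", []) + cond.get("bodyContains", [])]
    hits = {s for s in SENSITIVE_TERMS if any(s in t for t in terms)}
    hides = bool(act.get("delete")) or act.get("moveToFolder", "").lower() in HIDING_FOLDERS
    if hits and hides:
        findings.append("hides mail mentioning " + ", ".join(sorted(hits)))

    # 3. Near-empty names ("." or "..") are a common attempt to avoid notice.
    if len(name.strip()) <= 2:
        findings.append(f"rule name {name!r} is near-empty")
    return findings


def scan_rules(rules: list[dict]) -> dict[str, list[str]]:
    """Map rule name to findings, keeping only rules that triggered something."""
    report = {}
    for rule in rules:
        findings = inspect_rule(rule)
        if findings:
            report[rule.get("displayName", "")] = findings
    return report


if __name__ == "__main__":
    for name, findings in scan_rules(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for f in findings:
            print("   -", f)
```

Run this against a mailbox's rules after any high-severity identity alert, not only at the time of the alert: the rule is what turns a single stolen token into a lasting foothold for wire fraud, so it belongs in the remediation checklist next to token revocation.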



FAQs About Phishing-as-a-Service

Is Phishing-as-a-Service illegal?

Absolutely. Creating, selling, or using PhaaS tools is a form of cybercrime and is illegal in most countries. It facilitates crimes like identity theft, fraud, and data breaches.

How much does PhaaS cost?

Prices vary widely. Some basic kits can be found for as little as $50, while more sophisticated monthly subscriptions with customer support can run into the hundreds or even thousands of dollars.

How is PhaaS different from a regular phishing attack?

A regular phishing attack is executed from start to finish by a single person or group. PhaaS separates the roles: one group develops and sells the tools, and another group (the customer) buys and uses them to launch the attack.

Can email security stop PhaaS attacks?

Yes and no. Advanced email security can block many PhaaS-based attacks, but the operators are constantly evolving their techniques to evade detection. This cat-and-mouse game is why a layered defense, including user education, is crucial.

Who uses PhaaS?

The customer base is broad. It includes low-skilled cybercriminals (often called "script kiddies"), organized crime groups looking to scale their operations, and even disgruntled insiders who want an easy way to attack their employer.
