Account Compromise Arms Race: The Rise of Phishing-as-a-Service
Threat actors are constantly advancing their techniques, and phishing-as-a-service (PhaaS) platforms exemplify this dangerous innovation. In this new blog series, Account Compromise Arms Race, we’ll explore the latest tactics and tools attackers are using to target organizations, steal credentials, and bypass even the most robust security measures.
Phishing-as-a-service represents a significant shift in how cyberattacks are conducted, offering a cloud-based subscription model that makes launching phishing campaigns accessible to even novice criminals. Here, we’ll dive into the mechanics of PhaaS, examine leading platforms, and review real-world attack examples.
The Growing Threat of Phishing-as-a-Service
Phishing-as-a-service (PhaaS) is cheap, cloud-managed, and comes with online support. It handles multi-factor authentication (MFA) bypass, allowing criminals to infiltrate Microsoft, Google, Apple, and GitHub accounts. Multiple PhaaS platforms are available, all competing for the criminal dollar and continuously innovating to outdo each other.
Similar to ransomware-as-a-service, bots-as-a-service, or corporate SaaS offerings, PhaaS platforms are cloud-hosted and sold via subscription. Most platforms offer online training, support, and subscription tiers, managing end-to-end phishing campaigns. This includes building session-hijacking proxy code, spamming victims, and tracking email engagement.
The malicious payload is often delivered via a link or encoded HTML attachment, bypassing URL rewriting. These payloads exploit compromised websites or domains with strong reputations, making them difficult for reputation-based security checks to detect.
PhaaS platforms frequently host session-hijacking proxies behind Cloudflare Turnstile, preventing researchers and bots from learning their true location. Upon clicking the link or opening the HTML attachment, the victim encounters a login panel that perfectly imitates the legitimate service. Here’s a real example of a fake Microsoft login page that’s hosted on a fairly convincing domain - “mrsft-protecteddocs.com.”
A Competitive Criminal Marketplace
Looking through some great research from Bleeping Computer, Group-IB and Svch0st Medium, there’s plenty of choice in the PhaaS market. The most prominent platforms seem to be EvilProxy, Caffeine (re-released as ONNX in Feb 2024), Greatness and W3LL.
The constant competition between PhaaS vendors is driving a level of innovation and sophistication not seen in the phishing world a few years ago. Due to some very clever anonymisation, it’s hard to attribute phishing attacks to a specific PhaaS vendor; however, here’s a rough guide to the services offered by each and their monthly subscription price.
It’s worth highlighting that dynamic URL generation, a feature listed above, means each victim receives a unique phishing URL. This renders traditional threat-intelligence-based email security ineffective, because a URL that has never been seen before cannot be matched against the threat-intel database of known bad URLs.
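To make that point concrete, here is an added defender-side example (written for this post, not code from any PhaaS platform or security vendor): an exact blocklist lookup beside a template lookup that collapses the per-victim token, run over constructed URLs on a hypothetical domain.

```python
from math import log2
from urllib.parse import urlsplit, parse_qsl

def shannon_entropy(s):
    """Bits per character; random tokens score high, words like 'open' score low."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * log2(c / len(s)) for c in counts.values()) if s else 0.0

def url_template(url, min_len=12, min_entropy=3.0):
    """Collapse per-victim tokens (long, high-entropy path segments and all query
    values) into '{tok}' so every URL from one campaign shares a single template."""
    parts = urlsplit(url.lower())
    segs = ["{tok}" if len(seg) >= min_len and shannon_entropy(seg) > min_entropy else seg
            for seg in parts.path.split("/")]
    keys = sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    query = "?" + "&".join(k + "={tok}" for k in keys) if keys else ""
    return parts.netloc + "/".join(segs) + query

# Constructed sample: two per-victim URLs already reported from one campaign
# (hypothetical domain, not a real indicator).
BLOCKLIST = {
    "https://docs-review.example/v/a8f3k2m9q1z7x4c6/open?id=h2j5l8p1",
    "https://docs-review.example/v/h2j5l8p1t4v7y0b3/open?id=a8f3k2m9",
}
TEMPLATES = {url_template(u) for u in BLOCKLIST}

def exact_match(url):
    """Classic threat-intel lookup: misses every freshly generated victim URL."""
    return url in BLOCKLIST

def template_match(url):
    """Template lookup: matches the campaign's structure regardless of the token."""
    return url_template(url) in TEMPLATES
```

A third victim's URL fails the exact lookup but hits the template; a legitimate Microsoft sign-in URL hits neither.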
EvilProxy: A Leading PhaaS Platform
EvilProxy is probably one of the better known PhaaS platforms and offers theft of Microsoft, Google, Facebook, WordPress, Instagram and GitHub credentials, to name a few. It offers MFA pass-through and bot detection features for around $400 per month. Training videos and online support make it accessible to criminals of all skill levels.
EvilProxy specializes in bot detection and evasion, exploits open redirects, and enables attackers to easily build session-hijacking proxy code. They even provide this handy training video that covers Microsoft credential theft.
EvilProxy divides proxy access into streams, each associated with a DNS domain and a prepended name.
BotGuard will “keep out unwanted visitors” (as EvilProxy puts it) and prevent URL crawling by virtual machines, browser automation, Tor nodes, and public proxies, to name a few. This ensures that traditional email security, which relies on URL crawling and HTML attachment sandboxing, won’t see the phishing page when its automated analysis follows the link.
Other Key Players in the Phishing-as-a-Service Market
In addition to EvilProxy, services like Caffeine, rebranded as ONNX in 2024, closely mimic legitimate SaaS models by offering Basic, Professional, and Enterprise subscription tiers.
The W3LL criminal group, active for over six years, reportedly generated more than $500,000 in annual revenue by 2023, according to Group-IB. With a customer base of around 500 cybercriminals, W3LL exemplifies how underground marketplaces thrive. Ironically, while maintaining a covert marketplace, W3LL incentivizes referrals, offering a 10% bonus for bringing in new members.
PhaaS-Created Attack Examples
Phishing-as-a-service platforms enable threat actors to craft convincing campaigns that mimic trusted brands and lure victims into sharing sensitive information. These attacks leverage sophisticated tactics, such as session hijacking and data exfiltration, to bypass traditional security measures.
Below are a few examples illustrating common phishing techniques used by these PhaaS platforms.
DocuSign-Themed Phishing Email
In this example, we see an email that’s crafted to look like a contract agreement that needs to be signed via Docusign.
When the recipient clicks the “View Document” link, it takes them to a fake Microsoft login panel with a built-in reCAPTCHA—not something Microsoft normally includes in their sign-in page.
The entire login is proxied via the compromised domain you see at the top of the browser. The threat actor simply steals the session cookie after login (despite the use of MFA), which gives them the same access to the M365 account as the victim.
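As an added illustration of what this leaves for defenders (example code written for this post, not an Abnormal or Microsoft detection): a check over constructed sign-in and activity events that flags a session cookie used from a different network or browser shortly after the MFA sign-in that created it. The event field names, ASNs and user-agent strings are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, user, session, ip, asn, ua, action):
    return {"ts": ts, "user": user, "session": session, "ip": ip, "asn": asn, "ua": ua, "action": action}

# Constructed sign-in and activity events (not real logs). sess-A follows the pattern
# above: MFA completes through the proxy, then the same session cookie is replayed
# minutes later from another network and browser. sess-B is a benign address change
# inside one ASN (e.g. a laptop roaming on a single carrier) and must not alert.
EVENTS = [
    ev("2024-05-01T09:00:00", "alice", "sess-A", "198.51.100.7", "AS64500", "Chrome/124 Windows", "signin_mfa_success"),
    ev("2024-05-01T09:01:30", "alice", "sess-A", "198.51.100.7", "AS64500", "Chrome/124 Windows", "mail_read"),
    ev("2024-05-01T09:06:00", "alice", "sess-A", "203.0.113.42", "AS64511", "Firefox/115 Linux", "inbox_rule_create"),
    ev("2024-05-01T10:00:00", "bob", "sess-B", "192.0.2.20", "AS64496", "Edge/124 Windows", "signin_mfa_success"),
    ev("2024-05-01T10:20:00", "bob", "sess-B", "192.0.2.21", "AS64496", "Edge/124 Windows", "mail_read"),
]

def detect_session_reuse(events, window=timedelta(minutes=30)):
    """Alert when a session minted by an MFA sign-in is used from a different ASN
    or browser within `window`: MFA was satisfied once, by the victim, yet the
    resulting session is now being driven from somewhere else."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        origin = next((e for e in evs if e["action"] == "signin_mfa_success"), None)
        if origin is None:
            continue
        t0 = datetime.fromisoformat(origin["ts"])
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if t <= t0 or t - t0 > window:
                continue
            reasons = []
            if e["asn"] != origin["asn"]:
                reasons.append("asn_changed")
            if e["ua"] != origin["ua"]:
                reasons.append("user_agent_changed")
            if reasons:
                alerts.append({"user": e["user"], "session": sid, "ts": e["ts"],
                               "ip": e["ip"], "action": e["action"], "reasons": reasons})
    return alerts
```

Because the login itself is proxied, the sign-in IP the identity provider records belongs to the proxy rather than the victim, so comparing it against the user's usual networks is a second signal worth adding.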
Malicious HTML Attachments
Another common tactic involves phishing emails with HTML attachments, often disguised as documents such as fax messages, payment confirmations, or invoices. These attachments are carefully crafted to evade traditional email security filters and lure recipients into opening them.
Opening the attachment and entering some dummy login credentials triggers a script that posts the payload to a Telegram bot and includes not only my test username/password but also my current location, IP address and browser details (payload in Figure 11 below).
This data is likely harvested by the threat actor, via the PhaaS platform, to track who is clicking and from where.
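Here is an added example of the kind of attachment triage that catches this (written for this post, not a PhaaS platform's or a vendor's code): a scanner that peels base64-wrapped HTML and looks for the credential form, the Telegram bot endpoint and the geolocation lookup, run on a constructed attachment that carries a placeholder bot token and no exfiltration logic.

```python
import base64
import re

# Indicator patterns. Telegram's bot API is a common exfiltration channel for HTML
# credential harvesters; public IP-geolocation services supply the victim's location.
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot[^\"'\s/]+/send\w+", re.I)
GEO_RE = re.compile(r"\b(ipapi\.co|ip-api\.com|ipinfo\.io)\b", re.I)
PASSWORD_RE = re.compile(r"<input[^>]+type\s*=\s*[\"']?password", re.I)
BRAND_RE = re.compile(r"\b(microsoft|office ?365|sharepoint|docusign)\b", re.I)
ATOB_RE = re.compile(r"atob\(\s*[\"']([A-Za-z0-9+/=]{40,})[\"']\s*\)")

def decode_layers(html, max_depth=3):
    """Peel base64 payloads wrapped in atob(...) so indicators hidden in the
    encoded layer are scanned too (the 'encoded HTML attachment' case)."""
    layers = [html]
    for _ in range(max_depth):
        decoded = []
        for blob in ATOB_RE.findall(layers[-1]):
            try:
                decoded.append(base64.b64decode(blob).decode("utf-8", "replace"))
            except ValueError:
                continue
        if not decoded:
            break
        layers.append("\n".join(decoded))
    return layers

def scan_html_attachment(html):
    """Return the indicators found across all decoded layers and a verdict."""
    layers = decode_layers(html)
    text = "\n".join(layers)
    indicators = [name for name, rx in (("password_form", PASSWORD_RE),
                                        ("telegram_bot_exfil", TELEGRAM_RE),
                                        ("geolocation_lookup", GEO_RE),
                                        ("brand_lure", BRAND_RE)) if rx.search(text)]
    if len(layers) > 1:
        indicators.append("base64_layer")
    phish = "password_form" in indicators and (
        "telegram_bot_exfil" in indicators or "brand_lure" in indicators)
    return {"indicators": indicators, "verdict": "phishing" if phish else "clean"}

# Constructed sample attachment (not a real lure): a base64-wrapped "Microsoft 365" form
# whose script holds only the strings a scanner keys on, with a placeholder bot token.
_INNER = ('<h2>Microsoft 365 - Fax received</h2>'
          '<form><input name="u"><input type="password" name="p"></form>'
          '<script>var hook="https://api.telegram.org/bot0000000000:PLACEHOLDER/sendMessage";'
          'var geo="https://ipapi.co/json/";</script>')
SAMPLE_ATTACHMENT = ('<html><body><script>document.write(atob("%s"))</script></body></html>'
                     % base64.b64encode(_INNER.encode()).decode())
```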
Navigating the Future of PhaaS Threats
The rise of phishing-as-a-service (PhaaS) is a stark reminder of how cybercriminals are leveraging innovation to stay ahead of traditional defenses. By commoditizing phishing campaigns, PhaaS platforms lower the barrier to entry for attackers, resulting in a surge of sophisticated threats.
As this series continues, we’ll explore more about how these platforms operate, the techniques they use, and what organizations can do to protect themselves. Stay tuned for the next post in the Account Compromise Arms Race series where we will delve deeper into “phish-resistant” authentication methods and explore just how phish-resistant they actually are.
Interested in learning about how Abnormal can protect your organization from advanced phishing attacks? Schedule a demo today!