In the first two months of 2025, Barracuda detection systems blocked over a million phishing attacks by prominent Phishing-as-a-Service (PhaaS) platforms. A new report on the tools and techniques used in the attacks highlights how PhaaS platforms are evolving rapidly to become more dangerous and evasive. Many target users of popular cloud-based platforms such as Microsoft 365.
Most (89%) of the detected incidents involved the sophisticated Tycoon 2FA, followed by EvilProxy, which accounted for 8% of attacks, and the newcomer, Sneaky 2FA, which was behind 3% of the incidents.
The three platforms have different and distinct toolsets, with some common elements such as the use of the Telegram messaging service to further attacks.
Tycoon 2FA – rapid innovation in evasion tools
Barracuda threat analysts reported on Tycoon 2FA in January 2025. Since then, the platform has continued to develop and enhance its evasive tactics, becoming even harder to detect.
Among other upgrades, the code script for credential theft and exfiltration is now encrypted and obfuscated using a substitution cypher and sometimes an invisible character (known as a Hangul Filler).
The new and enhanced script can identify a victim’s browser type to help with attack customization and features links to the Telegram service that can be used to secretly send stolen data to attackers.The script also enables parts of a web page to be updated independently of the rest of the page and includes AES encryption to disguise credentials before exfiltrating them to a remote server. All this makes detection by security tools far more difficult.
EvilProxy – a dangerously accessible tool
EvilProxy attacks can be implemented with minimal technical expertise. It targets widely used services such as Microsoft 365, Google, and other cloud-based platforms, tricking victims into entering their credentials into seemingly legitimate login pages.
The source code used by EvilProxy for its phishing webpage closely matches that of the original Microsoft login page. This makes it difficult to distinguish the malicious site from the original, legitimate website.
Sneaky 2FA fills in the phish form for victims
The third most prominent PhaaS in early 2025 was Sneaky 2FA, the platform for adversary-in-the-the-middle (AiTM) attacks targeting Microsoft 365 accounts in search of credentials and access. Like Tycoon 2FA, it leverages the messaging platform Telegram.
Sneaky 2FA checks to make sure the user is a legitimate target and not a security tool, bot or other adversary – if this is the case, the “victim” is redirected to a harmless site elsewhere – before pre-filling the fake phishing page with the victim’s email address by abusing Microsoft 365’s ‘autograb’ functionality.
“The platforms that power phishing-as-a-service are increasingly complex and evasive, making phishing attacks both harder for traditional security tools to detect and more powerful in terms of the damage they can do,” said Saravanan Mohankumar at Barracuda. “An advanced, multilayered defense strategy with AI/ML enabled detection, combined with a strong security culture and consistent security access and authentication policies, will help to protect organizations and employees against PhaaS based attacks.”
