Phishing as a service turns sophisticated attacks into a subscription product. For the brands being impersonated in these campaigns, the threat is not just the phishing. It is the fact that your name is being sold as a template.
Phishing as a service, or PhaaS, is a subscription-based model where developers build and sell ready-to-use phishing infrastructure to other criminals. The buyers do not need to register domains, build credential-harvesting pages, or configure mail delivery. They subscribe, choose a target, select a brand template, and launch. The model mirrors legitimate software-as-a-service in structure: tiered pricing, customer support, dashboards for managing campaigns, and regular updates to evade detection.
The scale of what these platforms produce has become visible through law enforcement actions and industry research. The FBI’s investigation of the LabHost platform found approximately 10,000 users operating 42,000 phishing domains between 2021 and 2024. Microsoft reported that a single platform, Tycoon 2FA, was responsible for tens of millions of fraudulent emails reaching over 500,000 organizations per month, accounting for roughly 62% of all phishing attempts Microsoft blocked by mid-2025. When a coordinated takedown seized over 300 Tycoon 2FA domains in March 2026, the platform had accumulated approximately 2,000 criminal subscribers and more than 24,000 registered domains since August 2023.
These are not isolated tools. They are businesses, and they are growing. Trellix research documented the proliferation of PhaaS platforms across the threat landscape, identifying more than a dozen active offerings with distinct specializations, pricing models, and customer bases. The question for security teams is no longer whether PhaaS exists. It is what to do about the fact that attacking your organization, or impersonating your brand, is now available as a managed service.
How phishing as a service works
A PhaaS platform packages the components of a phishing operation into a product that subscribers deploy without building anything themselves.
The core of most platforms is a template library. Developers create replicas of legitimate login pages for widely used services, most commonly Microsoft 365, but also Google Workspace, banking portals, HR and benefits platforms, and SaaS applications. The templates are designed to be visually indistinguishable from the real pages they imitate. Subscribers select a template, configure it for their target, and the platform handles hosting, domain rotation, and delivery.
More advanced platforms include adversary-in-the-middle capabilities that capture not just passwords but the session tokens minted after multi-factor authentication completes. This means the phishing page does not simply collect credentials. It relays them to the legitimate service in real time, captures the authenticated session, and hands it to the attacker. Push notifications, SMS codes, and authenticator app tokens all pass through. The Allure Security research team documented this pattern in a recent campaign where benefits-themed lure pages captured Microsoft 365 session tokens through an AiTM relay, giving attackers access to email, files, Teams, and every SSO-linked application behind the stolen identity.
The operational infrastructure is equally commoditized. Platforms automate domain registration, rotate hosting to evade blocklists, provide email delivery at scale, and offer real-time dashboards where subscribers monitor active campaigns and review captured credentials. Some platforms distribute through carrier-native messaging channels: Netcraft reported that the Lucid and Lighthouse platforms were linked to more than 17,500 phishing domains targeting 316 brands across 74 countries, with Lighthouse offering subscription pricing from $88 per week to $1,588 per year.
The result is that launching a phishing campaign no longer requires technical skill. It requires a subscription and a target. The Darcula smishing platform charges roughly $250 per month. Some platforms offer entry tiers for less than the cost of a legitimate business SaaS subscription. The economics have inverted: building phishing infrastructure from scratch is now the expensive, inefficient option.
Why your brand is the product being sold
Most coverage of PhaaS focuses on the threat to organizations whose employees might click a phishing link. That threat is real, but it obscures a second dimension that receives far less attention: the brands being impersonated in the template libraries are themselves victims of these platforms.
A PhaaS developer does not build a generic phishing page. They build a replica of a specific brand’s login experience, package it as a selectable option in a dashboard, and sell access to it. Sekoia’s analysis of the PhaaS ecosystem found that platforms routinely include financially themed pages impersonating banks, benefits providers, and enterprise SaaS applications. The Tycoon 2FA kit included templates impersonating DocuSign, Microsoft, Adobe, and others, with HR, financial, and security-themed lures designed to trick targets into sharing credentials.
For the brand being impersonated, this creates a problem that traditional brand protection was not built for. The impersonation is not a single fraudulent site that can be identified and taken down. It is a template that generates new instances every time a subscriber launches a campaign. Each instance appears on a different domain, behind different infrastructure, often protected by cloaking that makes the page invisible to security scanners while fully functional for victims. Taking down one instance does not affect the template. The next subscriber spins up a new one.
The Darcula platform illustrates the scale. Specializing in smishing, Darcula maintained more than 20,000 counterfeit domains and over 200 brand templates, impersonating global brands through iMessage and RCS to bypass traditional SMS filtering. When one campaign was disrupted, the same templates generated new domains within days.
What PhaaS means for detection and response
The PhaaS model changes the math on phishing response in ways that matter for how organizations think about defense.
Takedown speed becomes more important and less sufficient simultaneously. It is more important because every PhaaS-generated instance follows the same victim-arrival pattern: 75% of victims who will ever visit a fraudulent page arrive within ten hours. It is less sufficient because removing one instance does not remove the template, and the operator can redeploy on new infrastructure faster than most takedown processes can complete.
The downstream consequences compound quickly. A credential harvested through a PhaaS page becomes an account takeover. An account takeover becomes a platform for business email compromise, fraudulent wire transfers, or lateral phishing that reaches deeper into the organization. In some cases, stolen credentials are sold to initial access brokers who resell them to ransomware operators. PhaaS is not just a phishing problem. It is the supply chain for nearly every other form of intrusion, and the brands being impersonated in the lure pages are the front door.
Detection needs to shift from individual sites to campaign patterns. A single phishing page is a data point. A cluster of pages sharing the same kit fingerprint, URL path structure, or token grammar is a campaign. The clustering approach we use in our own research, grouping detections by shared signals across tenants and industry peers, is designed for this kind of threat: identifying the campaign behind the page so that a takedown can target the full set rather than one instance at a time.
And the brands being impersonated need to treat PhaaS as an ongoing exposure, not an incident. If your login page exists as a template in a criminal marketplace, the threat does not end when one campaign is disrupted. It continues for as long as the template is in circulation. Monitoring for new instances, tracking the kit fingerprints that identify your brand’s template, and responding to each generation is the operational reality PhaaS creates.
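The campaign-level clustering described above, as an added Python example that is not code from the original post or from Allure Security: detections are linked when they share a kit fingerprint or a templated URL path grammar, so cloaked pages that only yielded a URL still join the campaign their path structure reveals. All domains, fingerprints and tenant names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample detections (hypothetical .test domains and fingerprints, not real indicators).
# kit_fp stands in for a hash of the kit's static resources; None means the page was cloaked.
DETECTIONS = [
    {"id": 1, "tenant": "acme",    "kit_fp": "kit-A", "url": "https://hr-benefits-update.test/a9f3c2d1e8b7/login.php"},
    {"id": 2, "tenant": "globex",  "kit_fp": "kit-A", "url": "https://open-enrollment-notice.test/7c4e91ab0d2f/login.php"},
    {"id": 3, "tenant": "acme",    "kit_fp": "kit-A", "url": "https://secure-docs-review.test/review/5f1e2d3c4b5a/login.php"},
    {"id": 4, "tenant": "initech", "kit_fp": None,    "url": "https://benefits-portal-auth.test/c0ffee123456/login.php"},
    {"id": 5, "tenant": "globex",  "kit_fp": "kit-B", "url": "https://account-verify-center.test/verify/20481/"},
    {"id": 6, "tenant": "initech", "kit_fp": "kit-B", "url": "https://account-verify-center.test/verify/77312/"},
    {"id": 7, "tenant": "acme",    "kit_fp": None,    "url": "https://some-unrelated-site.test/login"},
]
HEX = re.compile(r"^[0-9a-f]{8,}$")

def classify(segment):
    """One path segment -> grammar token: keep words, abstract per-instance values."""
    name, _, ext = segment.partition(".")
    token = "{num}" if name.isdigit() else "{hex}" if HEX.match(name) else name.lower()
    return token + ("." + ext if ext else "")

def path_grammar(url):
    """Reduce a URL path to its structural template, e.g. /{hex}/login.php."""
    return "/" + "/".join(classify(p) for p in urlparse(url).path.split("/") if p)

def cluster(detections):
    """Union-find: detections sharing a kit fingerprint or a templated path grammar form one campaign."""
    parent = {d["id"]: d["id"] for d in detections}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    by_signal = defaultdict(list)
    for d in detections:
        if d["kit_fp"]:
            by_signal[("kit", d["kit_fp"])].append(d["id"])
        grammar = path_grammar(d["url"])
        if "{" in grammar:  # a plain /login links nothing; a templated path like /{hex}/login.php does
            by_signal[("grammar", grammar)].append(d["id"])
    for ids in by_signal.values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    groups = defaultdict(list)
    for d in detections:
        groups[find(d["id"])].append(d["id"])
    return sorted(sorted(g) for g in groups.values())
```

Detection 4 has no fingerprint because the page was cloaked, yet it lands in the kit-A campaign through its `/{hex}/login.php` grammar, which is the cross-tenant view a single-site takedown never gives.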
The Bottom Line
Phishing as a service has turned brand impersonation into a subscription product. The platforms that power it are not tools for individual attackers. They are businesses with customers, pricing tiers, template libraries, and support channels. For the brands whose login pages appear in those libraries, the threat is not a single phishing site. It is an indefinitely renewable template that generates new instances with every subscriber, on new domains, behind new infrastructure, faster than most organizations can respond. The defensive response has to match the model: not incident-by-incident takedowns, but campaign-level detection that identifies the template, clusters the instances, and responds to the pattern rather than the page.
Key Takeaways
PhaaS is a subscription-based model where developers build and sell ready-to-use phishing infrastructure to other criminals. Subscribers select brand templates, configure targets, and launch campaigns without building anything themselves. The model includes tiered pricing, dashboards, customer support, and regular updates.
The FBI found 10,000 users and 42,000 domains on a single platform (LabHost). Microsoft reported that Tycoon 2FA alone was responsible for 62% of all phishing attempts it blocked, reaching 500,000+ organizations per month. Researchers estimate 30% of credential attacks involved PhaaS in 2024, with 50% expected by 2025.
Advanced platforms include adversary-in-the-middle capabilities that relay credentials and MFA challenges to the legitimate service in real time, capturing the session token after authentication completes. Push notifications, SMS codes, and authenticator apps all pass through the relay.
Your brand’s login page may exist as a selectable template in a criminal marketplace. Each time a subscriber launches a campaign using that template, a new impersonation instance appears on new infrastructure. Taking down one instance does not affect the template that generates the next.
Deploy phishing-resistant MFA (FIDO2/WebAuthn, passkeys) to defeat AiTM relays. For brands being impersonated, shift from individual-site takedowns to campaign-level detection that identifies shared kit fingerprints and clusters instances for coordinated response. Monitor for new instances continuously, because the template does not expire when one campaign is disrupted.
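To show why the phishing-resistant MFA recommendation holds against the AiTM relay described earlier, here is an added Python example (not code from the original post or from Allure Security) of the origin and RP ID checks a WebAuthn relying party performs before verifying the signature. The RP ID, allowed origins, challenge and the lookalike .test domain are constructed, and the signature verification that follows these checks is omitted.

```python
import base64
import hashlib
import json

# Hypothetical relying party (the real login page) and the origins it will accept.
RP_ID = "login.example"
ALLOWED_ORIGINS = {"https://login.example"}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_assertion(client_data_json, authenticator_data, expected_challenge):
    """RP-side checks that make a relayed assertion useless; the signature check over
    authenticator_data || sha256(client_data_json) would follow and is omitted here."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "type mismatch"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return "origin rejected: " + str(cd.get("origin"))
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return "user presence flag not set"
    return "ok"

# Constructed stand-ins for what the browser (clientDataJSON) and authenticator produce.
def make_client_data(origin, challenge):
    return json.dumps({"type": "webauthn.get",
                       "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
                       "origin": origin}).encode()

def make_authenticator_data(rp_id, flags=0x05):  # UP | UV set, signature counter 0
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")

CHALLENGE = b"\x11" * 32  # constructed; a real RP issues a fresh random challenge per login

def legitimate_login():
    return check_assertion(make_client_data("https://login.example", CHALLENGE),
                           make_authenticator_data("login.example"), CHALLENGE)

def relayed_login():
    # The victim's browser is on the lookalike page (hypothetical .test domain), so the client
    # data carries that origin and the authenticator scopes the assertion to that domain, even
    # though the AiTM proxy forwarded the RP's real challenge unchanged.
    return check_assertion(make_client_data("https://login-example.test", CHALLENGE),
                           make_authenticator_data("login-example.test"), CHALLENGE)
```

The relayed assertion fails on origin (and would also fail on rpIdHash) regardless of how faithfully the proxy forwards traffic, which is the property that a one-time code relayed through the same proxy lacks.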