The Phishing-as-a-Service Economy: How $50 Buys a Cyberattack in 2026

Cybercrime Has a Customer Success Team

In 2015, launching a phishing campaign required technical skill. You needed to register a convincing domain, build a credential-harvesting web page, configure an email server, craft a convincing lure, and figure out how to receive and use the stolen credentials — all while evading spam filters and takedown notices. The barrier to entry was significant.

In 2026, you open Telegram, search for a phishing-as-a-service (PhaaS) provider, pay $50-$200 in cryptocurrency, and receive a fully operational phishing platform: pre-built landing pages mimicking Microsoft 365, Google Workspace, or banking portals; an adversary-in-the-middle (AiTM) reverse proxy that intercepts MFA tokens in real time; automated email delivery with templates designed to bypass spam filters; a dashboard showing captured credentials, session tokens, and victim activity; and — in some cases — customer support via chat.

The industrialization of phishing is the defining trend in cybercrime in 2026. Phishing remains one of the top three initial access vectors for data breaches — the Verizon DBIR 2025 found phishing present in 16% of breaches, with social engineering broadly implicated in roughly one quarter of all incidents and the human element involved in 60% of confirmed breaches. The reason phishing remains so persistent is simple: PhaaS has reduced the cost and skill required to launch sophisticated phishing attacks to near zero.

How PhaaS Platforms Work

A modern PhaaS platform is architecturally similar to a legitimate SaaS application. The components include:

The Reverse Proxy (AiTM Engine)

The most dangerous innovation in modern phishing is the adversary-in-the-middle (AiTM) reverse proxy. Traditional phishing captured usernames and passwords — but MFA made stolen passwords alone insufficient. AiTM phishing solves this by acting as a transparent proxy between the victim and the real login page.

Here is the flow:

1. The victim clicks a phishing link and lands on a page that looks identical to (for example) the Microsoft 365 login page.
2. The victim enters their username and password. The PhaaS platform forwards these credentials to the real Microsoft 365 login page in real time.
3. Microsoft 365 prompts for MFA. The prompt is relayed back to the victim, who approves it (push notification, SMS code, or authenticator app).
4. Microsoft 365 issues a session token. The PhaaS platform captures this token and delivers it to the attacker.
5. The attacker uses the captured session token to log in as the victim — without needing the password or MFA again.

This technique defeats SMS-based MFA, app-based TOTP codes, and even push notification MFA. The only MFA method that reliably resists AiTM phishing is hardware security keys (FIDO2/WebAuthn), because the authentication is bound to the legitimate domain — a phishing proxy on a different domain cannot intercept the cryptographic handshake.

Pre-Built Templates

PhaaS platforms provide professionally designed phishing pages for hundreds of targets: Microsoft 365, Google Workspace, Okta, Salesforce, banking portals, social media platforms, cryptocurrency exchanges, and government services. Templates are continuously updated to match the latest design changes on the real sites.

Some platforms offer “brand kits” — complete phishing campaigns for specific targets including email templates, landing pages, and post-compromise scripts (automatically forwarding the victim’s email, creating inbox rules to hide security alerts, exfiltrating address books for further targeting).

Email Delivery Infrastructure

Sophisticated PhaaS platforms include their own email delivery infrastructure — or integrate with compromised legitimate email accounts and domains. Using compromised legitimate accounts for phishing dramatically increases deliverability because the sending domain has established reputation and passes SPF/DKIM/DMARC authentication.

Some platforms specialize in “business email compromise” (BEC) delivery, using compromised executive accounts to send phishing emails to employees within the same organization — the most trusted and least filtered communication channel.

The Dashboard

Attackers interact with their PhaaS platform through a web dashboard that provides real-time analytics: how many emails were sent, how many were opened, how many victims clicked the link, how many entered credentials, which credentials include valid session tokens, and which accounts have been successfully accessed. The experience is indistinguishable from a legitimate marketing automation platform.

The Major PhaaS Platforms of 2025-2026

EvilProxy — The most prominent AiTM PhaaS platform, offering reverse-proxy phishing against Microsoft 365, Google, Apple, Facebook, GitHub, and others. Subscription pricing is tiered: approximately $150 for 10 days, $250 for 20 days, or $400 for a full month, with Google account attacks costing more ($250/$450/$600). EvilProxy remains actively operational — Okta Threat Intelligence identified a high-volume campaign leveraging EvilProxy since at least March 2025, targeting finance, government, healthcare, and technology organizations.

Greatness — A Microsoft 365-focused PhaaS platform that provides AiTM proxy capabilities, pre-filled victim email addresses on the phishing page (increasing credibility), and MFA token capture. Subscription pricing around $120/month.

NakedPages — A PhaaS platform offering phishing kits with anti-bot protections (CAPTCHAs, browser fingerprinting) designed to prevent security researchers from analyzing the phishing infrastructure. NakedPages has maintained approximately 220 active servers as of early 2025 and consistently ranks among the top five most active AiTM kits.

Caffeine — Distinguished by its open registration model (no invitation or vetting required). Unlike many PhaaS competitors, Caffeine charges a premium: $250/month for a basic subscription, roughly 3-5 times the cost of more basic PhaaS platforms that start at $50-$80/month. Caffeine targeted Russian and Chinese platforms in addition to Western services, suggesting a broader geographic scope than most AiTM kits.

W3LL Panel — Discovered by Group-IB in 2023, W3LL operated a private marketplace with at least 500 threat actor customers, selling phishing tools that were used to target over 56,000 corporate Microsoft 365 accounts between October 2022 and July 2023, successfully compromising at least 8,000 of them. W3LL’s tools included AiTM capabilities and automated business email compromise workflows, generating an estimated $500,000 in illicit profits for its operators.

The Supply Chain: Dark Web Marketplaces

PhaaS platforms are part of a broader cybercrime supply chain that operates through dark web marketplaces, Telegram channels, and closed forums:

Initial access brokers (IABs) sell access to compromised organizations — a working VPN credential, a remote desktop session, a web shell on a corporate server. PhaaS operators sell stolen credentials to IABs, who sell access to ransomware groups, who encrypt the victim’s systems and demand payment. Each actor specializes in one step of the kill chain.

Credential marketplaces (Russian Market, Genesis Market successor sites) sell stolen credentials in bulk — username/password combinations harvested by information-stealing malware (Redline, Raccoon, Vidar). These credentials are often used to seed PhaaS campaigns (sending phishing emails from compromised accounts) or to directly access accounts without phishing.

Bulletproof hosting providers offer infrastructure (domains, servers, IP addresses) that ignores takedown requests and abuse complaints, providing the persistent infrastructure that PhaaS platforms need to operate.

The economics are compelling. A PhaaS subscription costs $50-$400/month. A successful business email compromise (redirecting a single wire transfer) yields $50,000-$500,000. The return on investment is extraordinary, and the risk of prosecution is low — most PhaaS operators are in jurisdictions (Russia, North Korea, parts of Southeast Asia) where law enforcement cooperation with Western countries is minimal.

Defensive Evolution: Beyond Traditional Anti-Phishing

Traditional anti-phishing defenses — spam filters, URL reputation databases, user training — remain necessary but are increasingly insufficient against PhaaS-powered attacks.

FIDO2/WebAuthn (Passkeys): The strongest defense against AiTM phishing. Hardware security keys (YubiKey) or platform authenticators (Face ID, Windows Hello) perform domain-bound authentication that cannot be intercepted by a reverse proxy. Google reported zero successful phishing attacks against its 85,000+ employees after mandating hardware security keys in early 2017 — a result that held for over a year, as reported by Krebs on Security in mid-2018. Microsoft, Apple, and Google are now pushing passkeys as the default authentication method.

Conditional Access policies: Even if credentials and session tokens are stolen, conditional access policies can limit damage by restricting access based on device compliance, geographic location, risk score, and other signals. A session token captured by a PhaaS proxy will originate from the attacker’s device and IP address — conditional access policies can detect and block this.

Token theft detection: Microsoft Entra ID and other identity providers are adding detection for token theft — identifying when a session token is used from a device or location different from where it was originally issued.

AI-powered email filtering: Next-generation email security platforms (Abnormal Security, Proofpoint, Mimecast) use AI to analyze email content, sender behavior, and communication patterns to detect phishing — including BEC attacks that contain no malicious links or attachments.

Phishing-resistant MFA mandates: CISA’s guidance now explicitly recommends “phishing-resistant MFA” (FIDO2/WebAuthn) rather than generic MFA. The distinction matters because push notification MFA and TOTP codes are vulnerable to AiTM attacks.

The AI Amplifier

Generative AI is supercharging phishing in several ways:

Perfect language: Phishing emails with grammatical errors and awkward phrasing were easy to spot. AI-generated phishing emails are grammatically perfect, contextually appropriate, and stylistically matched to the organization being impersonated.

Personalization at scale: AI can analyze a target’s LinkedIn profile, recent posts, and public information to craft highly personalized spear-phishing emails — “Hi Sarah, congratulations on the Q3 earnings call last week. I wanted to follow up on the vendor discussion we had at the board meeting…” This level of personalization previously required manual research for each target.

Voice cloning and deepfakes: AI voice cloning enables “vishing” (voice phishing) at scale. Attackers clone a CEO’s voice from public recordings and call the CFO requesting an urgent wire transfer. In early 2024, a finance worker at the British engineering firm Arup, based in Hong Kong, transferred approximately $25.6 million (HK$200 million) across 15 transactions after a video call with what appeared to be the company’s CFO and several colleagues — all were AI deepfake recreations generated from publicly available recordings.

Automated campaign optimization: AI can A/B test phishing lure effectiveness, optimize send times, and adapt campaigns in real time based on engagement metrics — applying the same data-driven optimization that legitimate marketers use.

Frequently Asked Questions

Sources & Further Reading

• Verizon — 2025 Data Breach Investigations Report
• Microsoft — AiTM Phishing Attack Analysis
• Group-IB — W3LL Phishing Empire
• CISA — Phishing-Resistant MFA Guidance
• Krebs on Security — Google: Security Keys Neutralized Employee Phishing
• Okta — EvilProxy Phishing Campaign Analysis
• CNN — Arup Deepfake Scam Hong Kong
• Proofpoint — State of the Phish 2025
• Abnormal Security — Email Threat Report
• FIDO Alliance — Passkeys