Phishing Kits Doubled in 2025, Reveals Barracuda’s Annual Threat Review

In 2025, the number of known phishing-as-a-service (PhaaS) kits doubled, increasing the pressure on security teams trying to defend against this ever-evolving threat, according to Barracuda’s phishing review of 2025.

Aggressive newcomers such as Whisper 2FA and GhostFrame introduced inventive and evasive tools and tactics, including a suite of techniques to prevent analysis of their malicious code, while established groups such as Mamba and Tycoon continued to evolve and thrive. Each kit was behind millions of attacks.

According to Barracuda’s analysis, the most prevalent tools and techniques used by phishing kits in 2025 were:

  • Multifactor authentication bypass, seen in 48% of attacks.
  • URL obfuscation techniques, also seen in 48%.
  • The abuse of CAPTCHA for evasion, which featured in 43% of all attacks.
  • Polymorphic techniques and the use of malicious QR codes, each seen in 20% of attacks.
  • Malicious attachments, used in 18% of all attacks.
  • The abuse of trusted online platforms (seen in 10% of attacks) and the use of generative AI tools such as zero-code development sites (also 10%).

The main themes used for phishing emails are remarkably similar to those of previous years, although they have evolved with time thanks to the use of generative AI and other tools.

In 2025, one in five (19%) phishing emails related to payment and invoice scams. Digital signature and document review emails accounted for 18% of attacks, with HR-related documents featuring in 15%. Many exploited trusted brand names, mimicking websites and logos with increasing accuracy.

“Phishing kits shifted up another level in 2025 as they increased in number and sophistication, bringing advanced, full-service attack platforms to even less-skilled cybercriminals and enabling them to launch powerful attacks at scale,” said Ashok Sakthivel, Director, Software Engineering at Barracuda. “The kits feature techniques designed to make it harder for users and security teams to detect and prevent fraud. To stay protected, organizations need to move past static defenses and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and to ensure email security sits at the heart of an integrated, end-to-end security strategy.”


Disclaimer: The above press release has been provided by V360 Group. CXO Digital Pulse holds no responsibility for its content in any manner.
Reproduction or Copying in part or whole is not permitted unless approved by author.
