Security firm Barracuda has reported over a million phishing-as-a-service (PhaaS) attacks in 2025.
These attacks were powered by known platforms such as Tycoon 2FA and EvilProxy, with the emergence of a new threat, Sneaky 2FA, highlighting the rapid evolution of phishing tools.
Tycoon 2FA was the most prominent and sophisticated PhaaS platform active in early 2025 and accounted for 89% of the PhaaS attacks. EvilProxy has a share of 8% and Sneaky 2FA had a share of 3% of attacks.
The platforms that power PhaaS are increasingly complex and evasive, Barracuda noted. This makes phishing attacks both harder for traditional security tools to detect and more powerful in terms of the damage they can do.
Deerendra Prasad, Associate Threat Analyst at Barracuda Networks, shared findings from PhaaS activity in the first two months of 2025 in a recent blog post.
New Phishing Player Sneaky 2FA
Sneaky 2FA is known as such because it can bypass two factor authentication. The attack toolkit is sold as-a-service by the cybercrime outfit, Sneaky Log.
Sneaky 2FA leverages the messaging service Telegram and operates as a bot.
It has been used in platform for adversary-in-the-the-middle (AiTM) attacks targeting Microsoft 365 accounts in search of credentials and access.
Targets receive an email that contains a link. If they click on the link, it redirects them to a spoofed, malicious Microsoft login page. The attackers check to make sure the user is a legitimate target and not a security tool before pre-filling the fake phishing page with the victim’s email address by abusing Microsoft 365’s ‘autograb’ functionality.
No tags.
