In one cybersecurity firm’s Jan/Feb 2025 incidence metrics, attacks originating from Phishing-as-a-Service threat groups had surged in its global user base
In the first few months of 2025, a cybersecurity firm had registered a massive spike in Phishing-as-a-service (PhaaS) attacks targeting its protection ecosystem around the world.
Amid the more-than-a-million attacks detected, three PhaaS groups were the most prominent: Tycoon 2FA (89%), EvilProxy (8%), and Sneaky 2FA (3%).
According to Saravanan Mohankumar, Threat Analyst, Barracuda, the firm reporting the PhaaS trend in its user base: “The platforms that power PhaaS are increasingly complex and evasive, making phishing attacks both harder for traditional security tools to detect and more powerful in terms of the damage they can do. An advanced, multi-layered defence strategy with AI/ML enabled detection, combined with a strong security culture and consistent security access and authentication policies, can help to protect organizations and employees against (such) attacks.”
Here are the profiles of the three threat groups:
- Tycoon 2FA: rapid innovation in evasion tools
Since its early visibility in January 2025, the threat group has continued to develop and enhance its evasive tactics, becoming even harder to detect:
- The code script for credential theft and exfiltration is now encrypted and obfuscated using a substitution cypher, and sometimes an invisible character (known as a Hangul Filler).
- The new and enhanced script can identify a victim’s browser type to help with attack customization and features links to the Telegram service that can be used to secretly send stolen data to attackers.
- The script also enables parts of a web page to be updated independently of the rest of the page, and can include AES encryption to disguise credentials before exfiltrating them to a remote server. All this makes detection by security tools far more difficult.
- EvilProxy: a dangerously accessible tool
This group’s attacks can be implemented with minimal technical expertise. It targets widely used services such as Microsoft 365, Google, and other cloud-based platforms, tricking victims into entering their credentials into seemingly legitimate login pages. The source code used by EvilProxy for its phishing webpage closely matches that of the original Microsoft login page. This makes it difficult to distinguish the malicious site from the original (legitimate) website.
- Sneaky 2FA: It fills-in the phishing form for victims
This is a platform for Adversary-in-the-Middle attacks targeting Microsoft 365 accounts in search of credentials and access. Like Tycoon 2FA, it leverages the messaging platform Telegram. Sneaky 2FA checks to make sure the user is a legitimate target and not a security tool, bot or other adversary: if this is the case, the “victim” is redirected to a harmless site elsewhere, before pre-filling the fake phishing page with the victim’s email address by abusing Microsoft 365’s autograb functionality.
- A login page includes a “.ru” top-level domain (the last part of a URL), and the victim’s email ID is embedded in the phishing URL either in the form of plain text or Base64-encoded. This could indicate a Tycoon 2FA attack.
- EvilProxy attacks are harder to detect because they use a random URL. However, check the Microsoft/Google login page URL to make sure it is legitimate and not spoofed. Another giveaway is unusual multi-factor authentication prompts that appear even when no login is actually being attempted.
- Check if the webpage URL contains a 150 alphanumeric string followed by either /verify, /index, or /validate at the end of the URL. This is a clue to the presence of Sneaky 2FA.
According to Barracuda experts, people can spot PhaaS attacks from the above groups in the following instances, and avoid entering credentials into the phishing page:
- Sneaky 2FA: It fills-in the phishing form for victims