
Phishing-as-a-Service: How AI Turned Phishing Into a Subscription Business
For most of its history, running a convincing phishing campaign took a certain amount of effort: a plausible email, a fake login page, and somewhere to collect the stolen details. That barrier has now all but disappeared. A booming criminal market known as phishing-as-a-service (PhaaS) rents the entire operation out by the month, and artificial intelligence has quietly become its most productive employee.
The short version: PhaaS platforms sell ready-made phishing campaigns on subscription, complete with polished templates, fake login pages and the infrastructure to harvest passwords and session tokens. AI now writes the lures, translates them flawlessly and helps bypass multi-factor authentication. The skill barrier has collapsed, but the defences that work against ordinary phishing still work here, provided you apply them deliberately.
Why this matters right now
This is not a niche corner of the criminal economy. Microsoft has tracked a single PhaaS platform, Tycoon2FA, that at its peak accounted for roughly 62% of all the phishing it was blocking each month: tens of millions of messages reaching more than 500,000 organisations. In late June 2026, Microsoft’s Digital Crimes Unit helped dismantle key parts of that ecosystem, but the model it pioneered is now widely copied.
The pattern keeps repeating. In April 2026 the FBI’s Internet Crime Complaint Center warned about a newer kit, Kali365, built specifically to steal Microsoft 365 access tokens and slip past multi-factor authentication. And the reason these kits sell so well is unchanged: Verizon’s 2025 Data Breach Investigations Report found that around 60% of breaches still involve a human being tricked, misusing access, or making a mistake. PhaaS is simply an efficient way to manufacture that moment of misplaced trust at scale.
What “phishing-as-a-service” actually means
Think of it as the dark mirror of the software subscriptions your business already uses. For a monthly fee, reported on some criminal forums to start at only a couple of hundred pounds, a buyer gets a dashboard, a library of brand-accurate email and login templates, hosting for the fake pages, and even customer support. The operator does not need to understand how any of it works. They pick a target, choose a template, and press send.
That division of labour is the whole point. The technical skill sits with the kit’s developers; the person running the campaign needs none of it. The result is far more attacks, launched by far more people, than the old do-it-yourself model ever allowed.
How AI turned a cottage industry into a factory
Subscription kits lowered the barrier to entry. Generative AI knocked it flat by automating the parts that used to give attackers away.
Flawless, localised lures
The clumsy grammar and odd phrasing that once betrayed a phishing email are gone. AI drafts fluent, on-brand messages in any language and tailors them to a specific company, role or recent event, such as an invoice, a policy update or a shared document, in seconds. The old advice to “look for spelling mistakes” no longer holds.
Fake pages that answer back
Kits now generate pixel-perfect sign-in pages automatically, and some bolt on AI chat that responds to a hesitant victim in real time, smoothing over doubts that would previously have ended the attack.
Real-time MFA bypass
The most capable kits act as an adversary-in-the-middle: they sit between the victim and the real service, relay the password and the one-time code the instant they are entered, and capture the session token the service issues in return. With that token, the attacker is logged in as the user, with no password prompt and no MFA challenge. Ordinary app-based and SMS codes do not stop this.
Beyond email: voice and deepfakes
The same economy now spans channels. AI voice cloning powers convincing phone-based scams, and real-time deepfake video has been used to impersonate executives on calls. In one widely reported case, a finance employee approved a multi-million transfer after a video meeting in which every other participant was synthetic.

The warning signs worth training staff to notice
Polished does not mean flawless. The tells have shifted from grammar to context and behaviour:
- An unexpected request to sign in. Being asked to authenticate after clicking a link, especially for a document or message you were not expecting, is the single most useful trigger for suspicion.
- The web address is not exactly right. Look-alike domains and extra words bolted onto a familiar brand remain the most reliable giveaway. Check the address bar before typing anything.
- Pressure to act quickly. Invoices, compliance deadlines, voicemails and “urgent” approvals are the recurring lures because urgency short-circuits judgement.
- A request that skips the usual process. A payment or credential change that bypasses normal channels deserves a second, out-of-band check, particularly if it arrives by phone or video.
What actually reduces the risk
No single control defeats PhaaS, but the controls below, layered sensibly, turn a likely breach into a blocked attempt.
1. Move to phishing-resistant MFA
FIDO2 security keys and passkeys are the strongest defence available. They are bound to the genuine web address, so a login relayed through a fake page simply fails and there is no token to steal. Prioritise administrators and other high-value accounts first.
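To make the origin-binding point concrete, here is a simplified model of a WebAuthn login ceremony, added as an illustration and not code from the article or from any vendor. It assumes constructed domain names (login.contoso.example and a look-alike) and uses HMAC as a stand-in for the authenticator's real ECDSA/Ed25519 signature; the browser-enforced origin and rpIdHash checks are what make a relayed login fail.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: HMAC stands in for the private key of one registered passkey.
CREDENTIAL_KEY = secrets.token_bytes(32)

REAL_ORIGIN, REAL_RP_ID = "https://login.contoso.example", "login.contoso.example"
LOOKALIKE_ORIGIN = "https://login-contoso.example"   # constructed look-alike domain

def browser_sign(page_origin: str, challenge: bytes) -> dict:
    """Client side. The browser, not the page, writes the origin it is really on into
    clientDataJSON and derives the RP ID from it; page JavaScript cannot override either."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    rp_id = page_origin.split("://", 1)[1].split("/")[0].split(":")[0]
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()   # first 32 bytes of authenticatorData
    to_sign = rp_id_hash + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": rp_id_hash,
            "signature": hmac.new(CREDENTIAL_KEY, to_sign, "sha256").digest()}

def relying_party_verify(assertion: dict, expected_origin: str,
                         expected_rp_id: str, issued_challenge: bytes) -> str:
    """Server side: the checks a relying party runs before accepting an assertion."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return "reject: wrong ceremony type"
    if cd.get("challenge") != issued_challenge.hex():
        return "reject: challenge mismatch (stale or replayed)"
    if cd.get("origin") != expected_origin:
        return "reject: origin mismatch (signed on another site)"
    if assertion["auth_data"][:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return "reject: rpIdHash mismatch"
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    if not hmac.compare_digest(hmac.new(CREDENTIAL_KEY, to_sign, "sha256").digest(),
                               assertion["signature"]):
        return "reject: bad signature"
    return "accept"

def demo() -> tuple:
    challenge = secrets.token_bytes(32)                 # issued by the real service
    genuine = relying_party_verify(browser_sign(REAL_ORIGIN, challenge),
                                   REAL_ORIGIN, REAL_RP_ID, challenge)
    # Relay case: the real challenge reaches the victim's browser on the look-alike page,
    # and the browser has already stamped the wrong origin into the answer it returns.
    relayed = relying_party_verify(browser_sign(LOOKALIKE_ORIGIN, challenge),
                                   REAL_ORIGIN, REAL_RP_ID, challenge)
    return genuine, relayed
```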
2. Limit what a stolen token can do
Conditional access policies that require a managed, compliant device break the attack even if a token is captured, because the attacker’s browser will not qualify. Where your identity provider supports it, enable token protection and shorten session lifetimes so a stolen session expires quickly.
3. Shrink the attack surface
Enforce email authentication (SPF, DKIM and DMARC), disable legacy protocols that ignore MFA, and be ready to revoke sessions fast during an incident. Each measure removes an option the kit relies on.
4. Watch for the tell-tale anomalies
A successful sign-in followed by activity from an unusual location or device, impossible travel, or sudden mailbox-rule changes is a classic footprint of a stolen session. Alerting on these helps you catch a compromise before it becomes fraud.
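The footprints listed above, run as detection logic over a handful of constructed sign-in and mailbox audit events (an added example, not code from the article or from any identity provider; the event fields, coordinates and thresholds are assumptions):

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900                      # faster than an airliner: cannot be the same person
NEW_DEVICE_WINDOW = timedelta(hours=1)   # inbox rule this soon after a never-seen device is suspicious

# Constructed sample events (not real logs). a.smith signs in from the office; 39 minutes later a
# "successful" sign-in from a never-seen browser on another continent creates an inbox rule that
# hides finance mail. b.jones is an ordinary baseline user.
EVENTS = [
    {"ts": "2026-05-04T08:02:11", "user": "a.smith", "op": "SignIn", "result": "Success",
     "geo": (51.50, -0.12), "device": "Windows/Edge"},
    {"ts": "2026-05-04T09:15:00", "user": "b.jones", "op": "SignIn", "result": "Success",
     "geo": (51.50, -0.12), "device": "macOS/Safari"},
    {"ts": "2026-05-04T08:41:03", "user": "a.smith", "op": "SignIn", "result": "Success",
     "geo": (40.71, -74.01), "device": "Linux/Chrome"},
    {"ts": "2026-05-04T08:47:30", "user": "a.smith", "op": "New-InboxRule", "result": "Success",
     "geo": (40.71, -74.01), "device": "Linux/Chrome", "params": "MoveToFolder=RSS Feeds;From=finance"},
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events):
    """Return (user, rule, timestamp, detail) tuples for stolen-session footprints."""
    alerts, last_signin, first_seen = [], {}, {}
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, u, dev = datetime.fromisoformat(e["ts"]), e["user"], e["device"]
        if e["result"] != "Success":
            continue
        if e["op"] == "SignIn":
            prev = last_signin.get(u)
            if (u, dev) not in first_seen:
                first_seen[(u, dev)] = ts
                if prev is not None:         # a user's very first sign-in only seeds the baseline
                    alerts.append((u, "new-device", e["ts"], dev))
            if prev is not None:
                hours = (ts - prev["ts"]).total_seconds() / 3600
                km = haversine_km(prev["geo"], e["geo"])
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    alerts.append((u, "impossible-travel", e["ts"], f"{km:.0f} km in {hours * 60:.0f} min"))
            last_signin[u] = {"ts": ts, "geo": e["geo"]}
        elif e["op"] in ("New-InboxRule", "Set-InboxRule"):
            seen = first_seen.get((u, dev))
            if seen is None or ts - seen <= NEW_DEVICE_WINDOW:
                alerts.append((u, "inbox-rule-from-new-device", e["ts"], e.get("params", "")))
    return alerts
```

In production the baseline of known devices and locations would come from weeks of history rather than the first event seen, and the geo fields from the provider's own sign-in logs.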
5. Keep your people sharp
Technology narrows the gap; an alert workforce closes it. Regular, realistic simulations, including voice and MFA-themed lures, keep the instinct fresh, and a one-click way to report suspicious messages turns staff into an early-warning system.
The bottom line
Phishing-as-a-service has industrialised an old crime, and AI has made its output faster, cleaner and harder to spot. But the fundamentals of defence have not changed as much as the headlines suggest. Phishing-resistant authentication, tight access controls and a well-trained workforce still break the chain, and the difference now is that applying them is no longer optional.
Phishing Tackle offers the tools businesses need to strengthen their human risk strategies, with multi-platform testing, real-time behavioural insights, and actionable data to keep your organisation ahead of modern cyber threats.
Contact us today to learn how Phishing Tackle can help safeguard your organisation from the growing array of cyber risks.
