The number of known phishing-as-a-service (PhaaS) kits doubled in 2025, adding pressure on security teams defending against cyberattacks, according to Barracuda’s Phishing Review of 2025.
The analysis covered attacks in Asia-Pacific (APAC) and worldwide, highlighting new kits such as Whisper 2FA and GhostFrame, which introduced techniques to hide malicious code, while established groups like Mamba and Tycoon continued to adapt. Each kit was linked to millions of attacks globally.
Barracuda identified common themes in phishing attacks last year, including fake payment requests, financial notices, legal messages, digital signatures, and HR-related emails. These messages often spoofed trusted brands such as Microsoft, DocuSign, and SharePoint. Attackers relied on links, QR codes, or attachments to collect personal information.
“Phishing kits shifted up another level in 2025 as they increased in number and sophistication, bringing advanced, full-service attack platforms to even less-skilled cybercriminals and enabling them to launch powerful attacks at scale,” said Ashok Sakthivel, director of Software Engineering at Barracuda.
He added that the kits make it harder for users and security teams to detect and prevent fraud.
The report also highlighted the most prevalent tools and techniques used in phishing attacks in 2025:
- Multifactor authentication (MFA) bypass in 48% of attacks
- URL obfuscation in 48%
- CAPTCHA abuse in 43%
- Polymorphic code and malicious QR codes in around 20%
- Malicious attachments in 18%
- Abuse of trusted platforms and abuse of generative AI tools, each in 10% of attacks
Payment and invoice scams accounted for 19% of phishing emails, followed by digital signature and document review emails at 18%, and HR-related messages at 13%. Many emails mimicked brand websites and logos with alarming accuracy.
“Phishing remains a serious issue in APAC, and our findings highlight how quickly attackers are refining their methods,” Mark Lukie, director of Solution Architects, said. “With MFA bypass and evasion techniques now commonplace, organisations need to reassess whether their existing controls are keeping pace.”
Sakthivel added that organizations should adopt layered strategies, including phishing-resistant MFA, user training, continuous monitoring, and integrated email security.