16 May, 2026

FBI takedown of W3LL phishing service leads to developer arrest

The FBI Atlanta Field Office and Indonesian authorities have dismantled the “W3LL” global phishing platform, seizing infrastructure and arresting the alleged developer in what is described as the first coordinated enforcement action between the United States and Indonesia targeting a phishing kit developer. The W3LL Store was a phishing kit and online marketplace that enabled […]

2 mins read

Device code phishing attacks surge 37x as new kits spread online

Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year. In this type of attack, the threat actor sends a device authorization request to a service provider and receives a code, which is sent to the victim under various pretexts. Next, the […]

4 mins read

New EvilTokens service fuels Microsoft device code phishing attacks

A new malicious kit called EvilTokens integrates device code phishing capabilities, allowing attackers to hijack Microsoft accounts and providing advanced features for business email compromise attacks. The kit is sold to cybercriminals over Telegram and is under continuous development, with its author stating that they plan to extend support to Gmail and Okta phishing pages. Device […]

2 mins read

Tycoon2FA phishing platform returns after recent police disruption

The Tycoon2FA phishing-as-a-service (PhaaS) platform that Europol and partners disrupted on March 4 has already returned to previously observed activity levels. Microsoft led the technical disruption, which involved seizing 330 domains that were part of Tycoon2FA’s backbone infrastructure, including control panels and phishing pages used in attacks. However, the disruption caused by law enforcement was short-lived, as […]

2 mins read

Europol-coordinated action disrupts Tycoon2FA phishing platform

An international law enforcement operation coordinated by Europol has disrupted Tycoon2FA, a major phishing-as-a-service (PhaaS) platform linked to tens of millions of phishing messages each month. In total, 330 domains that were part of the criminal service’s backbone infrastructure (including control panels and phishing pages) were seized and taken offline during this joint action. “The technical disruption was […]

2 mins read

Nigeria arrests dev of Microsoft 365 ‘Raccoon0365’ phishing platform

The Nigerian police arrested three individuals linked to targeted Microsoft 365 cyberattacks carried out via the Raccoon0365 phishing platform. The attacks led to business email compromise, data breaches, and financial losses affecting organizations worldwide. The law enforcement operation was possible thanks to intelligence from Microsoft, shared with the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) via the FBI. The […]

2 mins read

Sneaky2FA PhaaS kit now uses redteamers’ Browser-in-the-Browser attack

The Sneaky2FA phishing-as-a-service (PhaaS) kit has added browser-in-the-browser (BitB) capabilities that are used in attacks to steal Microsoft credentials and active sessions. Sneaky2FA is a widely used PhaaS platform right now, alongside Tycoon2FA and Mamba2FA, all targeting primarily Microsoft 365 accounts. The kit was known for its SVG-based attacks and attacker-in-the-middle (AitM) tactics, where the authentication process is […]

3 mins read

Google sues to dismantle Chinese phishing platform behind US toll scams

Google has filed a lawsuit to dismantle “Lighthouse”, a phishing-as-a-service (PhaaS) platform used by cybercriminals worldwide to steal credit card information through SMS phishing (“smishing”) attacks that impersonate the U.S. Postal Service (USPS) and E-ZPass toll systems. The lawsuit aims to shut down the website infrastructure supporting the Lighthouse phishing-as-a-service (PhaaS), which Google says has […]

4 mins read

Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service

Microsoft and Cloudflare have disrupted a massive Phishing-as-a-Service (PhaaS) operation, known as RaccoonO365, that helped cybercriminals steal thousands of Microsoft 365 credentials. In early September 2025, in coordination with Cloudflare’s Cloudforce One and Trust and Safety teams, Microsoft’s Digital Crimes Unit (DCU) disrupted the cybercrime operation by seizing 338 websites and Worker accounts linked to RaccoonO365. The […]

2 mins read