Phishing kits aren't new. They've existed for years as prepackaged toolsets that allow attackers to spin up fake login pages and harvest credentials without building anything from scratch.
But what's changed—and what most businesses still underestimate—is how polished and operationalized these kits have become. We're no longer looking at rough tools cobbled together by individual hackers. We're looking at products. Full platforms with clean interfaces, repeatable workflows, built-in evasion, and subscription pricing.
That distinction matters more than it might seem.
From Hacker Tools to Subscription Products
The phishing landscape has shifted from one-off attack scripts to what the security industry now calls Phishing-as-a-Service (PhaaS)—platforms that package everything an attacker needs into a managed, often subscription-based product.
A recent example illustrates the trend. In March 2026, researchers at Abnormal Security documented a platform called Venom—a previously undocumented PhaaS platform used in a credential theft campaign targeting C-suite executives across more than 20 industry verticals. Venom isn't a loose collection of scripts. It features a licensing and activation model, structured token storage, and a full campaign management interface. It's built to be operated, not just used.
Another platform, dubbed Morphing Meerkat by researchers at Infoblox, has been active since at least 2020 and now spoofs over 114 brand login pages. It dynamically queries a victim's DNS mail exchange records to determine their email provider, then serves a fake login page that matches it—complete with dynamic language translation based on the victim's profile.
These aren't proof-of-concept tools. They're engineered products designed for scale.
Why This Changes the Threat Model
When phishing required technical skill—building infrastructure, crafting convincing pages, evading filters—it limited who could run effective campaigns and how many they could run. PhaaS platforms remove those constraints.
The implications are straightforward:
- More attempts: Platforms with mass spam delivery and built-in email security bypass mean more phishing emails reaching more inboxes. The Anti-Phishing Working Group recorded over 3.8 million unique phishing sites in 2025, continuing a steady upward trend.
- Less skill required: PhaaS kits have grown roughly 21% year-over-year, giving low-skilled actors the tools to launch campaigns that previously required significant technical expertise. Someone with minimal experience can now run a sophisticated credential harvesting operation.
- Faster iteration: Built-in evasion techniques, open redirect exploitation, and compromised infrastructure mean these platforms adapt quickly when defenses catch up. Morphing Meerkat, for instance, leverages open redirect vulnerabilities on advertising platforms—including Google-owned DoubleClick—to bypass security filters.
None of those points are surprising on their own. Together, they change the math. The barrier is no longer "can someone pull this off?" It's volume, targeting, and information gathering—all of which these platforms handle.
We covered how AI is compounding this problem in our piece on why employees can't spot AI-powered phishing anymore.
MFA Alone Is No Longer Enough
Perhaps the most significant development in modern PhaaS platforms is their ability to bypass multi-factor authentication.
The Venom platform, for instance, offers two credential harvesting methods. The first is an adversary-in-the-middle (AiTM) setup that perfectly mimics the victim's real login portal—complete with company branding, pre-filled email addresses, and the organization's actual identity provider—while silently relaying credentials and MFA codes to Microsoft's live systems in real time. Once in, the attacker quietly registers a secondary MFA device on the victim's account, leaving the original authenticator intact to avoid detection.
The second method avoids login forms entirely. It tricks the victim into approving a device sign-in through Microsoft's legitimate device code flow, handing access tokens directly to the attacker. The stolen refresh token remains valid even after password resets, unless an administrator manually revokes all active sessions—a step most organizations don't take by default.
This is not theoretical. These are documented, operational capabilities being sold as a service.
We took a deeper look at this problem in our article on MFA bypass and phishing-resistant authentication, including why hardware keys and passkeys are becoming essential.
Who's Being Targeted
The Venom campaign is notable for its precision. According to Abnormal Security's research, 60% of titled recipients held C-level, President, or Chairman positions. Lures were crafted as SharePoint document-sharing notifications themed around financial reports, designed to prompt executives to scan a QR code embedded in the email body.
But the broader trend extends well beyond the C-suite. PhaaS platforms make targeted attacks economically viable against organizations of any size. When the cost of running a sophisticated phishing campaign drops to a subscription fee—some platforms charge as little as $250 per month—small businesses become just as attractive as enterprise targets.
We explored why smaller organizations are increasingly in the crosshairs in our article on recognizing social engineering attacks. And as we discussed in our piece on spear phishing, the personalization that once made these attacks rare and expensive is now automated.
The Real Question Isn't "Can We Spot It?"
When phishing becomes a system—with polished platforms, built-in MFA bypass, and automated targeting—the conversation needs to shift. It's less about whether your team can identify a perfect phishing email and more about what happens when credentials inevitably get exposed.
That means asking harder questions:
- How quickly would you detect a compromised account? If an attacker gains access through a phishing platform and registers their own MFA device, do you have monitoring in place to flag that activity?
- Are you relying on MFA as your last line of defense? As we covered in our article on common MFA implementation mistakes, MFA is essential but not sufficient on its own—especially against AiTM attacks.
- Do you have out-of-band verification for sensitive requests? Financial transactions, credential changes, and data access requests need verification through a separate channel—not just a reply to the email that initiated them.
- Is your email security built for this generation of threats? Traditional filters that scan for known malicious patterns struggle against platforms designed specifically to evade them. We covered this in our piece on elevating your email security.
What You Can Do Now
There's no single fix for a threat that operates as a platform. But there are concrete steps that make your organization a harder target:
Move Toward Phishing-Resistant Authentication
FIDO2 hardware security keys and passkeys are resistant to AiTM attacks because they bind authentication to the legitimate domain—a phishing proxy can't intercept them. If you haven't started evaluating these options, now is the time.
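To make the domain binding concrete, here is an added Python sketch (not from the article or any WebAuthn library) of the two relying-party checks that defeat an AiTM proxy; the domain names and challenge are made up:

```python
import hashlib
import json

# Constructed relying party for the example; the domains are made up.
EXPECTED_RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

def build_assertion(origin, rp_id, challenge="c29tZS1jaGFsbGVuZ2U"):
    """Simulate what the browser and authenticator produce for a FIDO2 sign-in.
    The browser writes the page's true origin into clientDataJSON, and the
    authenticator puts SHA-256(rpId) in authenticator data; both are covered by
    the key's signature, so a phishing page cannot substitute the real domain."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return {"clientDataJSON": client_data, "rpIdHash": rp_id_hash}

def verify_assertion(assertion, expected_origin, expected_rp_id):
    """The relying-party checks that make a relayed assertion fail. Signature
    verification over the same bytes is omitted; only the binding is shown."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client.get("origin") != expected_origin:
        return False, f"origin mismatch: {client.get('origin')}"
    if assertion["rpIdHash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    return True, "ok"

# Genuine sign-in on the real site.
legit = build_assertion("https://login.example.com", "login.example.com")
# AiTM proxy: it relays the real challenge, but the victim's browser is on the
# look-alike host, so origin and rpIdHash describe the phishing domain.
proxied = build_assertion("https://login-example.com", "login-example.com")
```

Because the authenticator signs over these same fields, the proxy cannot rewrite them on the way through; the real site simply rejects the assertion.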
Implement Conditional Access Policies
Restrict login approvals based on device compliance, location, and risk signals. This adds friction for attackers even if they obtain valid credentials and MFA tokens.
Monitor for Post-Compromise Indicators
Watch for new MFA device registrations, unusual token activity, sign-ins from unfamiliar locations, and changes to mail forwarding rules. These are the early signs that a credential theft campaign has succeeded. As we discussed in our article on incident response planning, having detection and response procedures in place before something happens is what separates a contained incident from a breach.
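As an added illustration (not from the article or any vendor), this Python snippet runs the indicators above over constructed sample events in a simplified schema of its own, correlating a risky sign-in with the MFA registration and mail-rule change that follow it:

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in this example's own simplified schema (loosely
# modelled on identity-provider sign-in and audit logs); not a vendor format.
LOG_LINES = [
    '{"ts":"2026-03-02T08:01:00Z","user":"cfo@example.com","kind":"signin","country":"US","protocol":"authorizationCode"}',
    '{"ts":"2026-03-02T08:09:00Z","user":"cfo@example.com","kind":"signin","country":"US","protocol":"authorizationCode"}',
    '{"ts":"2026-03-02T13:40:00Z","user":"cfo@example.com","kind":"signin","country":"NL","protocol":"deviceCode"}',
    '{"ts":"2026-03-02T13:42:00Z","user":"cfo@example.com","kind":"audit","activity":"User registered security info","detail":"Authenticator App"}',
    '{"ts":"2026-03-02T13:47:00Z","user":"cfo@example.com","kind":"audit","activity":"New-InboxRule","detail":"ForwardTo external; DeleteMessage"}',
    '{"ts":"2026-03-02T14:00:00Z","user":"it@example.com","kind":"audit","activity":"User registered security info","detail":"Authenticator App"}',
]

RISKY_PROTOCOLS = {"deviceCode"}   # access obtained via a device-code approval
SENSITIVE = {"User registered security info": "new MFA method",
             "New-InboxRule": "new inbox rule"}
CORRELATION_WINDOW = timedelta(hours=1)

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def detect(lines, baseline_signins=2):
    """Flag post-compromise indicators per user. The first `baseline_signins`
    sign-ins are assumed trusted and define known countries. A later sign-in from
    a new country or over a risky protocol is MEDIUM; a sensitive change within
    CORRELATION_WINDOW after such a sign-in is HIGH, otherwise LOW (logged only)."""
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["ts"])
    seen, baseline, flagged, alerts = {}, {}, {}, []
    for e in events:
        u = e["user"]
        if e["kind"] == "signin":
            seen[u] = seen.get(u, 0) + 1
            if seen[u] <= baseline_signins:
                baseline.setdefault(u, set()).add(e["country"])
                continue
            reasons = []
            if e["country"] not in baseline.get(u, set()):
                reasons.append(f"new country {e['country']}")
            if e["protocol"] in RISKY_PROTOCOLS:
                reasons.append(f"{e['protocol']} sign-in")
            if reasons:
                flagged[u] = _ts(e["ts"])
                alerts.append(("MEDIUM", u, "; ".join(reasons)))
        elif e["activity"] in SENSITIVE:
            recent = u in flagged and _ts(e["ts"]) - flagged[u] <= CORRELATION_WINDOW
            alerts.append(("HIGH" if recent else "LOW", u,
                           f"{SENSITIVE[e['activity']]}: {e['detail']}"))
    return alerts
```

The point is the correlation: an MFA enrolment on its own is routine, but one minutes after a device-code sign-in from a country the user has never used is the pattern the Venom write-up describes.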
Update Security Awareness Training
Training should reflect the current reality: phishing emails now look professional, contextually appropriate, and technically convincing. The focus should be on building a verification mindset—questioning unexpected requests regardless of how legitimate they appear—rather than relying on employees to spot red flags that no longer exist.
Layer Your Defenses
No single control stops a modern PhaaS campaign. Effective protection comes from layering security measures—combining email filtering, authentication controls, endpoint monitoring, and employee training so that a failure at one layer doesn't mean a complete breach.
The Shift Is Already Here
Phishing-as-a-service platforms represent a fundamental shift in how credential theft campaigns operate. They're no longer limited by the skill of the attacker or the effort required to build infrastructure. They're products—designed for scale, sold on subscription, and engineered to bypass the defenses most businesses rely on.
The organizations that adapt are the ones that stop treating phishing as an email problem and start treating it as a systems problem. That means investing in detection, response, and authentication controls that assume some phishing will get through—because with platforms like these, it will.
This article is intended for informational purposes only and does not constitute professional security, legal, or compliance advice. Organizations should consult with qualified professionals to assess their specific circumstances and develop appropriate protective measures.