Tuesday, 30 June 2026 Archypedia index online

Barracuda researchers identify surge in sophisticated phishing-as-a-service


A recent surge in sophisticated phishing-as-a-service (PhaaS) attacks has been identified by Barracuda researchers, with the emergence of new and rapidly evolving PhaaS kits that are stealing credentials and authentication tokens from Microsoft 365 users. According to Barracuda's Email Threat Radar, one of the most notable PhaaS kits is Whisper 2FA, which has been tracked by Barracuda threat analysts since July 2025.

Whisper 2FA is a stealthy and persistent PhaaS kit that uses advanced web technologies and layered obfuscation to evade both human and technical defenses. Its innovative features include continuous loops to steal authentication tokens, multiple layers of disguise, and devious tactics to obstruct analysis of its malicious code and stolen data. Whisper 2FA is evolving rapidly and presents a considerable threat to organizations, with Barracuda seeing close to a million Whisper 2FA attacks targeting accounts in multiple huge phishing campaigns.


Another PhaaS kit that has been identified by Barracuda researchers is Tycoon 2FA, which targets Microsoft 365 accounts and can bypass two-factor authentication. Tycoon 2FA uses a genuine Microsoft login page to intercept users' session tokens and access permissions, allowing attackers to access the victim's email, online files, and linked Microsoft 365 services.

According to Barracuda's 2025 Email Threats Report, email remains the most common attack vector for cyber threats, with malicious attachments and links being used to distribute malware, launch phishing campaigns, and exploit vulnerabilities. The report also notes that one in four email messages is either malicious or unwanted spam, and that 87% of binaries detected were malicious.

The surge in PhaaS attacks has been linked to the increasing use of AI-driven social engineering and phishing-as-a-service, which are making it easier for attackers to launch sophisticated and targeted attacks. As Barracuda notes, the future of defense must evolve just as quickly, with organizations needing to prioritize integrated email security layered with identity protection and automated response as part of a broader, resilience-driven strategy.

To stay protected, organizations need to move past static defenses and adopt layered strategies, including user training, phishing-resistant MFA, continuous monitoring, and threat intelligence sharing. As CIO Axis notes, the features and functionality of Whisper 2FA show how phishing kits have evolved from simple credential stealers into sophisticated, full-service attack platforms.

Barracuda's analysis of Whisper 2FA shows similarities with Salty 2FA, a new PhaaS kit focused on stealing M365 credentials that was recently reported by AnyRun, and notable differences from older, more established rivals like EvilProxy, such as simplified credential theft that is harder to detect.

The Whisper 2FA phishing kit is evolving rapidly in both technical complexity and anti-detection strategies. Early variants featured text comments added by the developers, a few layers of obfuscation and anti-analysis techniques that focused mainly on disabling the right-click/context menu used in code inspection. The most recent variants seen by Barracuda have no comments, obfuscation has become denser and multi-layered, and new protections have been added to make it harder for defenders to analyze or tamper with the system.

These include tricks to detect and block debugging tools, disable shortcuts used by developers, and crash inspection tools. This variant also allows authentication tokens to be validated in real time through the attacker's command and control system. The features and functionality of Whisper 2FA show how phishing kits have evolved from simple credential stealers into sophisticated, full-service attack platforms, according to Saravanan Mohankumar, Manager, Threat Analysis team at Barracuda.
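
A triage heuristic for the anti-analysis behaviours described above (context-menu blocking, debugger detection, disabled developer shortcuts), as an added example that is not code from Barracuda or from the kit. The rule patterns, the `triageAntiAnalysis` function and both sample pages are constructed assumptions.

```javascript
// Added example: generic static-triage heuristics, NOT indicators published by Barracuda.
// Each rule is an assumed, common way a page implements one behaviour the article names.
const RULES = [
  { id: "contextmenu-blocked", // right-click / context menu disabled
    re: /oncontextmenu\s*=\s*["']?\s*return\s+false|addEventListener\(\s*["']contextmenu["'][\s\S]{0,200}?preventDefault\s*\(/i },
  { id: "debugger-trap", // timer that keeps hitting a `debugger` statement
    re: /set(?:Interval|Timeout)\s*\([\s\S]{0,200}?\bdebugger\b/ },
  { id: "devtools-shortcut-blocked", // key handler that swallows F12
    re: /(?:keydown|keyup)[\s\S]{0,400}?(?:["']F12["']|keyCode\s*={2,3}\s*123)[\s\S]{0,400}?preventDefault\s*\(/i },
];

// Flags a page that both collects a password and fights inspection (>= 2 rules hit).
function triageAntiAnalysis(html) {
  const hits = RULES.filter((r) => r.re.test(html)).map((r) => r.id);
  const hasPasswordField = /<input[^>]+type\s*=\s*["']?password/i.test(html);
  return { hits, hasPasswordField, suspicious: hasPasswordField && hits.length >= 2 };
}

// Constructed sample pages (not taken from any real kit or site).
const SAMPLE_SUSPECT = `
<html><body oncontextmenu="return false">
<form><input type="password" name="p"></form>
<script>
setInterval(function () { debugger; }, 100);
document.addEventListener("keydown", function (e) {
  if (e.key === "F12") { e.preventDefault(); }
});
</script></body></html>`;

const SAMPLE_BENIGN = `
<html><body><form id="f"><input type="password" name="p"></form>
<script>
document.addEventListener("keydown", function (e) {
  if (e.key === "Enter") { document.getElementById("f").submit(); }
});
</script></body></html>`;

console.log(triageAntiAnalysis(SAMPLE_SUSPECT));
console.log(triageAntiAnalysis(SAMPLE_BENIGN));
```

Static matching like this only works on readable or already-decoded page source. The dense, multi-layered obfuscation reported in recent variants would hide these strings, so a miss is not evidence that a page is clean.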

By combining real-time MFA interception, multiple layers of obfuscation and anti-analysis techniques, Whisper 2FA makes it difficult for users and security teams to detect fraud. To stay protected, organizations need to move past static defenses and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and threat intelligence sharing.

Barracuda's research also notes technical parallels between Whisper 2FA and other recent PhaaS families. Whisper shares certain tactics with Salty 2FA, but differs from longer-established kits like EvilProxy in its use of more sophisticated real-time token validation and denser anti-analysis measures.

Given its scale and agility, Barracuda warns that Whisper 2FA represents a substantial threat to organizations that rely on Microsoft 365 and similar cloud email platforms. The company recommends defenders prioritize phishing-resistant authentication methods, implement continuous anomaly detection for account activity, harden email security controls, and ramp up user awareness training focused on dynamic MFA-bypass techniques.

Barracuda's report on Whisper 2FA provides technical indicators and mitigation guidance for security teams. Organizations should treat the prevalence and rapid evolution of PhaaS offerings as a call to upgrade layered defenses and shorten detection and response times.

According to the report, one in three email messages is malicious or unwanted spam, and 48% of malicious email activity is phishing. The report also notes that 34% of companies experience at least one account takeover incident each month.

To combat the growing threat of PhaaS attacks, organizations need to adopt a multi-layered approach to security, including user training, phishing-resistant MFA, continuous monitoring, and threat intelligence sharing. By prioritizing integrated email security layered with identity protection and automated response, organizations can reduce the risk of falling victim to PhaaS attacks and stay ahead of the evolving threat landscape.
