New Delhi, March 13 -- Poorly written emails with spelling mistakes and obvious deception were once a clear marker of phishing attacks. These unrefined and isolated scams have given way to campaigns using industrialised Phishing-as-a-Service (PhaaS) platforms. PhaaS kits enable even less-skilled attackers to launch sophisticated targeted campaigns at scale with minimal effort.

In 2025, Barracuda threat researchers found that the number of phishing kits in use doubled and that kits now underpin a large share of phishing activity, with approximately 90 per cent of high-volume phishing campaigns leveraging PhaaS kits.

How PhaaS has changed the threat landscape

Modern phishing kits are not simple email templates. They are ready-made attack platforms that automate email delivery, credential harvesting, infrastructure management, and evasion techniques. Kits are continuously refined, updated and resold, mirroring legitimate software development cycles and making phishing both scalable and repeatable.

The consequences of a successful phishing attack extend far beyond compromised inboxes. Successful attacks can lead to credential theft, account takeover, lateral movement, ransomware deployment, and extortion. These kinds of incidents often result in business disruption, including downtime and reputational damage.

Phishing kits have also affected how attacks evade detection, making prevention and mitigation harder than ever. Multi-factor authentication (MFA), while essential, is no longer sufficient on its own. Research reveals that 48 per cent of phishing attacks now bypass MFA, most commonly through adversary-in-the-middle techniques that intercept session tokens in real time. Other techniques seen include URL obfuscation (48%), CAPTCHA abuse (43%) and malicious QR codes (19%).

Attackers increasingly abuse trusted platforms, generative AI and no-code tools to blend malicious content into otherwise legitimate workflows. While email themes remain familiar, for example, payment demands, HR updates and document sharing, the execution has become convincing, personalised, and difficult to distinguish from genuine business communications.

GhostFrame: a new super stealthy phishing kit

GhostFrame, a phishing kit first identified in September last year, shows how these kits are evolving. It hides all malicious content inside embedded iframes, leaving the visible HTML page seemingly harmless to static scanners.

GhostFrame employs a two-stage attack architecture. The primary phishing page is a harmless-looking HTML page, randomly generated for each target, that contains no phishing elements of its own. Embedded within that page, however, are pointers that load a secondary phishing page through an iframe. The iframe design lets attackers swap out the phishing content, try new tricks or target specific regions, all without changing the main web page that distributes the kit. The kit also incorporates anti-analysis and anti-debugging techniques, making detection and investigation significantly more difficult. Within months of discovery, over one million attacks were linked to GhostFrame, illustrating how quickly these kits can scale once adopted.
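A defender-side triage check for the shell-page-plus-remote-iframe layout described above, added here as an example and not part of the article or of any Barracuda or GhostFrame code: it parses a page with Python's standard-library HTML parser, records iframes that are hidden or that point to a host other than the one serving the page, and flags pages whose user-visible text is nearly empty. The sample HTML, the `.invalid` hostnames and the 200-character threshold are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def _is_hidden(a):
    """True if an iframe is attributed/styled so the user never sees it."""
    decls = {k.strip(): v.strip() for k, v in (d.split(":", 1) for d in (a.get("style") or "").lower().split(";") if ":" in d)}
    return ("hidden" in a or a.get("width") == "0" or a.get("height") == "0"
            or decls.get("display") == "none" or decls.get("visibility") == "hidden"
            or decls.get("opacity") == "0"
            or decls.get("width", "").rstrip("px") == "0"
            or decls.get("height", "").rstrip("px") == "0")

class IframeAuditor(HTMLParser):
    """Collects iframe/frame targets and a rough count of user-visible text."""
    def __init__(self):
        super().__init__()
        self.frames, self.visible_chars, self._skip = [], 0, 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1                      # text inside is not user-visible
        elif tag in ("iframe", "frame"):
            self.frames.append((a.get("src") or "", _is_hidden(a)))
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.visible_chars += len(data.strip())

def audit_page(html, page_host, min_visible=200):
    """Flag hidden or off-host iframes and near-empty 'shell' pages (threshold is an assumption)."""
    p = IframeAuditor()
    p.feed(html)
    findings = []
    for src, hidden in p.frames:
        host = urlparse(src).hostname               # None for a relative (same-host) src
        if hidden:
            findings.append(f"hidden iframe -> {src}")
        if host and host != page_host:
            findings.append(f"off-host iframe -> {host}")
    shell = bool(p.frames) and p.visible_chars < min_visible
    return {"findings": findings, "shell_page": shell, "visible_chars": p.visible_chars}

# Constructed sample pages (not captured from any real kit).
SAMPLE_SHELL = ('<html><head><title>Document</title></head><body><div>Loading...</div>'
                '<iframe src="https://stage2.example.invalid/login" style="width:0;height:0">'
                '</iframe></body></html>')
SAMPLE_BENIGN = ('<html><body>' + '<p>Quarterly report for internal review. </p>' * 8
                 + '<iframe src="/embed/chart"></iframe></body></html>')
```

A real pipeline would also fetch and recurse into each off-host frame target, since the first page alone is designed to look clean.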

Why traditional defenses are falling short

Many organisations continue to rely on traditional tools designed for a slower threat environment. These approaches cannot keep pace with adaptive kits that actively test themselves against security stacks and adjust in near real time. Even human verification steps such as CAPTCHA and redirect chains are now frequently weaponised by attackers to appear legitimate and evade automated inspection.

Defending against modern phishing requires a layered, adaptive approach. It is recommended to combine phishing-resistant MFA, continuous monitoring and behavioural analysis, and advanced email security capable of inspecting embedded content, iframes and dynamic URLs. Equally important is regular, scenario-based employee training that reflects how phishing actually looks today. Security teams must assume that compromise attempts are continuous, not occasional.

The rise in the number of phishing kits in recent months marks a new challenge for defenders. Entrants like GhostFrame now coexist with highly active legacy kits, expanding both the attack surface and the speed at which threats evolve. Organisations that adapt their defenses now will be far better positioned for 2026 and beyond. Those who do not risk falling behind a threat that has already gone professional.

Published by HT Digital Content Services with permission from TechCircle.