SECURITY
A new report out today from Barracuda Networks Inc. has detailed how phishing attacks grew more sophisticated and harder to detect in 2025 thanks to the rapid evolution of phishing-as-a-service kits that are increasingly incorporating multifactor authentication bypass, artificial intelligence-generated content and advanced evasion techniques.
According to Barracuda’s “Threat Spotlight: How phishing kits evolved in 2025” report, 90% of high-volume phishing campaigns observed over the past year relied on phishing kits sold or rented as services.
The number of known phishing kits doubled during 2025 and, in doing so, lowered the barrier to entry for less-skilled attackers while also raising the technical sophistication of attacks. Many of the newest kits were also found to be stealthier, more modular and better equipped to evade modern security controls than previous generations.
Most types of phishing attacks remained similar to previous years, including payment and invoice fraud, voicemail scams, digital signature requests, financial and legal document lures and human resources-related messages. However, according to the report, the standout difference was the level of realism used in phishing attacks.
Not surprisingly, attackers were found to be increasingly using generative AI to produce highly convincing emails that closely matched the tone, branding and writing style of legitimate services such as those from Microsoft Corp. and Docusign Inc. QR codes were also frequently embedded in emails and documents in an attempt to move victims from corporate desktops to less-protected mobile devices.
Barracuda’s researchers found that advanced techniques were present in a significant portion of attacks.
Multifactor authentication bypass and URL obfuscation were observed in 48% of phishing campaigns and CAPTCHA abuse appeared in 43%. Malicious QR codes were used in nearly one-fifth of attacks, with some campaigns splitting or nesting QR codes to evade detection by email security tools.
The report also digs into various new phishing kits that entered the market in 2025, including Sneaky 2FA, Cephas, Whisper 2FA and GhostFrame.
The kits employ tactics such as adversary-in-the-middle attacks, heavy JavaScript obfuscation, browser-in-the-browser techniques and dynamic subdomain generation to steal credentials and session cookies while avoiding automated analysis.
Established kits remain active as well, with Barracuda recording close to 10 million attacks linked to the long-running Mamba 2FA kit in late 2025 alone.
“2025 witnessed an explosion in the number of phishing kits,” the report said. “Newcomers are developing and scaling rapidly and creating a varied and crowded threat landscape that brings new challenges for defenders.”
The report warns that traditional defenses are no longer sufficient to counter the scale and sophistication of modern phishing campaigns. Organizations are being advised to adopt AI-powered security platforms, strengthen authentication and access controls and invest in regular employee security awareness training to reduce the risk posed by evolving phishing threats.