Here’s how phishing kits levelled up in 2025 – and what 2026 has in store

by Black Hat Middle East and Africa

In 2025, phishing kits stopped being basic. Clunky fake login pages are out, and sophisticated industrial-grade phishing is in. 

New research from the threat team at Barracuda shows that the number of known phishing-as-a-service (PhaaS) kits doubled during 2025, and 90% of high-volume phishing campaigns they tracked relied on these ready-made toolchains. It means criminals don’t need advanced tech skills to launch complex social engineering attacks at scale – the barrier to entry is getting lower all the time. 

New kits have stuck to familiar lures (invoices, HR policy updates, legal docs, ‘please sign this DocuSign’) but delivery has levelled up. According to the research, QR codes embedded within an email are a rising tactic to get victims onto their smartphones, enabling criminals to bypass multiple desktop controls.

Barracuda’s technique breakdown reads like a modern kit feature list:

  • URL obfuscation showed up in 48% of attacks, often with open redirects and human verification steps
  • MFA bypass (including session cookie theft) was also seen in 48%
  • CAPTCHA abuse hit 43% – not to stop bots, but to add legitimacy and hide the real destination

And the long tail is dangerous too: polymorphic changes to headers/bodies/destinations (20%), malicious QR codes (19%), attachments (18%), plus smaller-but-nasty tactics like Blob URIs (2%) and ClickFix ‘copy/paste this command’ social engineering (1%).

The newest kits are achieving a level of stealth not seen in previous versions. 

They’ve become very effective at wasting analyst time with obfuscation layers and anti-debugging; at defeating automated analysis with anti-bot checks, geofencing and fingerprinting; and at making the victim feel that nothing is out of the ordinary, for example with post-theft redirects to innocuous pages.

The research points to a busier kit market with incumbents like Tycoon 2FA and Mamba 2FA now competing with the newer names of Cephas, Whisper 2FA, and GhostFrame.

As the technology embedded in the kits keeps advancing, they’re becoming harder to detect. Some can integrate directly with legitimate Microsoft APIs to validate stolen credentials/tokens and improve takeover success rates. Others use dynamic subdomains and staged iframes to appear harmless to static scanning tools.

According to Barracuda’s researchers, it’s not just new threat groups keeping up with these developments: the old player Mamba 2FA was behind a late-2025 surge of close to 10 million attacks.

What to expect in 2026: more delivery engineering, more MFA workarounds

Based on this research (and some further reading), here are two ways we expect phishing kits to evolve over the coming year: 

  1. Spoofing and routing tricks will get more operational. Microsoft warns about phishing actors exploiting routing complexity and misconfigurations to spoof domains – and reports Defender for Office 365 blocked 13 million+ Tycoon2FA-linked emails in October 2025 alone. That’s not luck, but technique matched with scale.
  2. QR-based and mobile-first phishing will keep rising. APWG’s Q3 2025 data includes 716,306 unique malicious QR codes detected for phishing (up 13% QoQ). Pair that with Barracuda’s findings on QR evasion (splitting/nesting QR codes) and it’s hard not to see 2026 as the year QR becomes a default option in many kits.

How can defenders protect against these sophisticated kits?

There’s a strong argument here to move towards phishing-resistant MFA, and tighten session and token controls (because cookie theft is the new password spray). 

We also need to treat QR codes and human verification steps as first-class indicators in email and user training.

And organisations should invest in detection that handles obfuscation and staged delivery (think dynamic subdomains, iframes, Blob URIs), plus monitoring that spots account takeover early.
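As an added illustration (not code from the article or from Barracuda), the sketch below shows how a mail-triage step could surface several of the indicators named above from an email's HTML body. The indicator names, the text heuristics and the sample message are assumptions made for this example; it does not decode QR images, so the QR check is a text-plus-image heuristic only.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

class Scan(HTMLParser):  # records start tags (with attributes) and text nodes
    def __init__(self):
        super().__init__()
        self.tags, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))
    def handle_data(self, data):
        self.text.append(data)

def nested_redirect(url):
    """True if a query parameter carries an absolute URL on another host."""
    try:
        outer = urlsplit(url)
        inner = [urlsplit(v) for _, v in parse_qsl(outer.query)]
    except ValueError:  # malformed URL in untrusted input
        return False
    return any(i.scheme in ("http", "https") and i.hostname not in (None, outer.hostname)
               for i in inner)

def triage(raw_email):
    """Return sorted indicator names (hypothetical labels) for the HTML parts."""
    found = set()
    for part in message_from_string(raw_email).walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode("utf-8", "replace")
        scan = Scan()
        scan.feed(html)
        tags = {t for t, _ in scan.tags}
        urls = [a.get("href") or a.get("src") or "" for t, a in scan.tags if t in ("a", "iframe")]
        text = " ".join(scan.text).lower()
        checks = {
            "open_redirect_link": any(nested_redirect(u) for u in urls),
            "blob_uri": "createobjecturl" in html.lower() or any(u.lower().startswith("blob:") for u in urls),
            "iframe_in_body": "iframe" in tags,
            "qr_lure": "img" in tags and "qr code" in text,
            "human_verification": "captcha" in text or "verify you are human" in text,
        }
        found.update(name for name, hit in checks.items() if hit)
    return sorted(found)

# Constructed sample message (not real traffic); all hosts are placeholders.
SAMPLE = """From: hr@example.com
Content-Type: text/html

<p>Scan the QR code to review. Complete the CAPTCHA to verify you are human.</p><img src="cid:code">
<a href="https://portal.example.com/r?next=https%3A%2F%2Flogin.example.net%2F">Open</a><iframe src="https://a1b2.example.org/stage"></iframe>"""
```

Calling `triage(SAMPLE)` returns the four indicators present in the constructed message; a production pipeline would feed these into scoring alongside sender reputation rather than block on any single one.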

In 2025, kits got better at looking real. In 2026, they’ll get better at operating for real. 
