Phishing Attacks: The Evolving Threat Landscape
They’re Using Embedded Images
Recorded Future’s LaTulip comments: “This type of attack is an evolution of the more traditional, text-based phishing and is the criminals’ response to advances in email security filters. Embedded images are used to bypass the email filters, with the image used to disguise malicious content or links.”
Following these images will lead unsuspecting employees to either credential-harvesting or exploit-loaded websites.
Criminals may also continually edit and adapt images by changing colors or size, “This is often done to keep an image fresh, so that it increases its chances of avoiding detection.”
They’re Using Russian Fronts
KnowBe4 reports a surge in phishing campaigns leveraging Russian (.ru) top-level domains from December 2024 to January 2025.
The KnowBe4 Threat Research team noted a 98% rise in these phishing campaigns, which are primarily aimed at credential harvesting.
Some Russian .ru domains are run by so-called “bullet-proof” hosting providers, outfits known to keep malicious domains running and ignore abuse reports against sites run by their cybercriminal customers.
They’re Supercharging Intel Gathering
On the dark web and hacker forums, AI-assisted toolsets have become increasingly common.
“These tools can scrape social media posts and even identify a user’s exact geolocation through images and posts — an increasingly prevalent tactic,” Huntress’ Linares says.
Other intelligence-gathering tools focus on organizations rather than individuals. These can scrape LinkedIn, recruitment sites, DNS records, web hosting services, and third-party service providers to uncover valuable insights about a company’s infrastructure, software stacks, internal tools, employees, office locations, and other potential targets for social engineering or cyberattacks.
Sophisticated attackers are also repurposing legitimate marketing tools and platforms to identify prime opportunities for SEO hijacking and phishing attacks, maximizing the reach and effectiveness of scams.
They’re Professionalizing with PhaaS
Phishing-as-a-service (PhaaS) kits are expected to account for half (50%) of credential theft attacks in 2025, up from 30% in 2024, according to cybersecurity vendor Barracuda.
Barracuda predicts these platforms are evolving to include features that allow cybercriminals to steal multi-factor authentication (MFA) codes and employ more advanced evasion techniques, such as the use of QR-based payloads.
PhaaS platforms offer a subscription-based suite of tools and services, including dashboards and stolen credential storage, that facilitate phishing attacks. These cybercrime-enabling toolkits are sold through Telegram, dark web forums, and underground marketplaces. Subscriptions cost from $350 per month, according to cyber threat management firm Adarma.
The most widely-used such platform — Tycoon 2FA — blamed by Barracuda for 89% of observed PhaaS incidents harnesses encrypted scripts and invisible Unicode characters to evade detection, steal credentials, and exfiltrate data via Telegram.
Built for adversary-in-the-middle attacks, Sneaky 2FA abuses Microsoft 365’s ‘autograb’ feature to pre-populate fake login pages, filtering out non-targets and bypassing 2FA, as explained in a recent technical blog post by Barracuda.
## Conclusion
Phishing attacks have evolved to become more sophisticated, with criminals using embedded images, Russian fronts, and advanced intelligence-gathering tools to target unsuspecting employees. The rise of PhaaS kits is expected to account for half of credential theft attacks in 2025, and these platforms are evolving to include features that allow cybercriminals to steal MFA codes and employ advanced evasion techniques.
### FAQs
* What is the primary purpose of phishing attacks?
+ Credential harvesting and exploit-loaded websites
* What is the rise in phishing campaigns leveraging Russian top-level domains?
+ 98% rise in phishing campaigns from December 2024 to January 2025
* What is PhaaS (Phishing-as-a-Service)?
+ A subscription-based suite of tools and services that facilitate phishing attacks
* What is the expected percentage of PhaaS kits in credential theft attacks in 2025?
+ 50%
* What is the cost of PhaaS subscriptions?
+ From $350 per month
