TTPwire Vol. 1 · MITRE ATT&CK·Tagged

← All stories

Flashpoint

The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks

Flashpoint Intel Team · 2026-04-10 · Read original ↗

ATT&CK techniques detected

22 predictions
T1566.002Spearphishing Link
87%
"our newsletter phishing is no longer a standalone tactic. it has matured into a service - based ecosystem where specialized actors provide each component of an attack lifecycle, from infrastructure and delivery to credential harvesting and cash - out. flashpoint analysts, working…"
T1598Phishing for Information
80%
"( “ fish material ” ) to targeting high - value accounts and ultimately laundering funds through complex mechanisms, including tax fraud and credit card repayment schemes designed to recycle illicit funds. this highlights how phishing is only the entry point into a broader fraud …"
T1566.002Spearphishing Link
70%
"convincing, localized phishing lures clone brand interfaces with high fidelity optimize campaigns through automated testing and iteration this combination of mfa bypass and ai - driven automation has transformed phishing from a volume - based tactic into a precision - driven acce…"
T1598Phishing for Information
64%
"our newsletter phishing is no longer a standalone tactic. it has matured into a service - based ecosystem where specialized actors provide each component of an attack lifecycle, from infrastructure and delivery to credential harvesting and cash - out. flashpoint analysts, working…"
T1586.002Email Accounts
63%
"convincing, localized phishing lures clone brand interfaces with high fidelity optimize campaigns through automated testing and iteration this combination of mfa bypass and ai - driven automation has transformed phishing from a volume - based tactic into a precision - driven acce…"
T1598Phishing for Information
61%
"the phishing - as - a - service pipeline : how a scalable fraud ecosystem is driving global attacks blogs blog the phishing - as - a - service pipeline : how a scalable fraud ecosystem is driving global attacks in this post, we examine how phishing - as - a - service ( phaas ) ha…"
T1566.002Spearphishing Link
57%
"the phishing - as - a - service pipeline : how a scalable fraud ecosystem is driving global attacks blogs blog the phishing - as - a - service pipeline : how a scalable fraud ecosystem is driving global attacks in this post, we examine how phishing - as - a - service ( phaas ) ha…"
T1566Phishing
53%
"convincing, localized phishing lures clone brand interfaces with high fidelity optimize campaigns through automated testing and iteration this combination of mfa bypass and ai - driven automation has transformed phishing from a volume - based tactic into a precision - driven acce…"
T1586.002Email Accounts
47%
"threat actors operate dedicated sms gateway services capable of sending large volumes of messages via apis or bulk uploads. others actively seek advanced spoofing capabilities to bypass authentication controls such as spf, dkim, and dmarc, enabling phishing messages to appear leg…"
T1566.002Spearphishing Link
46%
"( “ fish material ” ) to targeting high - value accounts and ultimately laundering funds through complex mechanisms, including tax fraud and credit card repayment schemes designed to recycle illicit funds. this highlights how phishing is only the entry point into a broader fraud …"
T1566.002Spearphishing Link
44%
"into subscription - based platforms offering hosting, domain management, campaign tooling, and ongoing support. modern phaas platforms now operate similarly to legitimate saas providers : subscription - based pricing models prebuilt templates for major brands and services integra…"
T1598Phishing for Information
43%
"convincing, localized phishing lures clone brand interfaces with high fidelity optimize campaigns through automated testing and iteration this combination of mfa bypass and ai - driven automation has transformed phishing from a volume - based tactic into a precision - driven acce…"
T1111Multi-Factor Authentication Interception
41%
"into subscription - based platforms offering hosting, domain management, campaign tooling, and ongoing support. modern phaas platforms now operate similarly to legitimate saas providers : subscription - based pricing models prebuilt templates for major brands and services integra…"
T1598Phishing for Information
39%
"understanding how phishing ecosystems operate — from infrastructure and delivery to monetization — is critical for disrupting attacks before they result in fraud. flashpoint provides intelligence that helps organizations track phishing campaigns, identify emerging threat actors, …"
T1566Phishing
37%
"( “ fish material ” ) to targeting high - value accounts and ultimately laundering funds through complex mechanisms, including tax fraud and credit card repayment schemes designed to recycle illicit funds. this highlights how phishing is only the entry point into a broader fraud …"
T1566.002Spearphishing Link
36%
"understanding how phishing ecosystems operate — from infrastructure and delivery to monetization — is critical for disrupting attacks before they result in fraud. flashpoint provides intelligence that helps organizations track phishing campaigns, identify emerging threat actors, …"
T1566.002Spearphishing Link
36%
"##s, including operations targeting platforms such as tycoon 2fa, demonstrate growing coordination between public and private sector defenders. these efforts have : disrupted infrastructure increased operational costs for threat actors accelerated collaboration between intelligen…"
T1589.001Credentials
36%
"threat actors operate dedicated sms gateway services capable of sending large volumes of messages via apis or bulk uploads. others actively seek advanced spoofing capabilities to bypass authentication controls such as spf, dkim, and dmarc, enabling phishing messages to appear leg…"
T1598Phishing for Information
34%
"into subscription - based platforms offering hosting, domain management, campaign tooling, and ongoing support. modern phaas platforms now operate similarly to legitimate saas providers : subscription - based pricing models prebuilt templates for major brands and services integra…"
T1566Phishing
32%
"into subscription - based platforms offering hosting, domain management, campaign tooling, and ongoing support. modern phaas platforms now operate similarly to legitimate saas providers : subscription - based pricing models prebuilt templates for major brands and services integra…"
T1621Multi-Factor Authentication Request Generation
32%
"into subscription - based platforms offering hosting, domain management, campaign tooling, and ongoing support. modern phaas platforms now operate similarly to legitimate saas providers : subscription - based pricing models prebuilt templates for major brands and services integra…"
T1657Financial Theft
31%
"threat actors operate dedicated sms gateway services capable of sending large volumes of messages via apis or bulk uploads. others actively seek advanced spoofing capabilities to bypass authentication controls such as spf, dkim, and dmarc, enabling phishing messages to appear leg…"

Summary

Flashpoint analysts, working with partner financial institutions, have observed a growing number of PhaaS operations operating with a level of coordination and specialization more commonly associated with legitimate software platforms. These ecosystems bring together phishing kit developers, infrastructure providers, spam delivery services, and financially motivated actors into a single, scalable pipeline for fraud.

The post The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks appeared first on Flashpoint.