Phishing has consistently served as a primary initial access vector into corporate infrastructures for many years. Despite the widespread implementation of multifactor authentication (MFA) and substantial corporate investments in spam filtering, email security, and security awareness training, threat actors continue to heavily leverage this attack vector with high success rates.
Simultaneously, another aspect of this cyberthreat is evolving: the phishing-as-a-service (PhaaS) market. Vendors in this space no longer limit themselves to selling static phishing kits; instead, they have transitioned to full-fledged product pipelines. Their offerings now feature admin panels, bot integration, anti-bot evasion mechanisms, turnkey infrastructure, modules designed to intercept one-time passwords (OTPs) and verification codes, and capabilities for delivering malicious payloads via attachments.
Email remains the primary vector for phishing attacks, making its protection a top priority. Modern security tools and a well-architected perimeter defense successfully block a substantial volume of automated, mass-scale attacks while mitigating the risks of domain spoofing and malicious attachment delivery. Nevertheless, cybercriminals continuously increase the sophistication of their tactics and learn to bypass these defenses. This evolution is driven in part by the advancement of phishing campaign infrastructure and the PhaaS model, which collectively undermine the efficacy of traditional security solutions.
This report explores the core capabilities of email security systems, alongside the potential blind spots that threat actors can exploit.
Report objectives:
- Analyze phishing attack trends and key metrics for 2025.
- Examine dark web forum data to illustrate the current economic state of the phishing-as-a-service (PhaaS) market.
- Map out modern email phishing attack chains and detail the evasion techniques cybercriminals use to bypass security controls.
- Identify and compare the core capabilities of modern email security tools.
This report contains data on both active and defunct dark web forums. The findings are based on Positive Technologies' internal expertise, reports from leading cybersecurity vendors, data from popular cybercriminal underground platforms, and open-source information from government security services and law enforcement agencies. Additionally, we analyzed intelligence gathered from the Telegram channels of cybercriminal groups and hacktivists.
The goal of this report is to raise awareness among enterprises, government organizations, and individuals interested in cybersecurity regarding the latest phishing tactics and effective defensive measures. The terminology used throughout this report can be found in the glossary on the Positive Technologies website.






