The Gist
Identity-driven attacks are no longer just a tactic—they’re a thriving cybercrime industry.
According to eSentire’s Threat Response Unit, identity-based attacks surged 156% between 2023 and early 2025. Today, they account for nearly 60% of all major investigations.
So what’s behind the spike?
As Infosecurity Magazine reports, there’s now a booming black-market business focused on stealing employee login credentials—especially from finance and leadership teams. And it has a name: PhaaS, short for Phishing-as-a-Service.
PhaaS platforms such as EvilProxy and Tycoon 2FA work like SaaS for cybercriminals: they offer ready-to-use kits designed to steal business credentials, bypass MFA, and launch highly targeted campaigns. These services are cheap, scalable, and frighteningly effective.
How PhaaS (Phishing-as-a-Service) Works
There’s now an entire ecosystem and underground economy built to help attackers target your business’s employees. These attackers aren’t going after random consumers—they’re impersonating your employees, especially those with access to sensitive workflows.
Once inside, they can:
- Bypass perimeter defenses
- Masquerade as trusted colleagues
- Hijack payment approvals, vendor interactions, and financial systems
Their toolkit includes:
- Infostealers that harvest login credentials
- Phishing-as-a-Service kits that mimic internal emails with frightening accuracy
- GenAI tools that scrape LinkedIn, train on company emails, and generate convincing deepfake communications
In one breach earlier this year, 6 million records were stolen from Oracle Cloud’s SSO—including passwords and manager access keys. That data is now circulating on dark web marketplaces—ready to be used for highly targeted impersonation campaigns.
And here’s the hardest part: Most of these attacks don’t trip alarms.
They use real credentials, exploit real workflows, and blend into business-as-usual—until the damage is done.
Trustmi’s Take
You’re not just up against cybercriminals—you’re up against an industry.
With PhaaS kits, GenAI automation, and credential marketplaces, cybercriminals can now operate with scale, speed, and surgical precision. They don’t break in—they log in.
They know exactly who to impersonate, what to ask for, and when your processes are most vulnerable. That’s why visibility across systems, behaviors, and approvals is no longer optional. It’s essential.
In a world where:
- Your ERP is a target
- Your emails are mimicked
- Your logins are for sale
The only real defense is intelligence that sees across systems and flags what doesn’t belong.
Want to see how PhaaS attacks unfold? Watch Episode 2 of our webinar series for a live hacking demo of AI-enhanced identity attacks.