Welcome to IT-Branschen – The Channel for IT News, Cybersecurity and Digital Trends

For Companies, Suppliers and Decision Makers in the IT Industry

Digital strategy and insights for decision-makers in the IT industry

Subscribe

Stay up to date with the most important news

By pressing the Subscribe button, you confirm that you have read and agree to our privacy policy and terms of use
Subscribe
Facebook Twitter Instagram LinkedIn Pinterest
Contact us
Phishing-as-a-Service is gaining momentum – Barracuda sounds the alarm about sophisticated attacks Phishing-as-a-Service is gaining momentum – Barracuda sounds the alarm about sophisticated attacks

Phishing-as-a-Service is gaining momentum – Barracuda sounds the alarm about sophisticated attacks

Mateo SandstrombyMateo Sandstrom
June 16, 2025

A new report from Barracuda Networks shows how criminals have professionalized their phishing campaigns through so-called Phishing-as-a-Service (PhaaS). The report “Email Threat Radar – June 2025” reveals how cybercriminals package and sell ready-made attacks – often targeting users of Microsoft 365 and popular platforms like Upwork.

Among other things, the infamous tool EvilProxy has made a comeback in a new guise. By sending credible emails with fake payment notifications from, for example, Upwork or fake security warnings from Microsoft, the recipient is tricked into giving up their login details. The attackers exploit credible services such as ShareFile and Cloudflare to cover their tracks.

Klas Palmér, Barracuda Networks
Klas Palmér, security expert at Barracuda in Sweden

“These are no longer simple scam emails with bad spelling. These are sophisticated, well-produced attacks where you almost have to be a pro to see that something is wrong,” says Klas Palmér, security expert at Barracuda Networks.

Advertisement

Two other trends also stand out in the report:

  • Invoice fraud in several layers: An increasingly common method is to send attachments in several steps – for example, a .msg document with an embedded image that in turn links to a phishing page.

    This technology makes it difficult for security systems to detect the attack in time and increases the risk that employees, especially in economics– and HR functions, are tricked into approving fraudulent payments or disclosing sensitive information. The consequences can range from financial losses to attackers gaining access to internal systems and data, which in turn can lead to data breaches, identity theft or long-term information leaks.
  • ClickFix – social engineering in a new style: A growing number of attacks are not based on infected attachments, but on the user copying commands into their computer. By using manipulative language and bluffing about canceled hotel reservations or IP attacks, the attacker tricks the user into activating the malware.

– The ClickFix attacks show how far the attackers have come. They make you give up your computer to them with just a few keystrokes, says Klas Palmér.

The report is part of Barracudas ongoing analysis of email threats globally and is based on data from May 2025.

Read the full report here.

Share
Share
Pin it
Tweet
Share
Share
Mateo SandstrombyMateo Sandstrom
Published

Stay up to date with the most important news

By pressing the Subscribe button, you confirm that you have read and agree to our privacy policy and terms of use
convendum banner
Advertisement

READ MORE