11 ways cybercriminals are making phishing more potent than ever
Recorded Future’s LaTulip comments: “This type of attack is an evolution of the more traditional, text-based phishing and is the criminals’ response to advances in email security filters. Embedded images are used to bypass the email filters, with the image used to disguise malicious content or links.”
Clicking on these images leads unsuspecting employees to either credential-harvesting or exploit-loaded websites.
“Criminals may also continually edit and adapt images by changing colors or size,” LaTulip says. “This is often done to keep an image fresh, so that it increases its chances of avoiding detection.”
They’re using Russian fronts
KnowBe4 reports a surge in phishing campaigns leveraging Russian (.ru) top-level domains from December 2024 to January 2025.
The KnowBe4 Threat Research team noted a 98% rise in these phishing campaigns, which are primarily aimed at credential harvesting.
Some Russian .ru domains are run by so-called “bullet-proof” hosting providers, outfits known to keep malicious domains running and ignore abuse reports against sites run by their cybercriminal customers.
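The two evasion patterns above, an email whose only clickable element is an image and links that resolve to a .ru host, can both be caught with the same mail-triage heuristic. The script below is an added example and is not from the article or any of the vendors quoted in it; it uses only the Python standard library, the two `.eml` messages are constructed samples, and the domains in them are placeholders, not real indicators.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Top-level domains the team has decided to flag for manual review.
# Constructed policy value for this example; tune it to your own telemetry.
SUSPECT_TLDS = {"ru"}

# Below this many visible characters an email with an image-wrapped link is
# treated as an image-only lure (constructed threshold).
MIN_VISIBLE_TEXT = 40


class LureScanner(HTMLParser):
    """Walk an HTML body and record links, image-wrapped links and visible text."""

    def __init__(self):
        super().__init__()
        self.links = []          # href of every <a>
        self.image_links = []    # href of every <a> that wraps an <img>
        self.text_chars = 0      # count of visible, non-whitespace characters
        self._open_href = None   # href of the <a> currently being walked
        self._skip = 0           # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._open_href = a.get("href")
            if self._open_href:
                self.links.append(self._open_href)
        elif tag == "img" and self._open_href:
            self.image_links.append(self._open_href)
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag == "a":
            self._open_href = None
        elif tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())


def tld_of(url):
    host = (urlparse(url).hostname or "").lower()
    return host.rsplit(".", 1)[-1] if "." in host else ""


def triage(raw_eml):
    """Parse one RFC 5322 message and return the lure indicators found in it."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return {"image_only_lure": False, "suspect_tld_links": [], "links": []}
    scanner = LureScanner()
    scanner.feed(body.get_content())
    return {
        "image_only_lure": bool(scanner.image_links)
        and scanner.text_chars < MIN_VISIBLE_TEXT,
        "suspect_tld_links": [u for u in scanner.links if tld_of(u) in SUSPECT_TLDS],
        "links": scanner.links,
    }


# Constructed sample: the picture is the only clickable element and it points
# at a .ru host. Domain is a placeholder, not a real indicator.
LURE_EML = """\
From: payroll@example-corp.invalid
To: staff@example-corp.invalid
Subject: Updated payslip
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://portal-update.example-phish.ru/login"><img src="cid:slip.png" width="600"></a>
</body></html>
"""

# Constructed sample of an ordinary internal notice with a normal text link.
NOTICE_EML = """\
From: it-helpdesk@example-corp.invalid
To: staff@example-corp.invalid
Subject: Maintenance window on Saturday
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The VPN gateway will be patched on Saturday between 02:00 and 04:00 UTC.
Details are on the intranet: <a href="https://intranet.example.com/maintenance">maintenance page</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE_EML), ("notice", NOTICE_EML)):
        print(name, triage(raw))
```

The visible-text count ignores `<script>` and `<style>` content so that hidden padding text does not inflate it, and the TLD check runs on the parsed hostname rather than on the raw string so that a `.ru` buried in a path or query string does not cause a false match.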
They’re supercharging intel gathering
On the dark web and hacker forums, AI-assisted toolsets have become increasingly common.
“These tools can scrape social media posts and even identify a user’s exact geolocation through images and posts — an increasingly prevalent tactic,” Huntress’ Linares says.
Other intelligence-gathering tools focus on organizations rather than individuals. These can scrape LinkedIn, recruitment sites, DNS records, web hosting services, and third-party service providers to uncover valuable insights about a company’s infrastructure, software stacks, internal tools, employees, office locations, and other potential targets for social engineering or cyberattacks.
Sophisticated attackers are also repurposing legitimate marketing tools and platforms to identify prime opportunities for SEO hijacking and phishing attacks, maximizing the reach and effectiveness of scams.
They’re professionalizing with PhaaS
Phishing-as-a-service (PhaaS) kits are expected to account for half (50%) of credential theft attacks in 2025, up from 30% in 2024, according to cybersecurity vendor Barracuda.
Barracuda predicts these platforms are evolving to include features that allow cybercriminals to steal multi-factor authentication (MFA) codes and employ more advanced evasion techniques, such as the use of QR-based payloads.
PhaaS platforms offer a subscription-based suite of tools and services, including dashboards and stolen credential storage, that facilitate phishing attacks. These cybercrime-enabling toolkits are sold through Telegram, dark web forums, and underground marketplaces. Subscriptions cost from $350 per month, according to cyber threat management firm Adarma.
The most widely used such platform, Tycoon 2FA, which Barracuda blames for 89% of observed PhaaS incidents, harnesses encrypted scripts and invisible Unicode characters to evade detection, steal credentials, and exfiltrate data via Telegram.
Built for adversary-in-the-middle attacks, Sneaky 2FA abuses Microsoft 365’s ‘autograb’ feature to pre-populate fake login pages, filtering out non-targets and bypassing 2FA, as explained in a recent technical blog post by Barracuda.
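The invisible Unicode characters mentioned above for Tycoon 2FA survive copy-paste and defeat naive string matching, but they are easy to find once you look for them. The following is an added example, not code from the article or from Barracuda: a small scanner that reports every format-control or otherwise blank code point in a page or script body and returns a cleaned copy for further inspection. The obfuscated snippet it runs on is constructed for the example.

```python
import unicodedata

# Code points that draw nothing on screen but are not in Unicode category Cf.
# Constructed list for this example; extend it from your own samples.
BLANK_NOT_CF = {
    "\u3164",  # HANGUL FILLER
    "\u2800",  # BRAILLE PATTERN BLANK
}


def is_invisible(ch):
    """True for format-control characters (zero-width space/joiners, soft
    hyphen, BOM, tag characters) and the extra blank glyphs listed above."""
    return unicodedata.category(ch) == "Cf" or ch in BLANK_NOT_CF


def find_invisible(text):
    """Return (offset, code point, name) for every invisible character."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
        for i, ch in enumerate(text)
        if is_invisible(ch)
    ]


def strip_invisible(text):
    """Return the text with every invisible character removed."""
    return "".join(ch for ch in text if not is_invisible(ch))


def report(text, max_ratio=0.0):
    """Summarise a body; flag it when invisible characters exceed max_ratio."""
    hits = find_invisible(text)
    ratio = len(hits) / len(text) if text else 0.0
    return {
        "count": len(hits),
        "ratio": round(ratio, 4),
        "names": sorted({name for _, _, name in hits}),
        "suspicious": ratio > max_ratio,
    }


# Constructed sample: keywords broken up with zero-width characters so that a
# filter searching for "password" or "getElementById" would not match.
SAMPLE = (
    "var fo\u200brm = document.getEle\u200cmentById('login');\n"
    "<span>Ent\u00ader your pass\u200dword</span>"
)

if __name__ == "__main__":
    for offset, cp, name in find_invisible(SAMPLE):
        print(f"offset {offset}: {cp} {name}")
    print(report(SAMPLE))
    print(strip_invisible(SAMPLE))
```

Running `strip_invisible` before any keyword or signature match restores the literal strings the kit tried to hide; `report` is the cheap first-pass check, since legitimate HTML and JavaScript almost never contain these code points at all, so a non-zero count is already worth a look.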