Number of phishing attacks doubles in one year

A new report from Barracuda Networks shows how phishing attacks became more sophisticated and difficult to detect in 2025. The number of known phishing kits doubled, with 90 percent of large-scale campaigns relying on phishing-as-a-service.

According to Barracuda’s report “Threat Spotlight: How phishing kits evolved in 2025,” 90 percent of large-scale phishing campaigns last year were based on phishing kits that are sold or rented as a service. These kits made it easier for less experienced attackers to carry out attacks, while at the same time increasing technical sophistication.

The fact that phishing-as-a-service is becoming increasingly accessible has been known throughout the year. In early 2025, we reported on LevelBlue research that highlighted this trend. In addition to these ready-made phishing kits, well-known malware families were also easy to use, with the five largest malware families accounting for 60 percent of all observed attacks.

AI makes phishing more realistic

On the surface, phishing attacks have remained largely the same: so-called HR messages, invoice fraud, and voicemail scams are still popular among attackers. The big difference, Barracuda Networks explains, was in the realism of the attacks. Attackers increasingly used generative AI to produce convincing emails that closely match the tone, branding, and writing style of legitimate services such as Microsoft and DocuSign.

In addition, QR codes were often embedded in emails and documents. The aim was to lure victims away from corporate desktops to less protected mobile devices. Some campaigns even split or nested QR codes to evade detection by email security tools. This form of phishing is also known as ‘quishing’ or ‘qishing’.

Problem on the other side too

Security comes from two sides. More attackers and more complex attack methods contribute to increased cyber risk. However, there is also much room for improvement on the defensive side. This starts with detecting phishing emails, which still seems to be the responsibility of the person receiving the email. Yet recognizing these emails is more difficult than ever. As a result, many employees do not report suspicious emails or fail to recognize them as such. In addition, there is a shortage of security personnel who can respond to reports. There is also often no automated incident response to check inboxes in advance. Furthermore, many users simply assume that security tools are there to provide protection, so they feel they don’t need to be vigilant. All this is evident from another Barracuda Networks report, “The Email Security Breach Report 2025.”