Caffeine, a previously unknown phishing-as-a-service (PhaaS) toolset, is being used by cybercriminals to scale up their attacks and deliver malicious payloads easily.

“This platform has a simple UI and comes for a relatively moderate cost while offering its criminal customers a plethora of capabilities and tools to orchestrate and automate essential components of their phishing operations,” Mandiant stated in recent research.

The platform’s key capabilities include creating bespoke phishing kits, managing redirect pages, dynamically building URLs containing payloads, and tracking campaign success.

The announcement comes after Resecurity exposed EvilProxy, another PhaaS service offered for sale on criminal forums on the dark web.

However, unlike EvilProxy, whose administrators are known to screen prospective clients before activating subscriptions, Caffeine has an open registration process, allowing anybody with an email address to join the service.

This restriction-free strategy eliminates the need for Caffeine to approach actors on underground forums or require a reference from an existing user. It also lowers the barrier to entry and lets Caffeine grow its clientele quickly.

The PhaaS toolbox further distinguishes itself by providing phishing email templates aimed at Chinese and Russian targets.

“While the use of phishing platforms is not a unique strategy for facilitating attacks, it is worth mentioning that such feature-rich solutions, such as Caffeine, are easily accessible to hackers,” the researchers said.

Most components of a phishing operation, including phony sign-in pages, website hosting, site templates, and credential theft, are generally developed and deployed by the operator.

Because email-based phishing threats have evolved into a service-based economy, adversaries wishing to conduct phishing attacks may now acquire such resources and infrastructure without having to build them themselves. Caffeine is no different.

To use its extensive capabilities, which include a campaign management dashboard and a set of tools for designing attacks, users must create an account and pay a subscription that costs $250 per month (Basic), $450 for three months (Professional), or $850 for a six-month license (Enterprise).

Caffeine actors are deploying the kits using compromised admin accounts, misconfigured websites, or flaws in web infrastructure platforms. The goal of the phishing campaign is to facilitate Microsoft 365 credential theft via rogue sign-in pages hosted on legitimate WordPress sites.

While the login pages are currently confined to Microsoft 365 credential harvesting lures, the Google-owned threat intelligence firm stated that other login page formats may be included in the future based on client demand.

“It’s also crucial to remember that defending against PhaaS attacks may be a cat-and-mouse game,” Mandiant added. “New infrastructure may be set up as rapidly as threat actor infrastructure is taken down.”

You are welcome to put this blog article on your website, provided you also append an active link to our website “Source: https://resources.rhyno.io”