Phishing-as-a-Service Surges — Barracuda Warns of Sophisticated Attacks

A new report from Barracuda Networks reveals how criminal groups have professionalized their phishing campaigns through so-called Phishing-as-a-Service (PhaaS). The report, “Email Threat Radar – June 2025,” exposes how cybercriminals package and sell ready-made attacks—frequently targeting Microsoft 365 users and popular platforms such as Upwork.

Notably, the notorious EvilProxy tool has resurfaced in a new form. By sending convincing emails that impersonate payment notifications from services like Upwork or fake security alerts from Microsoft, attackers trick recipients into surrendering their login credentials. Threat actors are also leveraging legitimate services such as ShareFile and Cloudflare to obscure their tracks.

Klas Palmér, security expert at Barracuda in Sweden

“These are no longer simple scam emails with poor spelling. This is about sophisticated, well-produced attacks where you almost have to be an expert to notice something is wrong,” says Klas Palmér, security expert at Barracuda Networks.

Two additional trends also stand out in the report:

  • Multi-stage invoice fraud: An increasingly common tactic is to deliver attachments in multiple steps—for example, a .msg file containing an embedded image that then links to a phishing site. This layered approach makes it harder for security systems to detect the attack promptly and increases the chance that employees—particularly in finance and HR—will be tricked into approving fraudulent payments or disclosing sensitive information. The consequences can range from financial loss to attackers gaining access to internal systems and data, potentially resulting in data breaches, identity theft, or long-term information leaks.
  • ClickFix—social engineering reimagined: A growing number of attacks rely less on infected attachments and more on convincing the user to paste and run commands on their own machine. By using manipulative language and fabricated urgency—such as claims of interrupted hotel bookings or alleged IP attacks—attackers coerce victims into running malicious code themselves.

“ClickFix attacks demonstrate how far threat actors have evolved. They can get you to hand over your device with just a few keystrokes,” Palmér adds.

The report is part of Barracuda’s ongoing analysis of global email threats and is based on data collected in May 2025.
