MSSP, Managed Security Services, Email security, Endpoint/Device Security, AI benefits/risks, Generative AI, Attack surface management, Cloud Security, Data Security, Network Security, Phishing, SOC, EDR, MDR

AI-Powered Phishing Puts MSSPs on the Defensive: Barracuda

A computer screen displays a digital alert of an email phishing threat, accompanied by a striking red warning sign.

Among the earliest impacts of generative AI in cybersecurity was that it enabled threat actors to write more convincing phishing emails, removing many of the telltale signs like awkward phrasing and misspellings in the messages.

Since then, threat groups have more tightly embraced AI in phishing, a trend that is putting more pressure on MSSPs and corporate security teams at a time when email is a key target used in identity-based attacks, according to Merium Khalid, director of SOC offensive security in the office of the CTO at Barracuda Networks.

“AI’s impact on phishing has clearly moved beyond improving email copy,” Khalid told MSSP Alert. “Barracuda research shows that AI is now being used to industrialize phishing operations, primarily through the rapid growth of phishing-as-a-service [PhaaS] platforms. These platforms package templates, fake login pages, hosting infrastructure, automation, and analytics into subscription-based kits that significantly reduce the skill barrier for malicious actors.”

The result is that phishing campaigns are being initiated more rapidly and at a larger scale, she added. In its recent 2026 Email Threats Report, Barracuda researchers found that 90% of high-volume phishing campaigns relied on PhaaS kits and that 48% of malicious email activity is phishing.

A Strategic Shift

At the same time, there has also been a strategic shift among cybercriminals from over malware delivery methods to what Khalid said are more covert tactics, like moving from file-based payloads to URL-based distribution, exploiting trusted platforms, using QR codes that direct targets to phishing destinations, and abusing compromised accounts to deliver credible messages from legitimate inboxes.

These are designed to evade detection and delay a response from defenders.

“The practical effect is that phishing is no longer just about tricking an individual user with a well‑written email. It’s about scaling credential theft, enabling account takeover, and sustaining access by exploiting trust, identity, and routine business workflows.

The Barracuda researchers analyzed more than 3.1 billion emails, and their report also addressed other email threats, such as business email compromise (BEC), impersonation, malicious attachments, and account takeover. AI is playing an increasingly larger role in all of them.

Centralized PhaaS Platforms

Other cybersecurity firms are also seeing a rapid increase in the sophistication of phishing operations. Researchers with Group-IB late last month wrote about their discovery of the “Phoenix System” administrative panel, a centralized PhaaS platform that includes real-time monitoring of victims, geofencing, and live-phishing interventions to bypass multifactor authentication (MFA) protections.

Pointing to the Phoenix Systems – as well as another called “Mouse System” – the researchers wrote that “by centralizing infrastructure within a unified backend, the platform supports multi-region and multi-vertical campaign deployment while embedding automation that lowers the technical barrier to entry.”

The Challenge for MSSPs, Security Teams

Defenders, including SOCs and MSSPs, need to understand that email is being targeted as more than a channel for delivering malicious files, and that identity abuse is now a routine risk rather than an edge case, Khalid said.

This means that defenders need to employ more than standalone email filtering, she said. It requires a layered approach that combines advanced email protection with identity controls, real-time link analysis, and automated incident response.

They also need “need visibility into behaviors that signal compromise, such as unusual login activity or suspicious mailbox rule changes, and the ability to act quickly to contain incidents before attackers can establish persistence or launch follow‑on attacks, Khalid said.

Threats Multiplied for MSSPs

For MSSPs, which can have dozens of clients, phishing is now both higher in volume and more demanding operationally. According to Barracuda’s research, once a bad actor takes over an account, they follow with quiet persistence tactics, like manipulating inbox rules, impersonating trusted users, and running internal phishing campaigns.

“As PhaaS drives attack scale, the sheer number of malicious and unwanted emails increases alert fatigue and raises the likelihood that something slips through,” she said. “At the same time, the attacks that do succeed tend to be more subtle and longer‑lived, particularly once an account is compromised.”

While they don’t always kick off immediate alerts, they do require investigation, commitment, and constant monitoring, and usually across the environments of multiple clients. This means that “MSSPs are feeling this evolution as they spend more time on identity‑driven incidents, face greater pressure to detect compromise early, and need to respond faster to prevent downstream damage, such as business email compromise, or internal phishing propagation,” Khalid said.

Phishing 'High-Volume, Fast-Moving'

The technology that is being developed to defend against such attacks is making it less complex for attackers.

“PhaaS has transformed phishing into a high-volume, fast-moving operation, accelerating the launch of campaigns and increasing their chances of success,” the report’s authors wrote. “Today’s most sophisticated PhaaS platforms operate as advanced man-in-the-middle proxies, offering attackers tools to intercept and manipulate multifactor authentication – including real-time MFA interception and spoofing – making credential theft and account compromise easier than ever before.”

An In-Depth Guide to Cloud Security

Get essential knowledge and practical strategies to fortify your cloud security.
Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.

You can skip this ad in 5 seconds