The FBI's takedown of a large-scale phishing operation revealed the industrialised infrastructure behind modern phishing campaigns: hosted phishing kits deployed across hundreds of compromised domains, automated email delivery systems rotating through thousands of sending IP addresses, and credential harvesting backends that processed stolen logins in real time and sold them to the highest bidder. The operation had targeted thousands of victims across financial services, healthcare, and government, with an average compromise-to-account-takeover time of under four minutes from the moment a user submitted credentials on a phishing page. Phishing is not a technology problem — it is an economics problem. The attacker's cost to send a million phishing emails is near zero; the victim's cost to have their credentials stolen is enormous. Your email security engineering must make phishing expensive enough to fail against your organisation.
What Happened and Why It Matters
The FBI's operation dismantled a phishing-as-a-service (PhaaS) platform — a criminal SaaS product that allowed non-technical attackers to run sophisticated phishing campaigns by subscribing to a ready-made phishing kit, pre-configured landing pages impersonating major banks and enterprise applications, automated email delivery infrastructure, and a backend dashboard showing harvested credentials in real time. The platform had thousands of "customers" — criminal actors who paid a subscription fee to use the infrastructure — making the actual number of direct operators a small fraction of the campaign's total reach.
The PhaaS model is important for engineering teams to understand because it fundamentally changes the sophistication level required to run a phishing campaign. Your organisation is not only being targeted by skilled threat actors — it is being targeted by anyone who can afford a $50/month subscription. The industrialisation of phishing means attack volume is higher, campaigns are more convincing, and the economics make it viable to target even small organisations.
How Industrial Phishing Operations Work
Understanding the technical components of a modern phishing campaign helps engineering teams identify which controls will be most effective:
- Domain spoofing and lookalike domains — Attackers register domains that visually resemble your organisation's domain and configure them with clean SPF and DKIM records to bypass spam filters, making their spoofed emails look more legitimate than many real corporate emails.
- Email delivery infrastructure rotation — Professional phishing operations route email through hundreds of SMTP relay servers, rotating IPs and sending domains to stay ahead of reputation-based filters. They also send during business hours in the target's timezone to mimic legitimate email patterns.
- Real-time credential relay (adversary-in-the-middle) — Modern phishing kits relay credentials in real time to the legitimate service and log the session cookies returned. The victim is seamlessly logged in while the attacker simultaneously has their session cookie — bypassing TOTP-based MFA.
- Contextual targeting and pretexting — Effective phishing emails reference real events: a pending delivery, a recent purchase, a document share from a known colleague. This comes from LinkedIn scraping, breach data on dark web markets, and compromised email accounts from prior campaigns.
Email Security Engineering: The Controls That Actually Work
Email security is one of the highest-ROI security investments an engineering team can make. The following controls directly reduce phishing success rates — both attacks against your users and attacks using your domain to phish others:
- Implement DMARC with a reject policy — DMARC with p=reject means any email that fails SPF or DKIM authentication is rejected outright — preventing attackers from spoofing your domain. Start with p=none to monitor, progress to p=quarantine, then p=reject. Tools like Dmarcian or Valimail simplify the transition.
- Enforce DKIM signing on all outbound email streams — Ensure every email stream — transactional email (SendGrid, SES), marketing email (Mailchimp), internal email (Google Workspace, Microsoft 365) — is DKIM-signed with a 2048-bit key. An unsigned email claiming to be from your domain will fail DKIM verification.
- Deploy anti-phishing training with simulated campaigns — Simulated phishing campaigns test your users' actual response to phishing emails and deliver targeted training to users who click. Tools include KnowBe4, Proofpoint Security Awareness, or the open-source GoPhish. Measure success rate reduction over time, not just training completion.
- Implement FIDO2/WebAuthn (phishing-resistant MFA) — FIDO2/WebAuthn hardware keys (YubiKey) or platform authenticators (Face ID, Windows Hello) bind authentication to the specific domain. A phishing site on a different domain cannot relay the authentication — making it the only fully phishing-resistant MFA standard.
What Engineering Teams Should Do
Email security engineering is not a one-time configuration task — it is an ongoing program. Start with DMARC in monitoring mode, understand your email streams, progress to enforcement, and layer in phishing-resistant MFA and continuous user training. The goal is not to make phishing impossible but to make it expensive enough that attackers move on to easier targets.
Pillai Infotech's cybersecurity engineers implement email security programs — DMARC enforcement, DKIM configuration, Microsoft Defender for Office 365 anti-phishing policies, and simulated phishing programs. For companies building authentication systems, our custom software development practice implements FIDO2/WebAuthn as a standard component of any authentication flow where phishing resistance is required.
Frequently Asked Questions
What is the difference between SPF, DKIM, and DMARC?
SPF specifies which IP addresses are allowed to send email on behalf of your domain. DKIM adds a cryptographic signature to emails that receiving servers verify against your DNS records. DMARC ties both together: it specifies what to do (none/quarantine/reject) when an email fails SPF or DKIM, and enables reporting so you can see who is sending email claiming to be from your domain.
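To make the SPF/DKIM/DMARC relationship concrete, and to show what the p=none to p=quarantine to p=reject progression recommended in the controls section actually changes on the receiving side, here is an added Python example (not code from this article, nor from Dmarcian, Valimail or any other vendor named here). It parses a DMARC TXT record and evaluates one message the way a receiving server does: DMARC passes when either SPF or DKIM passes and the authenticated domain aligns with the visible From domain; the published policy is applied only when neither does. The domains and records are constructed, and the organisational-domain lookup is simplified (a real receiver consults the Public Suffix List).

```python
"""DMARC record parsing and disposition evaluation.

Added illustrative example, not code from the article or from any of the
vendors it names. An email passes DMARC when either SPF or DKIM passes
*and* the authenticated domain aligns with the RFC5322.From domain; only
when neither does is the published policy (none/quarantine/reject) applied.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed DMARC TXT records for fictitious domains (not real DNS data).
SAMPLE_RECORDS = {
    "example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=r",
    "monitoring.test": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.test",
}


@dataclass
class DmarcPolicy:
    policy: str                # p= tag: none, quarantine or reject
    adkim: str = "r"           # DKIM alignment: r (relaxed) or s (strict)
    aspf: str = "r"            # SPF alignment: r (relaxed) or s (strict)
    rua: Optional[str] = None  # aggregate-report destination, if published


def parse_dmarc(txt: str) -> DmarcPolicy:
    """Parse a _dmarc TXT record into its policy fields."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: missing v=DMARC1 or p= tag")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown DMARC policy {tags['p']!r}")
    return DmarcPolicy(
        policy=tags["p"],
        adkim=tags.get("adkim", "r"),
        aspf=tags.get("aspf", "r"),
        rua=tags.get("rua"),
    )


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels.
    A real implementation consults the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts a subdomain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain: str, policy: DmarcPolicy,
             spf_result: str, spf_domain: Optional[str],
             dkim_result: str, dkim_domain: Optional[str]) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain
    is the d= tag of a verified DKIM signature (None if no signature)."""
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, policy.aspf))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, policy.adkim))
    if spf_ok or dkim_ok:
        return "pass", "none"       # authenticated and aligned: deliver
    return "fail", policy.policy    # apply the published policy


if __name__ == "__main__":
    strict = parse_dmarc(SAMPLE_RECORDS["example.test"])
    # Legitimate sender on a subdomain: SPF aligns under relaxed mode.
    print(evaluate("example.test", strict, "pass", "mail.example.test", "none", None))
    # Spoofed From: SPF passes for the sender's own domain but does not align.
    print(evaluate("example.test", strict, "pass", "bulk-sender.test", "none", None))
```

The second call is the case DMARC exists for: the attacker's relay has a perfectly clean SPF record for its own domain, so SPF "passes", but the domain does not align with the From header and the message is rejected. Under the monitoring.test record the same failure yields disposition "none", which is exactly why the monitoring phase has to end.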
What is a phishing-as-a-service (PhaaS) platform?
A PhaaS platform is a criminal SaaS product enabling non-technical attackers to run sophisticated phishing campaigns via ready-made phishing kits, landing pages impersonating major brands, email delivery infrastructure, and credential harvesting dashboards. Attackers subscribe rather than building their own infrastructure. EvilProxy and Tycoon Group are well-documented examples.
Why is TOTP-based MFA vulnerable to phishing?
Modern adversary-in-the-middle phishing kits relay both the password and the OTP to the legitimate service in real time. The OTP is valid for 30 seconds — long enough to relay. FIDO2/WebAuthn hardware keys are immune because authentication is cryptographically bound to the specific domain — a phishing domain cannot trigger or relay the authentication.
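The domain binding described here is also enforced on the server side, which is what makes the relay fail: the browser, not the page, writes the page origin into clientDataJSON, and the authenticator puts SHA-256 of the relying-party ID into the authenticator data, so the relying party rejects any assertion that was produced on another origin. The following Python is an added example (not the article's code and not any vendor's WebAuthn library) that performs those checks on a constructed assertion; the final signature check over authenticatorData || SHA-256(clientDataJSON) is not shown. The RP ID, origins and challenge are made up.

```python
"""Relying-party checks that bind a WebAuthn assertion to the real origin.

Added illustrative example. It covers the ceremony type, challenge, origin,
rpIdHash and user-presence checks from the WebAuthn assertion verification
procedure; the signature check over authenticatorData || SHA-256(clientDataJSON)
is not shown. Names and values are constructed for the demo.
"""
import base64
import hashlib
import json
import secrets
from typing import Tuple

RP_ID = "example.test"                        # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.test"
CHALLENGE = bytes(range(32))                  # fixed only so the demo is repeatable


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> bytes:
    """Stand-in for the clientDataJSON the browser builds. The browser, not
    the page script, fills in `origin`, so a phishing page cannot forge it."""
    return json.dumps({"type": typ, "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, user_present: bool = True, sign_count: int = 1) -> bytes:
    """Stand-in for authenticatorData: rpIdHash(32) | flags(1) | signCount(4)."""
    flags = 0x01 if user_present else 0x00
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, expected_origin: str,
                     rp_id: str) -> Tuple[bool, str]:
    """Apply the domain-binding checks a relying party performs on login."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    genuine = make_client_data(EXPECTED_ORIGIN, CHALLENGE)
    relayed = make_client_data("https://login.examp1e.test", CHALLENGE)  # lookalike origin
    auth = make_auth_data(RP_ID)
    print(verify_assertion(genuine, auth, CHALLENGE, EXPECTED_ORIGIN, RP_ID))
    print(verify_assertion(relayed, auth, CHALLENGE, EXPECTED_ORIGIN, RP_ID))
```

In practice the relay fails even earlier than this check: a browser on login.examp1e.test is only allowed to request credentials scoped to examp1e.test, so the authenticator never produces an assertion for example.test at all. The server-side origin and rpIdHash checks are the defence in depth behind that, and they are also where a logging hook for "assertion from unexpected origin" belongs, since such an event is a strong phishing signal.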
How effective are simulated phishing campaigns?
Research from KnowBe4 and Proofpoint consistently shows organisations that run regular simulated phishing campaigns reduce their phishing susceptibility rate from an industry average of 35-40% to under 5% within 12 months. The key is regularity, variety, and immediate contextual training at the moment a user clicks.
What is a lookalike domain attack and how can we monitor for them?
A lookalike domain attack registers a name that visually resembles your domain and uses it to host phishing pages or send spoofed email. Monitor for such names via CertStream (Certificate Transparency logs), DomainTools, or brand protection services from Recorded Future. Proactively registering common typo variations also removes those options from attackers.
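One way to act on this answer is to generate the typo and homoglyph variants of your own domain once, use that list both for defensive registration and as a watch list, and compare every name that appears in a Certificate Transparency feed against it. The Python below is an added example (not the article's code, and not CertStream's, DomainTools' or Recorded Future's); the CT feed entries are constructed, and the variant generator covers a small subset of what a full toolkit produces.

```python
"""Lookalike-domain watch list and Certificate Transparency matching.

Added illustrative example. Generates omission, repetition, transposition,
homoglyph, keyword and wrong-TLD variants of a domain you own and flags any
certificate whose subject name is (or sits under) one of them. CT_FEED is
constructed; a live feed such as CertStream delivers names in the same shape,
wildcards included.
"""
from typing import Dict, List, Set, Tuple

# Visually confusable substitutions seen in lookalike registrations (subset).
HOMOGLYPHS: Dict[str, List[str]] = {
    "l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}
ALT_TLDS = ["com", "net", "org", "co", "io"]
KEYWORDS = ["login", "secure", "mail", "support"]


def lookalike_variants(domain: str) -> Set[str]:
    """Return candidate lookalikes for a registrable domain such as 'example.test'."""
    name, _, tld = domain.lower().rpartition(".")
    names: Set[str] = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])                          # omission
        names.add(name[:i] + name[i] * 2 + name[i + 1:])            # repetition
        for sub in HOMOGLYPHS.get(name[i], []):                     # homoglyph
            names.add(name[:i] + sub + name[i + 1:])
        if i + 1 < len(name):                                       # transposition
            names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for kw in KEYWORDS:                                             # keyword padding
        names.add(f"{name}-{kw}")
        names.add(f"{kw}-{name}")
    names.discard(name)
    variants = {f"{n}.{tld}" for n in names}
    variants |= {f"{name}.{t}" for t in ALT_TLDS if t != tld}       # wrong TLD
    return variants


def match_ct_feed(watch_domain: str, feed: List[str]) -> List[Tuple[str, str]]:
    """Return (certificate name, matched variant) for each feed entry on the watch list."""
    variants = lookalike_variants(watch_domain)
    hits = []
    for cert_name in feed:
        bare = cert_name.lower()
        if bare.startswith("*."):
            bare = bare[2:]                                         # wildcard cert
        labels = bare.split(".")
        # Check the name and every parent, so login.examp1e.test matches examp1e.test.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in variants:
                hits.append((cert_name, candidate))
                break
    return hits


# Constructed CT log entries (not real certificates).
CT_FEED = [
    "login.examp1e.test",   # homoglyph l -> 1 under a login subdomain
    "exmaple.test",         # transposition
    "example-login.test",   # keyword suffix
    "example.co",           # TLD swap
    "unrelated.test",       # noise
    "*.example.test",       # our own wildcard cert, must not be flagged
]

if __name__ == "__main__":
    for cert_name, variant in match_ct_feed("example.test", CT_FEED):
        print(f"ALERT lookalike certificate issued: {cert_name} (matches {variant})")
```

The same `lookalike_variants` output is the shortlist for the defensive registration step the answer mentions: register the ones that are available, and put the rest on the watch list. A certificate for a watched name is a higher-fidelity signal than a bare registration, because it usually means a login page is about to go live.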