11 October 2022

Caffeine PhaaS makes it easier for hackers to conduct phishing campaigns



Security researchers from Mandiant have shed some light on the inner workings of a relatively new phishing-as-a-service (PhaaS) platform called Caffeine that allows even low-skilled hackers to launch phishing attacks.

Discovered in March 2022, the platform has an intuitive interface and comes at a relatively low cost while providing a variety of features and tools to orchestrate and automate core elements of phishing campaigns.

Mandiant uncovered Caffeine while investigating a large-scale phishing campaign run through the service, targeting one of the company’s customers to steal Microsoft 365 account credentials.

The features Caffeine provides include self-service mechanisms to create customized phishing kits, manage intermediary redirect pages and final-stage lure pages, dynamically generate URLs for hosted malicious payloads, and track campaign email activity. Another noteworthy aspect is that the platform provides phishing email templates for use against Chinese and Russian targets, which is uncommon for such phishing services. Currently, the templates only target Microsoft Office 365 login pages, but the platform’s operators likely will add more templates to expand the scope of the kit.

“Unlike most PhaaS platforms Mandiant encounters, Caffeine is somewhat unique in that it features an entirely open registration process, allowing just about anyone with an email to register for their services instead of working directly through narrow communication channels (such as underground forums or encrypted messaging services) or requiring an endorsement or referral through an existing user,” Mandiant notes in its report.

Caffeine does not support perpetual-use licenses and is wholly subscription-based. The base subscription costs $250 a month (by comparison, the average PhaaS platform typically costs between $50 and $80), $450 for three months, or $850 for six months, depending on the features. This price includes anti-detection and anti-analysis systems as well as customer support services.

“Traditional phishing techniques continue to be a reliable Initial Intrusion Vector (IIV) for cyberattacks, and, as demonstrated by the Caffeine PhaaS platform, the tools to conduct full-fledged enterprise-level phishing campaigns are cheap to acquire, simple to use, and readily available to adversaries,” Mandiant concluded.

