With Caffeine, a new Phishing-as-a-Service (PhaaS) platform, a threat actor can easily launch attacks by making use of the open registration process feature that allows anyone to launch their own phishing campaigns.  

Mandiant discovered and tested Caffeine and called it dangerous given its low barrier for entry. Caffeine was first spotted while targeting one of Mandiant's clients to steal Microsoft 365 account credentials.

Why Caffeine?

  • A threat actor prefers Caffeine because it doesn't require invites/referrals, nor does it require any approvals from a hacking forum or a Telegram admin.
  • Caffeine’s phishing templates aim for the Russian and Chinese platforms, unlike most PhaaS platforms that target Western services.

Caffeine features

  • To access Caffeine, an account is a must, after which the operator gets immediate entry to the store that contains phishing tools and an overview dashboard.
  • Purchasing a subscription license is a must for an operator and its cost ranges from $250/month, $450 for three months, or $850 for six months, depending on the features.
  • What makes Caffeine subscription 3–5 times costlier than its contemporaries is that it offers anti-detection and anti-analysis systems and customer support services.

Phishing campaign

  • After phishing campaign parameters are set, operators will deploy a phishing kit, before selecting a phishing template.
  • Analysts believe that Caffeine will add more phishing templates soon, including Microsoft 365 and other lures tailored for Chinese and Russian platforms.
  • Phishing emails can additionally be sent out using the platform's PHP-based email management utility, implying that external tools aren't required.


Researchers at Mandiant have outlined methods for detecting and catching Caffeine-based phishing emails. They, however, have highlighted the possibility that fraudsters may adopt new evasion strategies. In the quest for automated platforms to expand their operations, Caffeine subtly promotes itself as a go-to option for low-skilled cybercriminals.
Cyware Publisher