How did CaaS come about?<\/h2>
It’s difficult to pinpoint exactly when CaaS emerged, but the concept has its roots in “kits” for phishing and exploit campaigns, which enable non-experts to purchase the technical components and deploy an attack themselves. As underground vendors recognized the economic potential of packaging tools and capabilities for sale, they took the idea further and began offering end-to-end services.<\/p>
Phishing-as-a-Service, for example, packages phish kits with email templates, landing page hosting services, and tools to capture victims’ credentials. For as low as $50 per month, an actor can rent a kit and set their operations on autopilot, reaping the rewards with almost no effort 1<\/a><\/sup> In the Ransomware-as-a-Service (RaaS) model, which has now become the norm for ransomware, vendors develop ransomware and work with “affiliates” who hack a network and deploy the ransomware. The ransomware group then negotiates with victims on the affiliate’s behalf, and profits are shared between the group and the affiliate in a transparent, publicly advertised royalty split.<\/p> With ongoing development of the cybercrime economy, the end-to-end CaaS model for specialized attacks such as phishing or ransomware has given way to a decentralized ecosystem of providers, each playing a specialized role in an attack:<\/p> Developers <\/strong>create the technical components, whether that’s phish kits, malware such as infostealers, or ransomware. <\/p> Access brokers<\/strong> breach computer systems, networks, and accounts, then monetize access—they sell the keys to the treasure chest, not the treasure itself. Access brokers sell everything from VPN logins and remote access credentials to company directories and admin privileges. <\/p> Operators<\/strong> use technical tools created by developers and access that’s bought or leased from brokers to deploy attacks. Operators are end users and could include ransomware affiliates, data extortion groups, cyber mercenaries, or nation-state actors. <\/p> This division of labor can be found in various types of attacks, thereby increasing efficiency and effectiveness and lowering prices. As CaaS has professionalized, vendors have adopted the structures of legitimate tech companies with branded services, marketing, tiered pricing, and even tech support.<\/p> Just as AI is empowering modern businesses to be more efficient, it is doing the same for the CaaS economy. AI is already beginning to streamline processes across the CaaS ecosystem, making cybercrime faster, easier, cheaper, and more effective. Operators can use AI to write effective phishing emails free of telltale grammar and spelling errors, and automate targeted spear phishing attacks. Ransomware groups are using AI translation tools for real-time negotiations. Access brokers can use AI to scan systems for vulnerabilities, finding chinks in the armor they can exploit, and then escalate privileges of stolen user accounts without human intervention.<\/p> Microsoft’s threat analysts and digital crimes specialists track cybercrimes worldwide to understand the evolution and how to stay ahead of emerging threats. The 2025 Microsoft Digital Defense Report (MDDR) will break down recent developments and what organizations and individuals can do to protect themselves. Come back when the report is available for download on October 16, 2025.<\/p>\n","protected":false},"excerpt":{"rendered":" Cybercrime-as-a-Service (CaaS) is a business model that enables threat actors to deploy cyberattacks with little or no technical expertise. Learn more about this increasingly robust underground economy.<\/p>\n","protected":false},"author":23,"featured_media":2454,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_microsoft_sidebar_content":"\n Share<\/p>\n\n\n<\/div>\n\n\n\n The cybercrime landscape now looks increasingly like a shadow version of the tech industry with similar tools, practices, and technological innovations.<\/p>\n<\/blockquote>\n","_microsoft_bottom_content":"\nCaaS today<\/h2>
What’s next?<\/h2>
Learn more<\/strong><\/h2>
5 things you need to know about tracking today's nation-state threats<\/a><\/h2>\n\n\n\n
<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
Microsoft\u2019s Digital Crimes Unit helps the law move at the speed of cybercrime<\/a><\/h2>\n\n\n\n
<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n
![\"Blog](\"https:\/\/celacampaig.wpenginepowered.com\/wp-content\/uploads\/2025\/12\/DCU-Disruption-Operation-Pin-Blog-Header_1280p.jpg\")
<\/a><\/figure>\n\n\n\nTargeting the cybercrime supply chain<\/a><\/h3>\n<\/div>\n\n\n\n
\n <\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
![\"Blog](\"https:\/\/celacampaig.wpenginepowered.com\/wp-content\/uploads\/2025\/12\/FY25_Q4_PA_Cybersecurity__Blog-Header-1web.webp\")
<\/a><\/figure>\n\n\n\nDisrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool<\/a><\/h3>\n<\/div>\n\n\n\n
\n <\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
![\"Story:](\"https:\/\/celacampaig.wpenginepowered.com\/wp-content\/uploads\/2025\/11\/HEADER_DCU-1024x436.webp\")
<\/a><\/figure>\n\n\n\nThe CyberPeace Institute is helping NGOs defend themselves\u2014before it\u2019s too late<\/a><\/h3>\n<\/div>\n\n\n\n