Microsoft Warns of a Wide-Scale Phishing-as-a-Service Operation

Microsoft has opened the lid on a large-scale phishing-as-a-service (PHaaS) operation that’s involved in selling phishing kits and email templates as well as providing hosting and automated services at a low cost, thus enabling cyber actors to purchase phishing campaigns and deploy them with minimal efforts.

“With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today,” Microsoft 365 Defender Threat Intelligence Team said in a Tuesday report.

“BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators.”

The tech giant said it uncovered the operation during its investigation of a credential phishing campaign that used the BulletProofLink phishing kit on either on attacker-controlled sites or sites provided by BulletProofLink as part of their service. The existence of the operation was first made public by OSINT Fans in October 2020.

Phishing-as-a-service differs from traditional phishing kits in that unlike the latter, which are sold as one-time payments to gain access to packaged files containing ready-to-use email phishing templates, they are subscription-based and follow a software-as-a-service model, while also expanding on the capabilities to include built-in site hosting, email delivery, and credential theft.

Believed to have been active since at least 2018, BulletProofLink is known to operate an online portal to advertise their toolset for as much as $800 a month and allow cybercrime gangs to register and pay for the service. Customers can also avail of a 10% discount should they opt to subscribe to their newsletter, not to mention pay anywhere between $80 to $100 for credential phishing templates that allow them to steal credentials entered by unsuspected victims upon clicking a malicious URL in the email message.

Troublingly, the stolen credentials are not only sent to the attackers but also to the BulletProofLink operators using a technique called “double theft” in a modus operandi that mirrors the double extortion attacks employed by ransomware gangs.

“With phishing kits, it is trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit does not alter the code to remove it,” the researchers said. “This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell.”