Microsoft has exposed a broad-scale phishing-as-a-service (PHaaS) operation that sells phishing kits and email templates and provides low-cost hosting and automated services, enabling cyber actors to buy phishing campaigns and deploy them with little effort.
Dubbed BulletProofLink, this operation has over 100 phishing templates that mimic well-known companies and services, and is responsible for many of the phishing operations affecting businesses today. These details were revealed in a report published by the Microsoft 365 Defender Threat Intelligence Team on Tuesday.
Also called Anthrax by its operators on various websites, advertisements and other promotional materials, BulletProofLink is used by numerous attacker groups under one-off or monthly business models that provide a steady stream of revenue to its operators.
The operation, which first appeared publicly in October 2020, was discovered during an investigation into a credential phishing effort that used BulletProofLink’s phishing kit on attacker-controlled sites or on sites provided by BulletProofLink as part of its service.
Unlike phishing kits, which are sold for a one-time payment that grants access to packaged files containing ready-to-use email phishing templates, phishing-as-a-service operates on a subscription-based or software-as-a-service model. This means that malicious actors who subscribe may also make use of services such as site hosting, email delivery and credential stealing.
The stolen credentials are then sent not only to the attackers but also to the operators of BulletProofLink, a method known as double theft that mirrors the double extortion attacks of ransomware groups.
Known to be operating since 2018, BulletProofLink maintains a portal that promotes its toolkits, allowing cybercrime gangs to register and pay for the phishing-as-a-service. Malicious actors who choose to subscribe to the newsletters may also take advantage of a 10 percent discount. The portal offers carefully crafted credential-phishing templates that sell for $80 to $100 apiece and enable hackers to steal credentials from unsuspecting victims when they click a malicious URL in an email message.