Microsoft Finds Phishing Op Behind Enterprise Campaigns

A phishing-as-a-service (PhaaS) operation, dubbed BulletProofLink and discovered by Microsoft, has been behind a number of phishing campaigns against the private sector.

Researchers at the tech giant uncovered the operation after finding a campaign that used more than 300,000 “newly created and unique subdomains” in a single run. The operation sells phishing kits, email templates, hosting and automated services—all at fairly low prices. Microsoft explained that some PhaaS groups offer everything needed for a campaign from soup to nuts—template creation, hosting and overall orchestration. That’s a lucrative business model for their “clientele.” Those service providers also offer a hosted scam page solution called fully undetected, or FUD, links. That’s their own marketing term meant to assure customers that the links are viable until users click them.

AWS Builder Community Hub

“With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today,” the Microsoft 365 Defender Threat Intelligence Team wrote in a blog post. “BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators.”

Microsoft researchers found that the operation promoted a phishing technique called “double theft,” in which a campaign can monetize in multiple ways since the miscreants send stolen credentials to both the phishing-as-a-service operator and their customers.

BulletProofLink, by its own account, has been around since 2018 and in that time has maintained a number of sites such as BulletProftLink, BulletProofLink and Anthrax. That includes YouTube and Vimeo pages that provide instructional advertisements.

Researchers at Microsoft found that the operation has “a highly flexible business model” and provides more than 100 templates. “This business model allows customers to buy the pages and ‘ship’ the emails themselves and control the entire flow of password collection by registering their own landing pages or make full use of the service by using the BulletProofLink’s hosted links as the final site where potential victims key in their credentials,” Microsoft said. “The templates are designed to evade detection while successfully phishing for credentials, but may vary based on the individual purchasing party.” Campaigns aren’t identical—they can be identified by phishing page source code, PHP password processing sites and the infrastructure they use in larger campaigns.

“The cybercrime ecosystem is a complex ecosystem with many specialized providers. The people who write ransomware may not have the same skillset to accomplish phishing,” said John Bambenek, principal threat hunter at Netenrich. “Just as cloud providers and SaaS providers make a lot of sense for companies, this is just as true for criminals.”

Even as Microsoft monitored BulletProofLink, the operation’s online store was revised multiple times—notably, pricing for the service went missing from the sign-in page for the operation’s monthly subscription.

While the Microsoft analysis didn’t reveal who the miscreants behind BulletProofLink are, “the problem isn’t that we don’t know who they are,” Bambenek said. “The problem remains that it’s difficult to bring them to justice even when we do. Crime on the internet still pays.”

Guarding against these kinds of operations comes down to going back to basics. “Good password hygiene must play a significant role in all employee cyber awareness training,” said Joseph Carson, chief scientist and advisory CISO at ThycoticCentrify.

“The average employee isn’t properly trained in cyber hygiene and best practices, making them easy targets for cybercriminals looking to access an organization’s networks quickly and easily via a phishing attack,” said Carson. “Ensuring that employees at all levels of the business are given cyber awareness training can be a significant step to help reduce the success rate of an attack or, at the very least, raise a flag.”

Normalizing training within the culture of the workplace, he said, helps businesses “maintain vigilance for these practices in the long term.”

Avatar photo

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.

teri-robinson has 194 posts and counting.See all posts by teri-robinson