Microsoft Uncovers BulletProofLink: Major Phishing-as-a-Service Operation

Microsoft experts have reported that the BulletProofLink service (also known as BulletProftLink or Anthrax), which operates under a Phishing-as-a-Service (PHaaS) model, is responsible for many recent phishing campaigns targeting companies and organizations.

BulletProofLink was first discovered in October 2020 by OSINT Fans researchers, who published a series of articles detailing some of the mechanisms behind the PHaaS platform. According to Microsoft, the cybercriminals behind BulletProofLink offer a variety of subscription-based services to other criminals. These services range from selling phishing kits (collections of phishing pages and templates that mimic login forms of well-known companies) and email templates, to hosting and automated services.

Essentially, clients simply register on the BulletProofLink portal, pay a fee of $800, and the BulletProofLink operators handle the rest. The service includes:

  • Setting up a web page to host the phishing site
  • Installing the phishing template
  • Configuring the domain (URL) for the phishing sites
  • Sending phishing emails to victims
  • Collecting credentials obtained during these attacks
  • Delivering the stolen logins and passwords to “paying clients” at the end of the week

If a client wants to change their phishing templates, BulletProofLink operators have a separate store where criminals can purchase new templates for $80 to $100 each. Currently, the BulletProofLink store offers about 120 different templates, and the site also provides tutorials to help clients use the service.

Microsoft researchers also report that BulletProofLink operators are not above stealing from their own clients: the service keeps copies of all collected credentials, which are then sold on the dark web for additional profit.

Technical Sophistication and Scale

Microsoft describes BulletProofLink as a technically sophisticated operation. The service’s operators often use compromised websites to host their phishing pages. In some cases, BulletProofLink compromises DNS records of hacked sites to create subdomains for hosting phishing pages.

“While investigating phishing attacks, we discovered a campaign that used a large number of newly created and unique subdomains—over 300,000 at once,” Microsoft experts said, highlighting the scale of BulletProofLink’s operations.

Microsoft refers to this tactic as “endless subdomain abuse.” It allows attackers to create a unique URL for each phishing victim using just a single domain, either purchased or compromised specifically for attacks. Even worse, these unique URLs make such attacks difficult to prevent and detect, because security solutions typically match on exact domains and URLs, and a hostname that is never reused never accumulates a reputation or lands on a blocklist.
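Because each victim gets a hostname that appears only once, exact-match blocklists miss the pattern, while counting distinct, single-use subdomains per registered domain surfaces it. The following detection sketch is an added example written for this article, not code from Microsoft or the OSINT Fans write-ups; the log lines and the reserved `.example` hostnames are constructed, and the registrable-domain logic assumes two-label domains rather than a public-suffix list.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic): "<timestamp> <client_ip> <url>".
# The .example TLD is reserved, so these hostnames are placeholders.
SAMPLE_LOG = """\
2021-09-21T10:00:01 10.0.0.5 https://mail.corp.example/owa/
2021-09-21T10:00:02 10.0.0.7 https://a1b2c3d4.invoice-portal.example/login
2021-09-21T10:00:03 10.0.0.8 https://e5f6a7b8.invoice-portal.example/login
2021-09-21T10:00:04 10.0.0.9 https://c9d0e1f2.invoice-portal.example/login
2021-09-21T10:00:05 10.0.0.7 https://www.corp.example/
2021-09-21T10:00:06 10.0.0.3 https://f3a4b5c6.invoice-portal.example/login
2021-09-21T10:00:07 10.0.0.5 https://mail.corp.example/owa/
"""


def registered_domain(host):
    """Assumption: the last two labels are the registrable domain (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_stats(log_text):
    """Per registered domain: distinct hostnames seen, and how many were seen exactly once."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host = urlsplit(parts[2]).hostname
        if host:
            hits[registered_domain(host)][host] += 1
    return {
        domain: {
            "distinct_hosts": len(counts),
            "single_use_hosts": sum(1 for n in counts.values() if n == 1),
        }
        for domain, counts in hits.items()
    }


def flag_endless_subdomains(log_text, min_hosts=3, min_single_use_ratio=0.8):
    """Flag domains with many subdomains that are mostly single-use (one URL per victim).

    Thresholds are tiny for the sample; the campaign in the article used 300,000+ subdomains.
    """
    flagged = []
    for domain, s in domain_stats(log_text).items():
        ratio = s["single_use_hosts"] / s["distinct_hosts"]
        if s["distinct_hosts"] >= min_hosts and ratio >= min_single_use_ratio:
            flagged.append(domain)
    return sorted(flagged)
```

In production the same counting is done per registered domain over passive DNS or proxy logs, with thresholds tuned against legitimate high-cardinality domains such as CDNs.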
