Phishing - PhaaS

Last week Microsoft Security issued a detailed report on a massive phishing-as-a-service operation named BulletProofLink that offered, as a subscription, all the tools needed to conduct a campaign.  The phishing-as-a-service, or PhaaS, model differs from the phishing kits that many gangs have used in that it is more expansive and handles many of the small details that could befuddle a less tech-savvy attacker.

"It's worth noting that some PhaaS groups may offer the whole deal - from template creation, hosting, and overall orchestration, making it an enticing business model for their clientele," says the Microsoft 365 Defender Threat Intelligence Team.  The breadth of services offered is the primary differentiator between kits and the subscription model.


Figure 1. Feature comparison between phishing kits and phishing-as-a-service (Source: Microsoft)

"At the time of this report, BulletProofLink continues to operate active phishing campaigns, with large volumes of redirections to their password-processing links from legitimate web hosting providers."

BulletProofLink has been operating since 2018 under various names, including BulletProftLink and Anthrax, and maintains instructional sites on YouTube and Vimeo, Microsoft says. The gang operates as a legitimate business, offering chat support and even a 10% discount for new customers.

"BulletProofLink additionally hosts multiple sites, including an online store where they allow their customers to register, sign in, and advertise their hosted service for monthly subscriptions," Microsoft says.  BulletProofLink offers clients more than 100 email templates from which to choose that sport well-known logos and brands for social engineering purposes, according to Microsoft. It says "clients" buy the pages, ship the emails and are in charge of collecting the stolen credentials, using either their landing pages or those provided by BulletProofLink.  "The templates are designed to evade detection while successfully phishing for credentials, but may vary based on the individual purchasing party," Microsoft says.[1]

The PhaaS provider makes sure each campaign has a different appearance but, Microsoft notes, the code, PHP password processing sites and the hosting infrastructure all correlate back to BulletProofLink.  BulletProofLink offers a menu of services, all with a corresponding fee, and a monthly service subscription can cost $800, Microsoft says.  Other services cost about $50 for a one-time hosting link, it adds.  Bitcoin is a common payment method accepted on the BulletProofLink site, and client communication is handled generally through Skype, ICQ, forums and chat rooms.

Microsoft was able to dive deeply into BulletProofLink after it stumbled across a campaign while investigating a phishing attack.  The campaign Microsoft studied was notable, the company says, because it used more than 300,000 subdomains, a key indicator that a BulletProofLink phishing kit was in use.  "An interesting aspect of the campaign that drew our attention was its use of a technique we call 'infinite subdomain abuse,' which happens when attackers compromise a website's DNS or when a compromised site is configured with a DNS that allows wildcard subdomains," Microsoft says.  "Infinite subdomains allow attackers to use a unique URL for each recipient while only having to purchase or compromise one domain for weeks on end."

Microsoft says this technique is gaining favor among phishing attackers because:

  • It eliminates the need for an attacker to obtain large sets of single-use domains;
  • It allows phishing operators to maximize the unique domains they can use by configuring dynamically generated subdomains as a prefix to the base domain for each individual email;
  • The creation of unique URLs poses a challenge to mitigation and detection methods that rely solely on exact matching for domains and URLs.
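The third point is the one defenders have to design around. The sketch below is an added example, not code from Microsoft or from the original post: it groups URLs by base domain and flags domains where nearly every recipient received a distinct hostname, which an exact-match blocklist misses. The sample events, the `.example` domains, the thresholds and the naive two-label base-domain rule are all assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (recipient, URL seen in mail). Domains use the reserved
# .example TLD; none of these values come from the Microsoft report.
SAMPLE_EVENTS = [
    ("alice@corp.example", "https://a9f3k.portal-login.example/auth.php"),
    ("bob@corp.example", "https://q7m2x.portal-login.example/auth.php"),
    ("carol@corp.example", "https://zz81p.portal-login.example/auth.php"),
    ("dave@corp.example", "https://k0v4d.portal-login.example/auth.php"),
    ("alice@corp.example", "https://www.vendor-news.example/weekly"),
    ("bob@corp.example", "https://www.vendor-news.example/weekly"),
    ("carol@corp.example", "https://docs.vendor-news.example/guide"),
]

def base_domain(host):
    """Naive registrable domain: last two labels. Assumption for the demo;
    production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def exact_match_hits(events, blocklist):
    """Hostnames that an exact-match blocklist would catch."""
    return {urlsplit(u).hostname for _, u in events} & set(blocklist)

def flag_subdomain_fanout(events, min_hosts=3, min_ratio=0.9):
    """Flag base domains where nearly every recipient saw a distinct hostname."""
    hosts, rcpts = defaultdict(set), defaultdict(set)
    for rcpt, url in events:
        host = urlsplit(url).hostname
        if not host:
            continue  # skip malformed URLs
        base = base_domain(host)
        hosts[base].add(host)
        rcpts[base].add(rcpt)
    flagged = {}
    for base, seen in hosts.items():
        ratio = len(seen) / len(rcpts[base])  # ~1.0 means one host per recipient
        if len(seen) >= min_hosts and ratio >= min_ratio:
            flagged[base] = (len(seen), len(rcpts[base]))
    return flagged
```

On the constructed sample, blocking one reported hostname catches one of the four lure URLs, while the fan-out check flags the whole base domain and leaves the ordinary newsletter domain alone.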

Microsoft also uncovered that BulletProofLink often steals from its clients by adding code to the phishing kit sold or leased that sends the stolen credentials to a secondary location that it, and not the client, controls.  BulletProofLink can then resell the links stolen by their client to gangs looking to conduct ransomware or other attacks where credentials are needed for initial access.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or


Weekly Cyber Intelligence Briefings:




REDSHORTS - Weekly Cyber Intelligence Briefings


