Microsoft 365 Defender Threat Intelligence Team highlights the rise of a PhaaS (Phishing-as-a-Service) operation, dubbed BulletProofLink, which acts as the portal for the cybercrime underground.

In their research, the Microsoft team uncovered a large-scale operation that enables threat actors to easily carry out malicious campaigns. In one high-level campaign over 300,000 unique subdomains were created in a single run. 300,000 in a single run.

BulletProofLink has been active since 2018, and used by multiple threat actors being used in either one-off or monthly subscription-based Phishing business models.

Phishing is the term used to describe the sending of emails by criminals that look deceptively similar to legitimate emails from real companies. The emails contain links to similarly, more or less, well-made fakes of the respective company website, which ask the victim to enter their login data – these are then promptly forwarded to the criminals. This gives hackers access to all sorts of online accounts. This access can be used for criminal activities or the access data is sold.

BulletProofLink, which sells phishing kits, email templates, hosting, and automated services at a relatively low cost. With a PhaaS service starting at as low as £580 pm or a single-use kit costing around 35 pounds!

This comprehensive research into BulletProofLink sheds a light on the extent and complexity of phishing-as-a-service operations, and we urge you to read the full article so you can understand how prolific this type of cyber-security attack is.

Insights into phishing-as-a-service operations, their infrastructure, and their evolution inform protections against phishing campaigns. The knowledge gained during Microsoft’s investigation ensures that Microsoft Defender for Office 365 protects customers from the campaigns that the BulletProofLink operation enables.