Microsoft Warns of Large-Scale “BulletProofLink” Phishing-as-a-Service Operation

Microsoft issued an advisory on a new phishing campaign that uses a high volume of newly created, unique subdomains, noting that in one case it observed more than 300,000 in a single run.
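A hunting heuristic for that pattern over URLs extracted from inbound mail, added here as an illustration and not taken from Microsoft's advisory: it flags parent domains where almost every message carries a different subdomain. The sample records, the function names, the thresholds and the simplified parent-domain split are all assumptions of this example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (message_id, URL extracted from the message body).
SAMPLE_URLS = [
    ("m1", "https://a9f3k2.login-portal.example/auth"),
    ("m2", "https://q7x1zz.login-portal.example/auth"),
    ("m3", "https://p0o9i8.login-portal.example/auth"),
    ("m4", "https://zz81ka.login-portal.example/auth"),
    ("m5", "https://www.vendor.example/newsletter"),
    ("m6", "https://www.vendor.example/newsletter"),
    ("m7", "https://www.vendor.example/pricing"),
    ("m8", "https://docs.vendor.example/guide"),
]

def split_host(url, suffix_labels=1):
    """Return (subdomain, parent_domain), or None when there is no subdomain.

    Assumption: the parent domain is the last `suffix_labels + 1` labels.
    Real deployments should use the Public Suffix List (e.g. for co.uk).
    """
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    keep = suffix_labels + 1
    if len(labels) <= keep or labels[-1].isdigit():  # bare domain or IPv4
        return None
    return ".".join(labels[:-keep]), ".".join(labels[-keep:])

def flag_subdomain_churn(records, min_unique=4, min_ratio=0.9):
    """Flag parents whose unique-subdomain count tracks their message count.

    min_unique and min_ratio are illustrative thresholds, not published values.
    """
    subs, msgs = defaultdict(set), defaultdict(set)
    for msg_id, url in records:
        parts = split_host(url)
        if parts is None:
            continue
        sub, parent = parts
        subs[parent].add(sub)
        msgs[parent].add(msg_id)
    flagged = {}
    for parent, unique in subs.items():
        ratio = len(unique) / len(msgs[parent])
        if len(unique) >= min_unique and ratio >= min_ratio:
            flagged[parent] = (len(unique), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    print(flag_subdomain_churn(SAMPLE_URLS))
```

Combining the result with domain registration age would tighten the signal, since the advisory describes the subdomains as newly created.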

The “BulletProofLink” large-scale phishing-as-a-service operation sells phishing kits, email templates, hosting and automated services. The service – which is also known as “BulletProftLink” or “Anthrax” – offers more than 100 phishing templates designed to “mimic known brands and services.” Microsoft noted that the operation is responsible for many phishing campaigns, and also revealed that its research indicates it drove the proliferation of popular techniques such as “double theft,” which sends stolen credentials to the phishing-as-a-service actor as well as to its customer.

BulletProofLink, it was noted, continues to operate active phishing campaigns, with large volumes of redirections to its password-processing links from legitimate web hosting providers.

Potential remediation options include:

  • Employing Microsoft Defender for Office 365, which uses machine learning, heuristics and advanced detonation technology.
  • Building resilience against phishing attacks by drafting anti-phishing policies and mailbox intelligence settings.
  • Securing the Azure AD identity infrastructure.
  • Promoting multi-factor authentication and blocking sign-in attempts from legacy authentication.

Additional information is available in the Microsoft Security blog report compiled by the Microsoft 365 Defender Threat Intelligence Team.