Large-Scale Phishing-as-a-Service Operation Exposed

Discovery of BulletProofLink—which provides phishing kits, email templates, hosting and other tools—sheds light on how wannabe cybercriminals can get into the business.

By: Elizabeth Montalbano


Microsoft uncovered a large-scale, well-organization and sophisticated phishing-as-a-service (PhaaS) operation. The turnkey platform allows users to customize campaigns and develop their own phishing ploys so they can then use the PhaaS platform to help with phishing kits, email templates and hosting services needed to launch attacks.


Microsoft researchers discovered the operation, marketed by criminals as BulletProofLink, when they found a high volume of newly created and unique subdomains—more than 300,000 in a single run, according to a post published by the Microsoft 365 Defender Threat Intelligence Team.

“This investigation led us down a rabbit hole as we unearthed one of the operations that enabled the campaign,” researchers wrote.


With more than 100 available phishing templates that mimic known brands and services—including Microsoft itself–the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today, they said.


Phishing is a common way for cybercriminals to dupe people through socially-engineered emails into giving up their credentials to online accounts that can store sensitive data. Phishers use these emails—which sometimes fool people by impersonating a trusted company, application or institution–to direct people to specially crafted phishing sites so they can enter credentials, thinking they are doing so for a legitimate reason.


Phishing is often a gateway drug into other criminal activity; phishers sell credentials obtained through campaigns on the dark web, and they can be used by ransomware gangs as an entry point into networks to deliver ransomware attacks, among other nefarious activity.


Full-Scale Phishing Facilitator


BulletProofLink—also known as BulletProftLink or Anthrax by its operators in various websites, ads and other promotional materials–provides a starting point for people without significant resources to get into the phishing business.


The group has been active since 2018 and maintains multiple sites under aliases. The group leverages services such as YouTube and Vimeo offering instructional videos, advertisements and promotional materials. It is known to hawk their wares on a plethora of underground forums, researchers said.


While previously, criminals who wanted to launch these attacks had to build phishing emails and brand-impersonating websites on their own, “the phishing landscape has evolved its own service-based economy,” researchers said. Now attackers can just purchase all the resources and other infrastructure they need to launch phishing attacks without investing a lot of time or effort, researchers said.