Microsoft security team detects major phishing-as-a-service operation

23 Sep 2021

Image: © magann/

An investigation by Microsoft’s security team unearthed a large-scale phishing-as-a-service operation.

Microsoft’s security team has detected a large-scale operation that provides built-in hosting and email-sending phishing services to cybercriminals via a portal called BulletProofLink.

The underground service builds on the idea of phishing kits, which are sold on a one-time basis as collections of email phishing templates imitating legitimate companies or designed to evade detection.

The phishing-as-a-service operation, which is also sometimes referred to as BulletProftLink and Anthrax, involves cybercriminals paying an operator to develop and deploy phishing campaigns. According to Microsoft researchers, the monthly service costs as much as $800.

Once a fee is paid, the operator can set up a web page to host a phishing site, install a phishing template on the site, configure the domain, send emails to victims, collect credentials from attacks and deliver the stolen details to the criminals.

The service even provides customers with tutorials on how to perfect their phishing scams. It has more than 100 phishing templates available that mimic legitimate brands and services.

Microsoft’s security team also found that phishing-as-a-service operations can double-cross their own criminal customers. Stolen credentials can be sent to both the operator and its clients, resulting in a “double theft”.

According to a blogpost published by the Microsoft team this week, the BulletProofLink operation “is responsible for many of the phishing campaigns that impact enterprises today”.

It added that the service is being used “by multiple attacker groups in either one-off or monthly subscription-based models”, creating a steady revenue stream for its operators.

Microsoft said it was making an effort to protect its customers from cybercrimes such as phishing.

“As part of our commitment to improve protection for all, we are sharing these findings so the broader community can build on them and use them to enhance email filtering rules as well as threat detection technologies like sandboxes to better catch these threats,” the blogpost continued.

It said that Microsoft 365 Defender now recognises and can defend against the BulletProofLink phishing campaigns.

Cybercrime and phishing attacks have increased since the pandemic began, with cybercriminals preying on people’s fears around Covid-19 and taking advantage of the vulnerability of companies that suddenly shifted to remote working.

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Blathnaid O’Dea is Careers reporter at Silicon Republic