HomesecurityHow phishing-as-a-service is a threat to organizations

How phishing-as-a-service is a threat to organizations

Just as many legitimate businesses outsource functions and services, so do criminals in cyberspace. Cybercrime as a service includes malware, ransomware and even phishing campaigns. A Microsoft blog post posted on Tuesday examines a specific business phishing-as-a-service and the risk it poses to organizations.


See also: Microsoft: Delete passwords in Windows 10 immediately

By name BulletProofLink, this criminal business sells fishing kits, email templates, hosting facilities and automated services at relatively low cost, according to Microsoft.

Also known as BulletProftLink and Anthrax, this large-scale business is the culprit behind many of today's phishing campaigns with more than 100 models posing as well-known brands and services. Different cyber criminals use BulletProofLink to conduct monthly paid attacks, resulting in a constant source of revenue for the operator.

With this type of phishing-as-a-service (PhaaS) business, attackers pay an operator to deploy parts of a campaign or the entire campaign. The package includes elements such as fake login pages, website hosting and analysis and redistribution of credentials. The PhaaS business model contrasts with criminals who simply sell e-fishing kits with emails and site templates for a one-time fee.

See also: Microsoft: Beware of this "insidious" phishing attack

Active since 2018, BulletProofLink promotes its services on its page, promoting unique fraud pages, monthly subscriptions and a reputable brand. Using the names BulletProftLink, BulletProofLink and Anthrax alternately, the company also hosts YouTube and Vimeo pages with educational ads. An online store allows customers to sign up, log in and promote their hosting service. The subscription service can cost attackers up to $ 800, while a one-time hosting link costs around $ 50.


The phishing-as-a-service model as used by BulletProofLink uses one type of double blackmail strategy. Fishing kits include a second location where stolen credentials are sent. As long as the attacker does not change the code, this means that BulletProofLink also receives each set of credentials, allowing it to retain complete control.

See also: Microsoft Exchange Autodiscover: Bugs leak Windows credentials

How can companies and organizations combat such phishing attacks?

Adjust security policies against phishing by configuring impersonation settings for specific messages and sender domains, Microsoft advises. In addition, they can enable SafeLinks to scan for malicious links on delivery and when they click.

Organizations must also take email phishing seriously to protect themselves from malicious cyber groups. This means that they need to train employees to detect and report phishing messages and require unique, complex passwords in all areas.

Absent Mia
Being your self, in a world that constantly tries to change you, is your greatest achievement