New Blog Post | Catching the big fish: Analyzing a large-scale phishing-as-a-service operation

Microsoft


Catching the big fish: Analyzing a large-scale phishing-as-a-service operation | Microsoft Security ...

In researching phishing attacks, we came across a campaign that used a rather high volume of newly created and unique subdomains—over 300,000 in a single run. This investigation led us down a rabbit hole as we unearthed one of the operations that enabled the campaign: a large-scale phishing-as-a-service operation called BulletProofLink, which sells phishing kits, email templates, hosting, and automated services at a relatively low cost.

With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today. BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators.
