Microsoft Unearths Large-Scale Phishing Operation Involving 300,000 Subdomains

  • Microsoft has dug deep into ‘BulletProofLink’ after spotting one of the service’s clients using hundreds of thousands of subdomains.
  • The service is a premium one, covering every aspect of a phishing operation and ensuring maximum effectiveness.
  • The platform keeps the stolen credentials for itself and then sells them on the dark web for additional profit.

Microsoft's investigators have discovered a massive phishing campaign featuring 300,000 unique subdomains and over a hundred phishing templates made to mimic known brands and services. Soon, the researchers realized that this was actually part of a “phishing-as-a-service” (PhaaS) operation called ‘BulletProofLink’ (aka ‘Anthrax’), used by a large number of crooks who love the convenience of buying pre-fabricated kits and getting right to work. Even when needing to scale up to ludicrous levels, BulletProofLink can accommodate the need, creating behemoths like the one that Microsoft caught in the wild.

Source: Microsoft

PhaaS is offered via a subscription model, so actors can buy themselves weekly, monthly, or even annual memberships. The program offers email templates to use in phishing messages, site templates for the landing webpages, email delivery tools for mass distribution, site hosting services, and even credential theft and redistribution. Of course, each of the above can be purchased individually, but getting them bundled is the convenience of subscribing to a PhaaS. In the case of ‘BulletProofLink,’ we also have “FUD” (fully undetectable) links, meaning links built so that email protection tools won’t catch the threat.

One trick used by the platform to evade detection by security tools is the “zero-point font” technique, which inserts characters styled at a font size of zero: they are invisible to the user, but they still sit in the message body, so keyword-based filters see broken-up strings instead of the lure text the recipient reads. This is an effective obfuscation method that we analyzed last August, so make sure to look into that post if you’re interested in going deeper.
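As an added defender-side example (not from the original post or from Microsoft’s report), the Python below splits an HTML message body into the text a recipient actually sees and the characters hidden with zero-point font styling, so keyword matching can run on what the victim reads rather than on the raw markup; the sample message and keyword list are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Matches inline styles such as "font-size:0", "font-size: 0px", "font-size:0.0pt".
ZERO_FONT = re.compile(r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "wbr"}

class ZeroFontSplitter(HTMLParser):
    """Separates text a recipient would see from text hidden by zero-point font styling."""
    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self.raw = [], [], []
        self._stack = []  # one bool per open element: True if it hides its content

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:           # never closed, so never pushed
            return
        style = dict(attrs).get("style") or ""
        self._stack.append(bool(ZERO_FONT.search(style)))

    def handle_startendtag(self, tag, attrs):
        pass                           # <x/> has no content to classify

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        self.raw.append(data)
        (self.hidden if any(self._stack) else self.visible).append(data)

def split_zero_font(html):
    """Return (visible_text, hidden_text, raw_text) for an HTML body."""
    p = ZeroFontSplitter()
    p.feed(html)
    p.close()
    return "".join(p.visible), "".join(p.hidden), "".join(p.raw)

def keyword_hits(text, keywords):
    """Keywords found in text, case-insensitively, in sorted order."""
    low = text.lower()
    return sorted(k for k in keywords if k in low)

# Constructed sample: a lure whose key words are broken up by zero-font characters.
SAMPLE = ('<p>Your <span style="font-size:0">x</span>Micro<span style="font-size:0px">q</span>'
          'soft acc<span style="font-size: 0">z</span>ount pass<span style="FONT-SIZE:0.0pt;">k'
          '</span>word expires today.</p>')
KEYWORDS = ["password", "account", "expires"]

if __name__ == "__main__":
    visible, hidden, raw = split_zero_font(SAMPLE)
    print("raw    :", raw)      # what naive string matching sees
    print("visible:", visible)  # what the recipient sees
    print("hidden :", repr(hidden), "->", keyword_hits(visible, KEYWORDS))
```

A mail filter can treat a non-trivial count of hidden characters, or keyword hits that appear only in the visible text, as a signal in its own right.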

Source: Microsoft

According to Microsoft, ‘BulletProofLink’ has been around since at least 2018, operating multiple sites as well as social media channels where the operators post phishing tutorials and various promotional materials. New subscribers are offered a 10% discount as a welcome gesture, and there’s also chat support for those who need real-time help or advice. Additional themes and templates are sold separately, and there is a wide selection to choose from. The full package may cost as much as $800 per month, putting ‘BulletProofLink’ in a premium category, as most other PhaaS services cost about $50/month.

Source: Microsoft

It is notable that, in the case of this particular PhaaS platform, researchers spotted the “double exploitation” of stolen credentials, which ‘BulletProofLink’ operators use to maximize their profits. The credentials stolen during an actor’s phishing campaign remain under the control of the kit vendor, who then resells them on the dark web.
