The News: The Microsoft 365 Defender Threat Intelligence Team issued a warning this week on a large-scale phishing-as-a-service operation discovered as they were researching phishing attacks. The Microsoft 365 Defender Intelligence team found that the BulletProofLink operation is responsible for many of the phishing attacks that hit enterprises today, using a large number of newly-created subdomains. Read the full announcement from Microsoft.
Microsoft Issues Warning on Large Scale Phishing-as-a-Service Operation
Analyst Take: Microsoft’s warning about a large-scale phishing-as-a-service operation is actually pretty exciting. It means security teams and the technology and tactics they are using, the research they do, and the rabbit holes it leads them down — well, it works.
In this instance, Microsoft’s 365 Defender Intelligence team discovered BulletProofLink (also known as BulletProfitLink and/orAnthrax), a service designed to make phishing even easier for threat actors, and conveniently being advertised in underground cybercrime forums. BulletProofLink sells phishing kits, email templates, hosting, and automated services and makes it super easy for hackers to launch and manage every aspect of phishing campaigns.
Microsoft researchers also found that the BulletProofLink scam offered login pages to popular apps and websites including Microsoft OneDrive, LinkedIn, Adobe, AT&T, Dropbox and Google Docs. Someone with a small budget could easily deploy a fake email and gain access to business and personal information that could be sold on the dark web.
As I mentioned, I think this discovery of such a large-scale phishing-as-a-service operation is a big victory for the cybersecurity community and the sharing of this find by Microsoft benefits everyone. Microsoft’s Defender Threat Intelligence team’s research on the BulletProofLink operation will allow them (and others) to learn more about phishing-as-a-service and to expose how easy it is for threat actors to purchase campaigns and deploy them. With this new information, organizations can build on the findings to enhance email filtering rules and threat detection technologies — things that constantly need improvement for ensure protection.
Phishing-as-a-Service is a New Frontier
Email-based threats are constantly evolving as cyber criminals get more sophisticated with the tools that they use. In the past, threat actors would have to build individual emails and websites, but these small one-off approaches have all but disappeared as a new service-based cybercrime economy has emerged.
Phish kits are a one-time purchase that come with ready-to-use templates for emails and websites. Attackers can site up websites and evade detection easily with these options. While phishing kits are nothing new, phishing-as-a-service makes it even easier for criminals to facilitate attacks on unsuspecting businesses. Hackers make these services available for purchase on a weekly, bi-weekly, monthly, or annual subscription.
Protecting Against Phishing Attacks
Today, falling victim to a cyberattack is generally not a matter of if it will happen, but more a matter of when it will happen. Phishing campaigns are incredibly popular, and with good reason — they are low hanging fruit. Tricking unsuspecting employees, or any recipient of an email, into providing information that ultimately allows threat actors to gain access to the organization is relatively easy. That’s why it’s important to add layers of protection against phishing schemes, including enabling mailbox intelligence settings, developing phishing awareness training campaigns, regularly testing the organization along the way, and doing research like what the team at Microsoft did, which are all key to better protecting the organization.
On the cybersecurity front as a whole, it’s good to see positive news. Not that phishing attacks made easy by these offerings haven’t already been perpetrated or are in motion are a good thing, but knowing that phishing-as-a-service offerings exist and are out in the wild in full force will hopefully inspire cybersecurity pros within organizations to redouble their efforts at education and awareness, testing, and taking steps to fine-tune their security operations strategy even more. Microsoft sharing the deets about this discovery with the community as a whole benefits everyone.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.