Microsoft found a Phishing-as-a-Service (PhaaS) business that is responsible for a large number of corporate phishing attacks. The PhaaS concept has lowered the bar for quality phishing attempts even further.

BulletProofLink (or Anthrax) is the name of the operation, and its services include selling phish email templates and kits via a monthly subscription or single payment-based business model. In addition, the group provides credential theft, hosting services, and email delivery services. Anthrax also claims to provide Fully Undetected (FUD) connections. Microsoft identified the service after discovering a campaign that employed 300,000 freshly formed and unique subdomains in a single run.

These companies are a source of consternation because they offer a plethora of templates (120 as of now) that replicate the login pages of prominent websites. They also make it possible for anyone with money to go straight to extortion or theft. Furthermore, the PhaaS business model may encourage double theft, in which the service provider steals credentials and sells them to clients.

Also read,

Abuse of innumerable subdomains:

  • This technique allows attackers to assign unique URLs to each phishing recipient by exploiting a single domain that was either purchased prior to the assault or compromised.
  • When threat actors can infect a website’s DNS, they exploit infinite subdomain abuse.
  • The method has gained popularity since it decreases the amount of effort necessary in a phishing campaign while boosting the number of distinct domains that can be launched at any time.
  • In addition to the foregoing, unique URLs provide significant issues for detection and mitigation methods that rely heavily on precise matching URLs.

BulletProofLink is actively engaged in phishing campaigns. This necessitates the implementation of anti-phishing rules, as advised by Microsoft. Remember that because attackers can utilize PhaaS to deploy ransomware on compromised networks, it has the potential to become a stepping stone to success for any ransomware gang.