Microsoft warns users of a sophisticated PhaaS operation. Here’s what we know about it

The business reportedly offers phishing attacks as a service, complete with subscriber newsletters and customer support.

BulletProofLink, a large-scale phishing-as-a-service (PhaaS) operation, offers over 100 phishing templates that imitate known brands and services, Microsoft revealed in its blog. Microsoft was one of the brands whose logo and branding were impersonated in phishing campaigns initiated using BulletProofLink. The operation sells phishing kits, email templates, hosting, and automated services at an affordable cost and is responsible for facilitating many phishing campaigns these days, the blog added.

The PhaaS was found to be the weapon of choice for multiple attacker groups, who can either make a one-off purchase or pay a monthly subscription fee to use its services, the company added.

Cyber attacks are growing with each passing day, especially during the pandemic, as COVID-19 lockdowns force a rapid adoption of digital tech. Phishing is a cyber attack that uses disguised email as a weapon and is notoriously difficult to sniff out, given its sophistication. Phishing attacks have increased by 600% during the pandemic. The consequences can be damaging in most cases, as they result in violations of privacy and inflict steep financial stress on people as well as businesses.

How does BulletProofLink operate? 

The BulletProofLink PhaaS group became active in 2018 and operates under multiple aliases like BulletProftLink, BulletProofLink, and Anthrax. It also has instructional advertisements on YouTube and Vimeo, Microsoft revealed in its post. 

  • BulletProofLink registration and sign-in pages: The service hosts an online store where it lets customers register and sign in, and advertises its hosted service for monthly subscriptions. The group provides a 10% welcome discount on orders when customers subscribe to their newsletter, as per the post.
  • Phishing templates: Operators offer over 100 templates developed to evade detection while successfully phishing for victims’ credentials, the blog said. Phishing campaigns initiated on these templates do not look identical. 
  • Customer hosting and support: The group’s operators provide a variety of services for a fee. The monthly service costs about $800, and Bitcoin is accepted as a payment method on the site. New and existing customers can interact with the group on Skype, ICQ, forums, and chat rooms for customer support services.

Difference between phishing kits and PhaaS

The blog explained that the phishing landscape has evolved into a service-based economy. In the past, attackers had to build phishing emails and brand-impersonating websites themselves. Now, criminals can simply initiate an attack by purchasing resources and infrastructure from groups such as BulletProofLink:

  • Phish kits: These kits are sold on a one-time sale basis. They are packaged files, usually a ZIP file, that come with ready-to-use email phishing templates designed to evade detection and are often accompanied by a portal with which to access them. Phish kits allow customers to set up the websites and purchase the domain names, Microsoft stated. 
  • Phishing-as-a-service: It is akin to ransomware-as-a-service (RaaS). Attackers pay an operator to wholly develop and deploy large portions of, or complete, phishing campaigns, from false sign-in page development and website hosting to credential parsing and redistribution.

Double theft model

The PhaaS working model copies the RaaS model insofar as it involves double extortion. The extortion method used in ransomware follows the pattern of posting data publicly in addition to encrypting it on compromised devices, to put pressure on organizations to pay the ransom, Microsoft explained.

It is easy for PhaaS operators to include a secondary location to receive login credentials. This maximises monetisation of stolen data and credentials, and victims’ credentials end up posted on the dark web, leaving them susceptible to more attacks.

Mitigation measures

  • The company advised that users must have antivirus software installed on their devices.
  • Organisations must use anti-phishing policies to enable mailbox intelligence settings, as well as configure impersonation protection settings for specific messages and sender domains. 
  • Users must enable multi-factor authentication and block sign-in attempts from legacy authentication.
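
The anti-phishing policy recommendation above, as an added example (not taken from Microsoft's post or this article): an Exchange Online PowerShell configuration that first lists policies with mailbox intelligence or impersonation protection switched off, then creates a policy with both enabled. It assumes the ExchangeOnlineManagement module and a Defender for Office 365 licence; the admin account, policy name, users and domains are placeholders.

```powershell
# Added example. Assumptions: ExchangeOnlineManagement is installed, the tenant is
# licensed for Defender for Office 365, and every name below is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Audit: list existing policies where the protections named above are off.
Get-AntiPhishPolicy | Where-Object {
    -not $_.EnableMailboxIntelligenceProtection -or
    -not $_.EnableTargetedUserProtection -or
    -not $_.EnableOrganizationDomainsProtection
} | Format-Table Name, EnableMailboxIntelligenceProtection,
    EnableTargetedUserProtection, EnableOrganizationDomainsProtection

# 2. Create a policy with mailbox intelligence and impersonation protection on.
$policyName = 'Impersonation-Protection'   # hypothetical policy name
$policy = @{
    Name                                = $policyName
    Enabled                             = $true
    PhishThresholdLevel                 = 2
    # Mailbox intelligence: learn each user's normal correspondents and act on
    # messages that impersonate them.
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'Quarantine'
    # User impersonation: "Display Name;email address" pairs (placeholders).
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = 'Asha Rao;asha.rao@contoso.com',
                                          'Finance Desk;finance@contoso.com'
    TargetedUserProtectionAction        = 'Quarantine'
    # Domain impersonation: the tenant's own domains plus named external senders.
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = 'supplier.example'
    TargetedDomainProtectionAction      = 'Quarantine'
    # Safety tips shown to the recipient on lookalike senders.
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
}
New-AntiPhishPolicy @policy

# 3. A policy applies only once a rule scopes it to recipients.
New-AntiPhishRule -Name "$policyName-Rule" -AntiPhishPolicy $policyName `
    -RecipientDomainIs 'contoso.com' -Priority 0

# 4. Confirm the resulting settings.
Get-AntiPhishPolicy -Identity $policyName |
    Format-List Name, Enabled, EnableMailboxIntelligence*, EnableTargeted*, Targeted*
```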

Phishing attacks in India

As many as 83 percent of Indian organisations surveyed reported an increase in phishing attacks via emails during the pandemic, according to a report by UK-based cybersecurity firm Sophos.

February 2021: Hindustan Times reported that a number of senior government officials, including those from the ministries of defence and external affairs, were targeted in a phishing campaign with attackers using compromised government domain email accounts to launch their hacking attempts. The National Informatics Centre (NIC) issued an alert soon after the attack but there was no confirmation whether any targeted computers were compromised.

March 2021: A response to a parliamentary question revealed that CERT-In, India’s nodal cyber security agency, was working with the Reserve Bank of India (RBI) and other banks to track and disable phishing websites in an effort to thwart online frauds.

July 2021: Researchers at Seqrite, the cybersecurity arm of Quick Heal Technologies, claimed that they found sophisticated phishing attempts targeting Indian critical infrastructure PSUs across sectors of finance, power, and telecom by a Pakistan-linked group. The PSUs were targeted to get access to sensitive information “including screenshots, keystrokes, & files from the affected system”.

July 2021: Kaspersky Internet Security found that India was among the top three countries facing phishing attacks primarily via instant mobile messaging apps like Facebook-owned WhatsApp and Telegram. Countries experiencing the highest number of phishing attacks were Russia (46 percent), Brazil (15 percent), and India (7 percent).

August 2021: CERT-In warned that scammers were targeting banking customers in India with a new type of phishing attack to collect sensitive information such as internet banking credentials, mobile numbers, and OTP to carry out fraudulent transactions. It said that the malicious activity was carried out using the ngrok platform (a cross-platform application).

September 2021: Indian taxpayers were targeted with Elibomi, an Android malware, which stole their financial information in a phishing attack, according to McAfee’s Mobile Research team. The antivirus company disclosed that the attackers lure in unsuspecting users with a fake tax-filing application.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
