Threat Update
Microsoft recently released the results and analysis from its deep dive into BulletProofLink, a large-scale phishing-as-a-service (PHaaS) operation that follows a software-as-a-service (SaaS) business model. This model allows threat actors to purchase phishing kits and email templates in addition to hosting and automated services for a low monthly cost, enabling them to conduct phishing attacks with minimal effort.
Technical Detail & Additional Information
WHAT IS THE THREAT?
BulletProofLink, also referred to as BulletProftLink and Anthrax by its operators in various promotional materials, is used by numerous cyber threat groups for its phishing kits and email templates as well as low-cost subscription-based phishing services, including hosting and automation. This subscription-based model streamlines threat actors’ ability to conduct attacks. BulletProofLink is also known to proliferate the technique of “double theft”, a method in which stolen credentials are sent to both the PHaaS operator and the threat actor customer. Double theft results in monetization of credential theft on multiple fronts and exposes victims to potentially numerous instances of exploitation.
WHY IS IT NOTEWORTHY?
With over 300,000 subdomains and 100 available phishing templates that mimic popular brands and services, BulletProofLink is responsible for many of the phishing campaigns impacting organizations today. PHaaS differs from traditional phishing kits, which are sold in one-time transactions, in that it follows a SaaS model, providing subscription-based services that support attackers in site hosting, email delivery, and credential theft.
Phishing attacks are some of the most difficult threats to protect against, as even in organizations that deploy technical security measures, the success or failure of an attack can come down to an individual user’s security awareness. A single user with poor security awareness can compromise an entire organization full of otherwise security-aware users by accidentally engaging with a phishing communication, leading to credential theft or malware being deployed in the organization’s environment. As PHaaS grows in prevalence, phishing attacks may become more common, leading to more opportunities for compromise.
WHAT IS THE EXPOSURE OR RISK?
Any organization that provides employees with email accounts and access to online resources may become subject to a phishing attack—this includes organizations with email protection, endpoint protection, domain restriction, and other technical security measures. A user without proper security awareness training is particularly susceptible to phishing attacks, exposing not only themselves to compromise, but their associates and their organization, too.
WHAT ARE THE RECOMMENDATIONS?
Technical security measures and user training both play an important part in protecting an organization from a successful phishing attack:
- Implement email protection in your organization’s email environment. An anti-phishing service can warn users of suspicious communications in their inbox and prevent them from interacting with content that has a high confidence of being malicious. Barracuda SKOUT Managed XDR offers this as an optional service.
- Maintain a culture of high user awareness. Technical solutions like email protection are only part of the equation in protecting your organization from successful phishing attacks. Users should be trained to notice the telltale signs of phishing, such as misspellings and grammatical errors in official-looking emails, links to strange domains, and requests for personal information from unknown senders. Regular security awareness training and reminders to be on the lookout for malicious communications can keep users alert to potential threats in their inbox.
- Consider investing in a phishing awareness training platform such as Barracuda PhishLine or KnowBe4. Phishing awareness training can help your organization assess and reduce its employees’ susceptibility to phishing attacks by providing continuous simulation and security training.
- For a more intense solution, restrict access to unauthorized domains and implement endpoint protection on work computers to prevent users from interacting with malicious content in phishing attempts. Though this is an effective measure, users may still expose the organization to compromise if they are able to access work resources on their own unrestricted devices.
- Instruct employees to use unique credentials among their various accounts. In case of credential theft, having unique credentials will limit the extent of compromised accounts and necessary mitigation efforts required after a successful phishing attack.
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2021/09/microsoft-warns-of-wide-scale-phishing.html
- https://www.microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/
- https://osint.fans/bulletproftlink-phishing-service-p1
If you have any questions, please contact our Security Operations Center.