Massive Phishing-as-a-Service Campaign Revealed by Microsoft Security Researchers

On Tuesday, Microsoft’s security researchers published a report detailing a massive phishing-as-a-service campaign known as BulletProofLink. Phishing-as-a-Service offerings, or phishing kits, arm even the most novice threat actors with sophisticated platforms to launch widespread phishing campaigns with little more than a computer and a few hundred dollars. Researchers at Microsoft discovered this operation while investigating a separate phishing operation. They noted that the “interesting aspect of the campaign that drew our attention was its use of a technique we call ‘infinite subdomain abuse’, which…allows attackers to use a unique URL for each recipient while only having to purchase or compromise one domain for weeks on end.” Access Microsoft for the complete analysis or read an overview at TheRecord.