
Phishing-as-a-service operation uses double theft to boost profits
2021-09-22 13:43

Microsoft says BulletProofLink, a large-scale phishing-as-a-service (PhaaS) operation it spotted while investigating recent phishing attacks, is the driving force behind many phishing campaigns that have recently targeted many corporate organizations.

"With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today."

Of note, the large-scale phishing campaigns enabled by BulletProofLink also use "double theft," a method meant to boost the threat actor's profits, much like the double extortion used by ransomware gangs.

The double theft Microsoft refers to is a tactic where credentials stolen in phishing attacks are also sent to a secondary server controlled by PhaaS operators if the phish kits used in the campaign use their default configuration.

"This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell."

The threat actor has also been observed using a technique Microsoft calls "infinite subdomain abuse," which lets attackers assign a unique URL to each phishing recipient while using only a single domain, compromised or bought before the attacks.
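
The pattern described above leaves a recognizable trace in mail telemetry: one base domain with many subdomains, each delivered to a single recipient. The sketch below is an added example, not code from Microsoft or the original article; the event records are constructed, and the function names, thresholds and the two-label base-domain rule are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (recipient, URL found in an inbound message). Not real data.
SAMPLE_EVENTS = [
    ("alice@corp.example", "https://a1f3.login-portal.example/auth"),
    ("bob@corp.example", "https://9bc2.login-portal.example/auth"),
    ("carol@corp.example", "https://77de.login-portal.example/auth"),
    ("dave@corp.example", "https://c04a.login-portal.example/auth"),
    ("erin@corp.example", "https://e9f1.login-portal.example/auth"),
    ("alice@corp.example", "https://www.vendor.example/news"),
    ("bob@corp.example", "https://www.vendor.example/news"),
    ("carol@corp.example", "https://docs.vendor.example/guide"),
    ("dave@corp.example", "https://www.vendor.example/pricing"),
]

def base_domain(host):
    # Assumption: the last two labels form the registrable domain.
    # Production code should consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def flag_per_recipient_subdomains(events, min_subdomains=5, min_single_use_ratio=0.9):
    """Return base domains whose subdomains are mostly seen by one recipient each."""
    seen = defaultdict(lambda: defaultdict(set))  # base -> host -> recipients
    for recipient, url in events:
        host = urlsplit(url).hostname
        if not host:
            continue  # skip entries without a parseable hostname
        seen[base_domain(host)][host.lower()].add(recipient.lower())

    findings = {}
    for base, hosts in seen.items():
        subs = {h: r for h, r in hosts.items() if h != base}
        if len(subs) < min_subdomains:
            continue  # too few distinct subdomains to call it a pattern
        single_use = sum(1 for r in subs.values() if len(r) == 1)
        ratio = single_use / len(subs)
        if ratio >= min_single_use_ratio:
            findings[base] = {"subdomains": len(subs), "single_use_ratio": ratio}
    return findings

if __name__ == "__main__":
    for domain, stats in flag_per_recipient_subdomains(SAMPLE_EVENTS).items():
        print(domain, stats)
```

Legitimate senders that use per-recipient tracking hosts can trip the same heuristic, so treat a hit as a lead for review rather than a verdict.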


News URL

https://www.bleepingcomputer.com/news/microsoft/phishing-as-a-service-operation-uses-double-theft-to-boost-profits/