300,000 Subdomains Exploited by a Newly Discovered Phishing-as-a-Service Scam

October 5, 2021

Last Tuesday, Microsoft reported a newly found phishing-as-a-service operation that used a high volume of 300,000 distinct, newly created subdomains in a single run. According to the tech giant, it discovered the campaign during its research into phishing attacks triggered by the phishing-as-a-service operation named BulletProofLink. The operation reportedly offers low-cost domain hosting, email templates, phishing kits, and other automated services. This model has undeniably lowered the bar for running quality phishing attacks.

 

BulletProofLink 

BulletProofLink is a phishing-as-a-service operation known for supporting most phishing campaigns across many businesses and industries. Also referred to as BulletProftLink or Anthrax, BulletProofLink has been used by many threat actors and hacking groups to conduct cybercrime and has generated a profitable income stream. Aside from its low-cost domain hosting, email templates, phishing kits, and automated services, BulletProofLink also offers Fully Undetected (FUD) links.

The attack relies on infected links and web pages sent to the targets through the phishing scam. The hackers then install malicious software on the compromised system to begin stealing the victim’s highly sensitive information.

Additionally, this phishing attack is unique in the sense that even if the hackers are not able to gain direct access to the victim’s system, they can still proceed with the operation. 

 

Infinite Subdomain Abuse 

The aspect that caught Microsoft’s attention during its investigation is how the campaign uses a technique the company named “infinite subdomain abuse”. According to the company’s cybersecurity researchers, infinite subdomain abuse happens when the DNS of a website gets compromised or attacked. The technique lets the threat actor use a unique URL for each recipient even if they configured only one domain in a week.

 

This technique has gained popularity with threat actors because it introduces them to a brand-new way of executing phishing attacks.

 

Previously, the only method available to them was acquiring large sets of single-use domains. With infinite subdomains, the threat actors need only configure a site’s DNS, without compromising the site itself.

Moreover, the technique allows the threat actors to take full advantage of the unique domains available for use by configuring each generated subdomain as a prefix to the base domain for each target email. Unique URL creation also makes it difficult for authorities to detect and mitigate the attacks, since the detection process depends on exact matching of URLs and domains.
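The detection gap described above, as an added example that is not from Microsoft's report or the original article: exact hostname matching catches only the one URL already known, while grouping hostnames under their base domain exposes the per-recipient fan-out. The domains, recipients, thresholds and the heuristic itself are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List so the example runs offline.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed sample data: (recipient, URL found in the message).
SAMPLE_EVENTS = [
    ("alice@corp.example", "https://k3j9x.login-portal.example/auth"),
    ("bob@corp.example", "https://p0q8z.login-portal.example/auth"),
    ("carol@corp.example", "https://m7t2v.login-portal.example/auth"),
    ("dave@corp.example", "https://w4r6n.login-portal.example/auth"),
    ("alice@corp.example", "https://links.newsletter.example/u/1"),
    ("bob@corp.example", "https://links.newsletter.example/u/2"),
    ("carol@corp.example", "https://links.newsletter.example/u/3"),
]

def base_domain(host):
    """Registrable domain of a hostname (simplified; real code should use the PSL)."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def exact_match_hits(events, blocked_hosts):
    """Exact hostname matching: only URLs whose host is already known are caught."""
    return [url for _, url in events if urlsplit(url).hostname in blocked_hosts]

def flag_subdomain_fanout(events, min_hosts=3, min_ratio=0.9):
    """Flag base domains where nearly every recipient received its own hostname.

    min_hosts and min_ratio are hypothetical thresholds, to be tuned on real mail flow.
    """
    hosts = defaultdict(set)       # base domain -> distinct hostnames seen
    recipients = defaultdict(set)  # base domain -> distinct recipients
    for recipient, url in events:
        host = urlsplit(url).hostname
        if not host:               # no scheme or unparsable URL: skip
            continue
        base = base_domain(host)
        hosts[base].add(host)
        recipients[base].add(recipient.lower())
    return {
        base: len(seen)
        for base, seen in hosts.items()
        if len(seen) >= min_hosts and len(seen) / len(recipients[base]) >= min_ratio
    }

if __name__ == "__main__":
    print(exact_match_hits(SAMPLE_EVENTS, {"k3j9x.login-portal.example"}))
    print(flag_subdomain_fanout(SAMPLE_EVENTS))
```

The newsletter domain is not flagged because all of its recipients share one hostname; only the base domain with one hostname per recipient stands out.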

 

Microsoft advises organizations to improve their security 

With new phishing-as-a-service campaigns actively operating, organizations are strongly advised to expand their internal threat protection. To establish resilient protection against these threats, Microsoft recommends using anti-phishing policies to enable mailbox intelligence settings and to configure impersonation protection settings for particular email messages and sender domains.
