---
title: "Threat Actors Have Started Using Phishing-as-a-Service (PhaaS) – Here Is Everything You Need To Know! | Phish Protection"
description: "Threat Actors Have Started Using Phishing-as-a-Service (PhaaS) – Here Is Everything You Need To Know!: Less than a month ago, Microsoft exposed a."
image: "https://phishprotection.com/og/blog/threat-actors-using-phishing-as-a-service-phaas.png"
canonical: "https://phishprotection.com/blog/threat-actors-using-phishing-as-a-service-phaas/"
---


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2021/10/phishing-prevention-8716.jpg) 

Less than a month ago, Microsoft exposed a well-organized operation that provides a one-of-a-kind, DIY **phishing-as-a-service** (PhaaS) product to malicious actors. This product includes phishing kits, hosting services, and templates to create and develop customized [phishing campaigns](/blog/threat-actors-advantage-fintech-platforms-launch-phishing-campaigns/). This ‘[BulletProofLink](https://www.microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/)’ (also referred to as BulletProftLink) operation was [first discovered](https://osint.fans/bulletproftlink-phishing-service-p1) in 2020, yet it continues today.

Microsoft discovered this highly criminal operation during an investigation on **phishing campaigns**. Malicious actors have hit gold with this product as it makes phishing campaigns lucrative and easy to launch. _BulletProofLink has been active since 2018_.

The below graph shows **phishing activity** in 2020. It indicates that phishing sites doubled during the year. It also depicts the rising trend of **phishing sites**, which is proportional to phishing attempts. This trend is alarming, as [phishing attacks](/blog/deal-with-recent-trends-in-spear-phishing-attacks/) become easier to launch and more widespread with such dedicated organizations for cybercrime.

### What is Phishing-as-a-Service, and Why Should It Be Alarming For Cybersecurity?

_Carrying out cyberattacks requires technical expertise and knowledge_. Threat actors develop their attack from scratch, from coding to hosting to selling the compromised data. _The development of a cyberattack is a challenging and laborious process_ that includes:

- **_Designing the attack:_** This step would include identifying the targets, deciding on the **spoofing and phishing** details, and figuring out further possibilities with the compromised data.
- **_Designing the phishing email:_** This step would include preparing the email along with malicious attachments or links. It would also involve hosting servers.
- **_Designing the spoof website:_** As phishing would require the victim to reveal information, _spoofing would often be used to create a fake website to lure the victim into revealing sensitive information_.
- **_Launching the attack and collecting data:_** The final step would be collecting data and either compromising an organization’s digital assets or selling the data to other malicious actors.

However, _PhaaS eliminated the above steps to make life easier for their consumers_, i.e., adversaries, opening doors to a world of large-scale disruption.

### How Does Phishing-as-a-Service Work?

_Phishing-as-a-service (PhaaS) includes a range of products from single toolkits to orchestrated campaigns_. Full-fledged campaigns are used for a fully developed **PhaaS attack**. The recently reported phishing services organization offers PhaaS as a subscription model rather than a one-time payment product.

Malicious actors can quickly launch phishing campaigns when the required tools and assistance are readily available from the PhaaS organization. These tools, designed to escape detection, have higher success rates. Most phishing kits contain at least one evasive [phishing technique](/content/phishing-techniques/).

These PhaaS offerings include evasion measures, such as:

- **_SSL certificates:_** Most phishing sites use digital certificates to prove authenticity and go undetected.
- **_Content encryption:_** Content is encrypted, thus making it readable only to people with a decryption key.
- **_Content injection:_** Security vulnerabilities of a legitimate website are exploited to modify its actual content.
- **_HTML encoding:_** HTML encoding prevents security crawlers from detecting the keywords usually found on malicious sites.
- **_Inspection blocking:_** Inspection blocking prevents security systems, bots, analysts, and security crawlers from searching for phishing sites.
- **_Cloud hosting:_** It is a tactic to present phishing sites as legitimate domains by hosting them on reputed cloud services like [cloudways](https://www.cloudways.com/en/).
- **_URLs in attachments:_** It’s a common evasive practice of including URLs in the attachment rather than the email body.
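For the HTML encoding item, the defensive counterpart is to scan what the browser would render rather than the raw markup. The sketch below is an added example, not code from the original article or from any product it mentions; the keyword list and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Illustrative keyword list (an assumption, not taken from the article).
KEYWORDS = ("sign in", "verify your account")

# Constructed sample: the rendered text reads "Sign in" and "Verify your
# account to continue.", but characters are written as character references.
SAMPLE_PAGE = (
    "<html><body><h1>&#x53;&#x69;&#x67;&#x6e; &#x69;&#x6e;</h1>"
    "<p>&#86;erify &#121;our &#97;ccount to continue.</p>"
    "<input type='password' title='&#x53;ign in'>"
    "<script>var x = 'sign in';</script></body></html>"
)


class VisibleText(HTMLParser):
    """Collects decoded text nodes and attribute values, skipping script/style."""

    def __init__(self):
        # convert_charrefs=True makes the parser decode &#NN; and &name; itself.
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        # Attribute values (title, placeholder, ...) arrive already decoded.
        self.parts.extend(value for _, value in attrs if value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def keyword_hits(text):
    """Return the keywords present in text, ignoring case and extra whitespace."""
    normalized = " ".join(text.lower().split())
    return [k for k in KEYWORDS if k in normalized]


def raw_scan(markup):
    """Naive crawler behaviour: match keywords against the undecoded markup."""
    return keyword_hits(markup)


def decoded_scan(markup):
    """Match keywords against the decoded text and attribute values."""
    parser = VisibleText()
    parser.feed(markup)
    parser.close()
    return keyword_hits(" ".join(parser.parts))


if __name__ == "__main__":
    print("raw:", raw_scan(SAMPLE_PAGE))
    print("decoded:", decoded_scan(SAMPLE_PAGE))
```

The raw scan's single hit comes from the script body, which the browser never displays, and it misses the second keyword entirely. The decoded scan finds both keywords in the heading, the paragraph and the `title` attribute.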

With every successful phishing campaign, more products are sold. The threat actors find suitable targets, design the campaign, and launch the PhaaS model efficiently.

### Cyberthreat That Cannot Be Stopped

Microsoft detected and exposed the BulletProofLink PhaaS operation owing to the high activity of the malicious organization. _It also reported that it used over 300,000 unique subdomains in a single run_. The high number of subdomains enables threat actors to send separate links to each victim, rendering **email security services** unable to intercept such scams.
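Because each victim receives a different subdomain, matching on exact URLs or hostnames sees every link only once. Grouping by base domain makes the pattern visible again. The following sketch is an added example, not part of the original article or of Microsoft's analysis; the log format, thresholds, and all domains are constructed, and taking the last two labels as the base domain is a simplification that a production version would replace with a Public Suffix List lookup.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (recipient, URL found in the message) pairs, as a mail
# gateway might log them. Every address and domain here is made up.
SAMPLE_LOG = [
    ("alice@corp.example", "https://a1f3.login-check.example/o365"),
    ("bob@corp.example",   "https://9c2e.login-check.example/o365"),
    ("carol@corp.example", "https://77bd.login-check.example/o365"),
    ("dave@corp.example",  "https://e04a.login-check.example/o365"),
    ("alice@corp.example", "https://www.vendor.example/invoice"),
    ("bob@corp.example",   "https://www.vendor.example/invoice"),
    ("carol@corp.example", "https://docs.vendor.example/help"),
    ("dave@corp.example",  "https://www.vendor.example/invoice"),
]


def base_domain(host):
    """Simplified base domain: the last two DNS labels (assumption, see lead-in)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_fanout(log, min_recipients=3, min_ratio=0.9):
    """Flag base domains where almost every recipient saw a different hostname.

    Returns {base_domain: (distinct_hostnames, distinct_recipients)}.
    The thresholds are illustrative defaults, not tuned values.
    """
    hosts = defaultdict(set)       # base domain -> distinct full hostnames
    recipients = defaultdict(set)  # base domain -> distinct recipients
    for rcpt, url in log:
        host = urlsplit(url).hostname
        if not host:
            continue  # skip entries without a parseable hostname
        base = base_domain(host)
        hosts[base].add(host)
        recipients[base].add(rcpt.lower())

    flagged = {}
    for base, names in hosts.items():
        n_hosts, n_rcpt = len(names), len(recipients[base])
        if n_rcpt >= min_recipients and n_hosts / n_rcpt >= min_ratio:
            flagged[base] = (n_hosts, n_rcpt)
    return flagged


if __name__ == "__main__":
    for base, (n_hosts, n_rcpt) in subdomain_fanout(SAMPLE_LOG).items():
        print(f"{base}: {n_hosts} hostnames across {n_rcpt} recipients")
```

In the sample, the vendor domain shows two hostnames shared by four recipients and is left alone, while the other domain shows one hostname per recipient and is flagged.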

![Phishing prevention](https://media.mailhop.org/phishprotection/images/2021/10/phishing-prevention-8716.jpg) 

Even though Microsoft unearthed this operation, BulletProofLink is unaffected and continues to operate to date. That it remains unaffected points to an indestructible and solid criminal infrastructure. Even if one detects their presence and understands how such organizations work, it is difficult to disrupt their activities. On the other hand, it is easy for malicious actors to carry out [phishing attacks](/blog/machine-learning-helps-fighting-phishing-attacks/) without any experience through phishing-as-a-service platforms.

### What Can Organizations Do to Combat Such Types of Phishing Attacks

_Threat actors constantly use phishing emails to steal sensitive information_. Businesses are a prime target of theirs. Therefore, enterprises and organizations should incorporate robust [anti-phishing solutions](/) and [anti-ransomware solutions](/products/malware-and-ransomware-protection/). Here are some critical points that organizations should consider to avoid falling victim to **phishing attacks**.

- **_Do not reply to emails requesting personal information:_** Phishing emails generally include subjects that create a sense of urgency. Individuals should never fall for such tricks or respond to such emails, even if they seem authentic. Such prudent practices will help email [phishing protection](/).
- **_Avoid clicking on links in suspicious emails:_** Phishing emails also include URLs that direct the recipient to a page to enter personal or confidential information. These pages are designed to look legitimate and trustworthy. However, the recipient should entirely refrain from clicking on such links for **email phishing protection**.
- **_Protect information assets and networks:_** Organizations and administrators should use adequate anti-spyware and firewall protection to thwart phishing attacks. They should use anti-malware and heuristics to create multiple security layers.
- **_Train employees:_** _[Employee training](/products/phishing-awareness-training/) is one of the best **phishing protection** mechanisms_ and perhaps the most underrated. Regular employee **training and awareness** drives help organizations protect their system from within.
![Phishing prevention tips](https://media.mailhop.org/phishprotection/images/2021/10/phishing-prevention-tips-7186.jpg) 

### Final Words

_[A study](https://www.statista.com/statistics/266155/number-of-phishing-domain-names-worldwide/) reports that the number of unique phishing sites quadrupled in Q3 of 2020_, compared to the previous quarter. With such a high growth rate of phishing sites, proper detection and prevention mechanisms are paramount for email [phishing protection](/). PhaaS has demonstrated that phishing activities today are carried out effortlessly, and hence, the number of organizations falling prey to such attacks will rise. Businesses should educate themselves and their employees about the latest cybersecurity risks lurking in cyberspace and _deploy the best email protection practices to mitigate those risks_.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

