Phishing kits as a service (attacks for sale!) · Kluetek

Phishing kits as a service (attacks for sale!)

Microsoft traced an operation sending millions of malicious emails a day — powered by phishing kits now sold as a $300–$1000 / month subscription. What the kits do and why they work.

·2023-03-14·5 min read

Microsoft researchers uncovered a large operation using phishing kits to send millions of emails a day with malicious attachments — behind much of the recent uptick in phishing against companies worldwide. The attacks trick people into giving up sensitive information like passwords and card numbers, and the kits have now evolved into a monthly subscription service priced from $300 to $1000 a month.

What the kits do

Phishing kits let cybercriminals build customised campaigns with little technical knowledge. They are sold on underground forums and marketplaces, sometimes for as little as $100 per kit, or per component such as a single template. The credential pages harvest passwords and session cookies directly, and the attachments the campaigns carry can drop malware that steals email credentials, installs spyware, or delivers ransomware.

Microsoft Exchange as the attack vector

The campaign sends its mail through Microsoft Exchange, which lends the messages an air of legitimacy and gets them past many email filters. The emails go out to large numbers of recipients in high volume, and the operators see enough success that Microsoft felt the need to warn users directly.

// what the kits let an attacker change
  • Subject line and body text
  • Logos and branding to impersonate a bank or vendor
  • Links and attachments — no HTML or code knowledge required
  • A fake login page that harvests whatever you type

Why it works

A typical attack looks like an email from a bank or financial institution asking you to click a link or open an attachment. The destination looks like an official login page, but it is harvesting your credentials for later use. Security vendors catch many of these before they land, often on keywords like ‘password reset’ or ‘account verification’, but at this volume some always get through, and they reach people who don’t know the signs: a link whose visible text says one site while its real destination is another, a sender domain that doesn’t match where the link goes, and urgency language designed to stop you checking.
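As an added example (not code from Microsoft, from this site’s engagements, or from the kits described above), here is a small triage script that checks an inbound message for the signs the post lists: urgent account language, a link whose visible text does not match its real destination, a link that leaves the sender’s domain, and an attachment. It covers both the kit-customisable fields listed earlier (subject, branding, links, attachments) and the keyword-style checks vendors use. The two sample messages, and the contoso/fabrikam domains in them, are constructed for the demo.

```python
"""Triage an inbound email for common phishing signs.
Added example; not Microsoft's, not any kit's code. Sample messages below are constructed."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases keyword filters commonly key on (the post names the first two).
URGENCY = ("password reset", "account verification", "verify your account",
           "urgent", "suspended", "within 24 hours")
# Visible link text that looks like a URL or domain, so it can be compared to the href.
DOMAINISH = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#]\S*)?$")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_domain: str) -> str:
    """Lower-cased host of a URL, or of bare domain text such as 'www.x.com/path'."""
    s = url_or_domain if "://" in url_or_domain else "http://" + url_or_domain
    return (urlparse(s).hostname or "").lower()


def _same_org(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def triage(raw: str) -> dict:
    """Return findings and a verdict for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings, text = [], msg.get("Subject", "")
    for part in msg.walk():
        if "attachment" in str(part.get("Content-Disposition", "")):
            findings.append(f"attachment: {part.get_filename()}")
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue  # multipart containers and other parts carry no body text
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        text += "\n" + body
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(body)
            for href, shown in collector.links:
                real = _host(href)
                if sender_domain and real and not _same_org(real, sender_domain):
                    findings.append(f"link to {real} leaves sender domain {sender_domain}")
                if DOMAINISH.match(shown) and _host(shown) != real:
                    findings.append(f"link text shows {_host(shown)} but goes to {real}")
    lowered = text.lower()
    hits = [k for k in URGENCY if k in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return {"score": len(findings), "findings": findings,
            "verdict": "suspicious" if len(findings) >= 2 else "ok"}


# Constructed sample: the classic bank-style lure with a mismatched link and an attachment.
PHISH = """From: Contoso Bank <alerts@contoso.com>
To: user@example.com
Subject: Urgent: account verification required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended within 24 hours.</p>
<p><a href="http://contoso-secure-login.example/verify">https://www.contoso.com/login</a></p>
</body></html>
--b1
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="statement.html"

PGh0bWw+
--b1--
"""

# Constructed sample: an ordinary newsletter whose link stays on the sender's domain.
BENIGN = """From: Fabrikam <news@fabrikam.com>
To: user@example.com
Subject: March product newsletter
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>New this month on the blog:</p>
<p><a href="https://www.fabrikam.com/blog">www.fabrikam.com/blog</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(sample))
```

The link-text check is deliberately narrow: only visible text that itself looks like a domain or URL is compared, so ordinary anchor text such as “Log in” does not produce false positives. The sender-domain check treats subdomains of the From domain as first-party; a real deployment would also want a public-suffix list and the Return-Path or DKIM domain rather than the easily forged From header.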

Conclusion

Microsoft identified at least two kits being used to push malicious attachments and URLs at scale through Exchange. It is working with law enforcement and other vendors to trace the source, and says its own systems have been detecting and blocking these emails. The defence for the rest of us hasn’t changed: MFA (phishing-resistant where you can get it, since a kit that captures your session cookie rides past a one-time code), scepticism toward ‘urgent’ account emails, and never logging in through a link you didn’t initiate.

phishing · phishing-as-a-service · Microsoft · credential theft · ransomware
// names, hosts and indicators are redacted — we describe engagements in shape and outcome only.