Bolster Secures $14M Funding Led by Microsoft's M12 to Enhance CheckPhish Phishing Tracker

A deceptive email featuring a seemingly legitimate link is still one of the most effective tactics used by cybercriminals. An AI startup, Bolster, has developed an innovative solution to counter this threat and has recently secured $14 million in funding to enhance its operations. This includes expanding its popular free phish-checking platform, aptly named CheckPhish, as well as serving its primary clients: brands and businesses.

The funding round was led by Microsoft’s venture fund, M12, marking their first investment in Bolster, with participation from Thomvest Ventures, Crosslink Capital, Liberty Global Ventures, Cheyenne Ventures, Cervin Ventures, and Transform Capital. Although Bolster has not disclosed its valuation, the company has raised approximately $40 million to date.

Bolster’s business model focuses on providing brand and URL verification services to companies that frequently communicate with customers via email, making them prime targets for malicious hackers who aim to impersonate these businesses or create counterfeit branding to sell their own products. Notable clients include industry leaders like Dropbox, Uber, LinkedIn, and Coinbase. The Cybersecurity and Infrastructure Security Agency reports that phishing schemes initiate over 90% of all cyberattacks, which can lead to data breaches, network infiltrations, and device malware.

Setting up fraudulent domain pages that mirror legitimate businesses has become alarmingly easy and inexpensive. “You can purchase tools for as little as $10 or $20 to launch phishing attacks,” explained Bolster CTO Shashi Prakash, who co-founded the company with CEO Abhishek Dubey. Cybercriminals have increasingly leveraged AI to create convincing login pages for banks and to execute phishing operations using "phishing-as-a-service" within minutes.

These attacks have grown more sophisticated and targeted. A recent case involved Mark Read, the CEO of WPP, who was the target of an attempt to solicit funds. While this particular scam was unsuccessful, it highlights the evolving nature of cyber threats.

Bolster utilizes machine learning and AI methodologies to continuously monitor the internet, including URLs, domain registration databases, discussions on forums and social media, as well as client-related emails. This technology identifies malicious activities and initiates automated takedowns of suspicious links at their source.

This method stands out because it complements the various email security tools currently available, which help filter incoming emails. While sorting through emails remains a crucial line of defense, Bolster's approach ensures that even if a malicious link bypasses initial filters, users will find it inoperable upon clicking.

In a landscape where email complexity enhances hacker evasiveness, swiftly identifying and dismantling the source of attacks is invaluable. “Bolster's unique ability to automatically eliminate the origins of these attacks is critical given the extensive scale of these criminal operations,” stated Todd Graham, managing partner at M12. Although Microsoft does not yet have a direct partnership with Bolster, Prakash sees this investment as a precursor to future collaborations.

Microsoft's interest is multifaceted: the company is a leading global brand that sends numerous user emails (I can personally confirm the plethora of “account login” emails from dubious “Microsoft” sources). Additionally, it provides cloud and software services to a vast clientele, positioning it as a key player in the market Bolster aims to serve. Lastly, as Microsoft enhances AI integration across its business, incorporating threat protection will be essential.

Graham noted that despite Bolster primarily serving B2B clients—with CheckPhish aimed at scanning websites rather than providing user-specific tools—the partnership with major brands inherently involves consumer protection. “If an impersonated email appears to come from Microsoft, it’s in the best interest of Microsoft, Wells Fargo, or any other major firm to ensure that deceptive emails are detected,” he added.