Highlights:

  • After identifying the group and its tools, Group-IB’s analysts determined that between October 2022 and July 2023, the tools had been used to target over 56,000 corporate Microsoft 365 email accounts in the United States, Australia, and Europe.
  • The Group-IB study, which is only now describing the store, says that the threat actor is thought to have existed since 2017, when the W3LL SMTP sender, a custom tool for bulk email spam, was first released.

A recent study from cybersecurity services provider Group-IB Global Pvt. Ltd. warns of a previously almost unknown threat actor operating a “phishing empire” that targets Microsoft 365 accounts.

The organization, known as “W3LL,” runs the W3LL Store, a secret underground market that caters to a closed community of at least 500 threat actors. Alongside 16 other purpose-built tools for business email compromise (BEC) attacks, the group now sells on the site a customized phishing kit, dubbed the W3LL Panel, that is designed to bypass multifactor authentication.

After identifying the group and its tools, Group-IB’s analysts determined that between October 2022 and July 2023, the tools had been used to target over 56,000 corporate Microsoft 365 email accounts in the United States, Australia, and Europe. Selling the tools is also a lucrative business: according to the researchers, the W3LL Store generated around USD 500,000 in revenue over the previous ten months.

The Group-IB study, which is only now describing the store, says that the threat actor is thought to have existed since 2017, when the W3LL SMTP sender, a custom tool for bulk email spam, was first released. A phishing kit targeting Microsoft 365 business accounts followed later.

Following the success of the Microsoft 365 phishing kit, the organization launched its covert, English-language underground market in 2018. Over time, the market has grown into an entirely self-sufficient BEC ecosystem offering a complete range of phishing services, including custom phishing tools as well as mailing lists and access to compromised servers.

As of August, the store’s tools included W3LL Redirect, a malicious link stager; the SMTP senders PunnySender and W3LL Sender; OKELO, a vulnerability scanner; and CONTOOL, an automated account-discovery tool.

Pyry Avist, Chief Technology Officer and Co-founder of Hoxhunt Ltd., an enterprise security awareness solutions provider, said, “The W3LL phishing kit and the details of its business model signal the smoke before the coming wildfire of adversary-in-the-middle proxy attacks. AiTMs are the future of phishing because they’re extremely effective, hard to identify and detect and, most concerning, they are becoming easier to use.”

Avist noted that because AiTM attacks are built to circumvent MFA, they can diminish the standalone security value that MFA provides.
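The following is an added illustration of why a relaying proxy of the kind Avist describes defeats code-based MFA but not an origin-bound credential; it is my example, not code from the Group-IB report or the W3LL tooling. The two origins are constructed, and an HMAC stands in for a WebAuthn authenticator signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins for this example (not taken from the report).
RP_ORIGIN = "https://login.example-tenant.test"          # the real login service
PROXY_ORIGIN = "https://login.example-tenant-sso.test"   # attacker-run reverse proxy

def new_challenge() -> str:
    return secrets.token_hex(16)

# --- Factor 1: one-time code (SMS or authenticator-app OTP) ---
def otp_server_verify(expected_code: str, submitted_code: str) -> bool:
    # The server sees only the code; it cannot tell which page the user typed it into.
    return hmac.compare_digest(expected_code, submitted_code)

def otp_through_proxy(expected_code: str) -> bool:
    typed_on_proxy_page = expected_code          # victim enters the genuine code on the proxy's page
    forwarded = typed_on_proxy_page              # proxy relays it unchanged to the real server
    return otp_server_verify(expected_code, forwarded)   # accepted: the proxy now holds the session

# --- Factor 2: origin-bound assertion (WebAuthn-style) ---
def sign_assertion(key: bytes, challenge: str, origin_seen_by_browser: str) -> dict:
    # The browser, not the web page, records the origin it is actually talking to.
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()  # stand-in for the authenticator signature
    return {"client_data": client_data, "sig": sig}

def rp_verify_assertion(key: bytes, challenge: str, assertion: dict) -> bool:
    data = json.loads(assertion["client_data"])
    # Relying party checks the challenge AND that the origin is its own before checking the signature.
    if data.get("challenge") != challenge or data.get("origin") != RP_ORIGIN:
        return False
    expected = hmac.new(key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])

def webauthn_direct(key: bytes) -> bool:
    challenge = new_challenge()
    return rp_verify_assertion(key, challenge, sign_assertion(key, challenge, RP_ORIGIN))

def webauthn_through_proxy(key: bytes) -> bool:
    challenge = new_challenge()                               # real RP issues it; proxy relays it
    assertion = sign_assertion(key, challenge, PROXY_ORIGIN)  # victim's browser is on the proxy's origin
    return rp_verify_assertion(key, challenge, assertion)     # relayed verbatim, rejected on origin mismatch
```

The same relay that silently passes the OTP check fails the origin check, which is why phishing-resistant factors are the usual mitigation recommended against AiTM kits.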

“Such detailed insights into the W3LL phishing-as-a-service model help us understand what we’re up against — a sophisticated criminal organization that operates like a business. Sometimes we forget that cybercrime is a multibillion-dollar industry, whose economics dictate most threat actors’ activities,” Avist added.