The W3LL actor [2] [4] [5] [7] [8], a cybercrime group [1], has been conducting a covert phishing operation targeting corporate Microsoft 365 business email accounts for the past six years. Recently, security researchers at Singapore-based Group-IB uncovered this operation and notified law enforcement agencies.

Description

The W3LL actor runs an underground market called the W3LL Store [7], through which at least 500 threat actors can purchase a custom phishing kit called the W3LL Panel [5]. This sophisticated tool is designed to bypass multi-factor authentication (MFA) and has been updated regularly to keep it effective. The kit has been used to build close to 850 unique phishing websites between October 2022 and 2023.

The operation has targeted over 56,000 corporate Microsoft 365 accounts globally [6], compromising at least 8,000 of them [4] [5]. The attacks primarily affect organizations in the U.S. [5], U.K. [5], Australia [2] [3] [5] [7], Germany [5], Canada [5], France [5], the Netherlands [5], Switzerland [5], and Italy [5]. The phishing infrastructure has infiltrated various sectors, including manufacturing [5], IT [3] [5], consulting [3] [5], financial services [3] [5], healthcare [3] [5], and legal services [3] [5].

The W3LL Panel phishing kit, which is part of the W3LL actor’s arsenal, includes 16 custom tools designed for business email compromise (BEC) attacks and bypassing MFA protections [3]. The group operates an underground marketplace called the W3LL Store [1] [3], where users can purchase the phishing kit [2] [3]. The store offers user support [3], videos for hackers [3], and a referral bonus program [3]. The W3LL Panel kit is activated through a token-based method to prevent reselling or theft of the source code [3]. The group has sold over 3,800 items through the marketplace and currently has more than 12,000 items for sale [3]. W3LL regularly updates its tools and adds new functionalities [3].

Conclusion

The W3LL actor has been linked to almost 850 phishing sites and has targeted more than 56,000 Microsoft 365 business accounts [3], compromising over 8,000 of them [3] [4] [5]. The targets are primarily in the manufacturing [3], IT [3] [5], financial services [3] [5], consulting [3] [5], healthcare [3] [5], and legal services sectors [3] [5]. The W3LL phishing kit and its business model point to the rise of adversary-in-the-middle proxy attacks [2] [3], which bypass MFA protections and so reduce their effectiveness [3]. The W3LL actor operates as a sophisticated criminal organization and illustrates the multi-billion-dollar scale of the cybercrime industry [3]. According to Group-IB, the researchers who discovered W3LL [1], the group has made at least $500,000 in sales from its cybercrime toolkit [1].

References

[1] https://cyberscoop.com/phishing-w3ll-microsoft-365-fraud/
[2] https://www.scmagazine.com/news/w3ll-groups-phishing-tools-used-to-target-56000-corporate-microsoft-365-accounts
[3] https://securityboulevard.com/2023/09/w3ll-targets-microsoft-365-accounts-with-sophisticated-phishing-kit/
[4] https://www.redpacketsecurity.com/w-ll-store-how-a-secret-phishing-syndicate-targets-microsoft-accounts/
[5] https://thehackernews.com/2023/09/w3ll-store-how-secret-phishing.html
[6] https://www.computerweekly.com/news/366551092/Meet-the-professional-BEC-op-that-targeted-Microsoft-365-users-for-years
[7] https://publisher.tbsnews.net/world/w3ll-behind-phishing-attack-over-56000-microsoft-365-business-accounts-group-ib-696034
[8] https://www.infosecurity-magazine.com/news/experts-uncover-underground/