Thousands of Microsoft 365 accounts under threat from W3LL phishing kit


Hundreds of threat actor groups are using a highly advanced phishing kit to target corporate Microsoft 365 accounts, with relative success, according to a new report from cybersecurity experts Group-IB. 

The phishing kit is called W3LL, and it has been in development since at least 2017. Over that time the kit has grown and improved, and its popularity has risen with it: more than 500 groups currently use it.

Those groups have managed to create roughly 850 phishing campaigns, which sought to steal Microsoft 365 credentials from more than 56,000 accounts. Apparently, they succeeded in some 8,000 instances. The result, the researchers say, is “millions of dollars” in financial losses, and possibly millions of files stolen from endpoints.

W3LL phishing attacks

One of W3LL’s key selling points is the ability to bypass multi-factor authentication, the experts said. Also, as it covers almost the entire kill chain of a Business Email Compromise (BEC) operation, it can be used by crooks “of all technical skill levels”. Finally, W3LL has its own app store, where cybercriminals can purchase different tools, modules, and other components.

Some of the key tools, as per the report, include the SMTP senders PunnySender and W3LL Sender, a malicious link stager called W3LL Redirect, a vulnerability scanner called OKELO, an automated account discovery utility called CONTOOL, and an email validator called LOMPAT.

“W3LL’s major weapon, W3LL Panel, may be considered one of the most advanced phishing kits in class, featuring adversary-in-the-middle functionality, API, source code protection, and other unique capabilities,” Group-IB explained. 
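The adversary-in-the-middle functionality Group-IB describes is what lets a kit of this type get past multi-factor authentication: the victim completes MFA against the real login page, relayed through the attacker's proxy, and what the attacker ends up holding is an already-authenticated session. From a defender's side, one practical signal for that is an MFA-backed session suddenly being used from a different client address shortly after it was issued. The script below is an added illustration of that detection heuristic; it is not code from Group-IB, from the article, or from Microsoft, and the event schema, field names, and sample records are constructed for the example rather than taken from any real sign-in log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, not Microsoft 365's own log format).
# Each record is one authentication or activity event tied to a session identifier.
SAMPLE_EVENTS = [
    # Alice signs in with MFA, keeps working, then her session is used from a second IP.
    {"ts": "2023-09-06T09:00:00", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "mfa": True},
    {"ts": "2023-09-06T09:03:00", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "mfa": False},
    {"ts": "2023-09-06T09:05:00", "user": "alice@example.com", "session": "S1",
     "ip": "198.51.100.7", "mfa": False},
    # Bob signs in with MFA and only ever uses the session from the same IP.
    {"ts": "2023-09-06T10:00:00", "user": "bob@example.com", "session": "S2",
     "ip": "192.0.2.5", "mfa": True},
    {"ts": "2023-09-07T10:00:00", "user": "bob@example.com", "session": "S2",
     "ip": "192.0.2.5", "mfa": False},
]


def find_session_reuse(events, window=timedelta(hours=1)):
    """Flag sessions that were used from a client IP other than the one that
    completed MFA, within `window` of that MFA sign-in.

    Returns a list of (user, session, mfa_ip, other_ip) tuples, one per session.
    This is a heuristic: VPN switches and mobile network changes can trigger it
    too, so treat hits as leads for investigation, not proof of compromise.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["user"], e["session"])].append(e)

    findings = []
    for (user, session), evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        # The MFA-backed event anchors the session to the IP that satisfied MFA.
        origin = next((e for e in evs if e["mfa"]), None)
        if origin is None:
            continue
        t0 = datetime.fromisoformat(origin["ts"])
        for e in evs:
            elapsed = datetime.fromisoformat(e["ts"]) - t0
            if e["ip"] != origin["ip"] and timedelta(0) <= elapsed <= window:
                findings.append((user, session, origin["ip"], e["ip"]))
                break  # one finding per session is enough
    return findings


if __name__ == "__main__":
    for user, session, mfa_ip, other_ip in find_session_reuse(SAMPLE_EVENTS):
        print(f"{user}: session {session} satisfied MFA from {mfa_ip} "
              f"but was used from {other_ip} shortly after")
```

The window and the "one hit per session" rule are tuning choices; in a real deployment you would feed this the tenant's actual sign-in and activity export, key on whatever session or token identifier that source exposes, and suppress known-good network changes before alerting.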

Phishing is one of the most popular, and most basic, attack vectors. It’s cheap to set up and can easily be automated. With email’s wide reach, the potential of phishing attacks is unparalleled. Even today, most cyberattacks start with an email message that carries either a malicious attachment or a link.

Via: BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.