W3ll Phishing Kit Hijacks Thousands of Microsoft 365 Accounts, Bypasses MFA

Cyber Security Threat Summary:
An entity identified as W3LL created a phishing toolkit capable of evading multi-factor authentication and employed various tools to compromise over 8,000 corporate Microsoft 365 accounts. Over the course of ten months, security experts detected the utilization of W3LL's resources and infrastructure in the establishment of approximately 850 phishing campaigns, targeting login credentials for more than 56,000 Microsoft 365 accounts.

“Researchers say that W3LL’s inventory covers almost the entire kill chain of a BEC operation and can be operated by ‘cybercriminals of all technical skill levels.’ In a report today, cybersecurity company Group-IB provides details about W3LL and how it grew to be one of the most advanced malicious developers for BEC groups. The first evidence of W3LL’s activity appears to be from 2017 when the developer started to offer a custom tool for bulk email sending called W3LL SMTP Sender, which was used for spamming. The actor’s popularity and business started to grow when it started to sell a custom phishing kit focused on Microsoft 365 corporate accounts. In 2018, W3LL launched its W3LL Store, an English-speaking marketplace where it could promote and sell its tools to a closed community of cybercriminals, the researchers say” (BleepingComputer, 2023).

In addition to the W3LL Panel, which was created with the intention of circumventing multi-factor authentication (MFA), the attacker offers a collection of 16 additional tools specifically geared towards Business Email Compromise (BEC) attacks. This assortment comprises:

  • SMTP senders PunnySender and W3LL Sender
  • The malicious link stager W3LL Redirect
  • A vulnerability scanner called OKELO
  • An automated account discovery utility named CONTOOL
  • An email validator called LOMPAT

According to Group-IB, W3LL Store offers solutions for deploying a BEC attack from the initial stage of picking victims, phishing lures with weaponized attachments (default or customized), to launching phishing emails that land in the victims’ inboxes. The researchers say that W3LL is sufficiently skilled to protect its tools from being detected or taken down by deploying and hosting them on compromised web servers and services.

In a newer version, W3LL added more layers of obfuscation and encoding, loading scripts directly from the W3LL Panel instead of embedding them in the HTML. To compromise a Microsoft 365 account, W3LL employs an adversary-in-the-middle (AitM/MitM) technique, relaying the communication between the victim and Microsoft’s servers through the W3LL Panel, with the W3LL Store acting as the backend. The process involves CAPTCHA verification, setting up fake login pages, obtaining authentication session cookies, and validating passwords. Once the authentication session cookie is obtained, the victim is shown a PDF document to make the login request seem legitimate. W3LL also uses CONTOOL to automate the discovery of emails, phone numbers, attachments, documents, and URLs used by the victim, aiding lateral movement. CONTOOL can monitor, filter, and modify incoming emails and send notifications to a Telegram account based on specific keywords.
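The AitM flow described above leaves a trace on the tenant side: the interactive sign-in (password plus MFA) is completed through the kit's proxy rather than the victim's own device, and the harvested session cookie is then presented from the operator's infrastructure. The following script is an added example for this summary, not code from Group-IB or BleepingComputer; it applies two detection heuristics to a constructed, simplified sign-in log. The record layout, the field names and the ASN enrichment are assumptions made for the example, not the log schema of any real identity provider.

```python
"""Heuristic detection of a proxied login and a replayed session cookie.

Added example for this summary, not code from Group-IB or BleepingComputer.
Runs over a simplified, constructed sign-in log; the record layout and field
names are assumptions for the example, not a real identity provider's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class SignInEvent:
    user: str
    session_id: str   # identifier tying later token use back to the sign-in
    asn: str          # autonomous system of the source IP (assumed enrichment)
    ip: str
    ts: datetime
    event: str        # "interactive" = password and MFA completed; "token_use" = cookie/token presented


# Constructed sample log (not real telemetry). alice's session is consumed from a
# second network minutes after it was created; carol completes MFA from a network
# never seen for her, which is what a login relayed through a proxying phishing
# panel looks like to the tenant.
SAMPLE_LOG: List[SignInEvent] = [
    SignInEvent("alice@example.com", "sess-1", "AS64496", "198.51.100.10", datetime(2023, 9, 6, 9, 0), "interactive"),
    SignInEvent("alice@example.com", "sess-1", "AS64496", "198.51.100.10", datetime(2023, 9, 6, 9, 5), "token_use"),
    SignInEvent("alice@example.com", "sess-1", "AS64511", "203.0.113.77", datetime(2023, 9, 6, 9, 7), "token_use"),
    SignInEvent("bob@example.com", "sess-2", "AS64500", "192.0.2.20", datetime(2023, 9, 6, 10, 0), "interactive"),
    SignInEvent("bob@example.com", "sess-2", "AS64500", "192.0.2.20", datetime(2023, 9, 6, 13, 0), "token_use"),
    SignInEvent("carol@example.com", "sess-3", "AS64520", "203.0.113.90", datetime(2023, 9, 6, 11, 0), "interactive"),
]

# Constructed per-user baseline of networks observed during a learning period.
KNOWN_ASNS: Dict[str, Set[str]] = {
    "alice@example.com": {"AS64496"},
    "bob@example.com": {"AS64500"},
    "carol@example.com": {"AS64500"},
}


def find_suspicious_sessions(log: List[SignInEvent], known_asns: Dict[str, Set[str]],
                             window: timedelta = timedelta(hours=1)) -> List[dict]:
    """Apply two heuristics and return one finding dict per hit.

    1. new_network_signin: an MFA-satisfied interactive sign-in from an ASN the
       user has never used. In an AitM flow the login the identity provider sees
       comes from the kit's proxy, not the victim's device, so the network is
       new even though password and MFA were correct.
    2. session_reuse_from_other_network: the same session id is presented from a
       different ASN within `window` of the sign-in that created it, i.e. the
       harvested cookie is being used somewhere other than where the login ran.
    """
    events = sorted(log, key=lambda e: e.ts)
    origin: Dict[str, SignInEvent] = {}      # session_id -> interactive sign-in that created it
    findings: List[dict] = []
    flagged: Set[str] = set()                # sessions already reported for reuse

    for ev in events:
        if ev.event == "interactive":
            origin[ev.session_id] = ev
            if ev.asn not in known_asns.get(ev.user, set()):
                findings.append({"kind": "new_network_signin", "user": ev.user,
                                 "session_id": ev.session_id, "asn": ev.asn, "ip": ev.ip})
        elif ev.event == "token_use" and ev.session_id in origin:
            start = origin[ev.session_id]
            if (ev.asn != start.asn and ev.ts - start.ts <= window
                    and ev.session_id not in flagged):
                flagged.add(ev.session_id)
                findings.append({"kind": "session_reuse_from_other_network", "user": ev.user,
                                 "session_id": ev.session_id, "signin_asn": start.asn,
                                 "reuse_asn": ev.asn, "reuse_ip": ev.ip,
                                 "minutes_after_signin": int((ev.ts - start.ts).total_seconds() // 60)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sessions(SAMPLE_LOG, KNOWN_ASNS):
        print(finding)
```

Both heuristics are deliberately coarse: a user on a new mobile carrier or VPN will trigger the first, and a laptop roaming between networks can trigger the second, so in practice the output feeds an analyst queue or a conditional-access response (revoke sessions, re-prompt for phishing-resistant MFA) rather than an automatic lockout.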

Security Officer Comments:
The W3LL threat actor has been operational for approximately five years, building a clientele of over 500 cybercriminals who have access to a catalog of over 12,000 offerings. In addition to phishing and BEC-related tools, W3LL offers compromised web services such as web shells, email accounts, and content management systems. They also provide access to SSH and RDP servers, hosting and cloud service accounts, business email domains, VPN credentials, and hijacked email accounts. According to Group-IB researchers, between October 2022 and July 2023, W3LL facilitated the sale of more than 3,800 items, resulting in an estimated turnover surpassing $500,000.

Suggested Correction(s):
Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask their customers for sensitive data. If in doubt, users should verify with the company itself to avoid any potential issues.

Users should always look closely at the sender’s display name and the address behind it when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.

As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.

Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering over it might reveal a different web address. In fact, users should avoid clicking links in emails unless they are certain that the link is legitimate.
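The two checks above (sender domain versus the brand the display name claims, and visible link text versus the actual link target) can be automated for triage of reported messages. The script below is an added example for this summary, not part of the original text or of any vendor's tooling. The message it parses is constructed, with reserved `.example` domains, and the `brand_keyword`/`brand_domain` pairing is an assumption made for the example.

```python
"""Automate two manual phishing checks: sender domain vs. claimed brand, and
anchor text vs. href target. Added example for this summary; the message below
is constructed (reserved .example domains), not a real lure.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample message. The display name claims a brand, the From and
# Reply-To domains disagree, and the first link's visible text is a legitimate
# login URL while its href points elsewhere.
SAMPLE_EMAIL = """\
From: "Microsoft 365 Support" <no-reply@m365-login-verify.example>
Reply-To: helpdesk@mail-verify.example
To: alice@example.com
Subject: Action required: your mailbox will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear user, verify your account now.</p>
<p><a href="https://m365-login-verify.example/auth">https://login.microsoftonline.com</a></p>
<p><a href="https://www.example.com/help">Help center</a></p>
</body></html>
"""


def registrable(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain.
    A production check would use the Public Suffix List instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Dict[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append({"href": self._href, "text": "".join(self._text).strip()})
            self._href = None


def analyze(raw: str, brand_keyword: str, brand_domain: str) -> List[str]:
    """Return human-readable findings; an empty list means no check fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    display_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_dom = registrable(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""

    # Check 1: display name invokes the brand but the address is on another domain.
    if brand_keyword.lower() in display_name.lower() and from_dom != brand_domain:
        findings.append(f"display name '{display_name}' suggests {brand_domain} "
                        f"but the sender domain is '{from_dom}'")

    # Check 1b: replies are routed to a third domain.
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if "@" in reply_to and registrable(reply_to.rsplit("@", 1)[-1]) != from_dom:
        findings.append(f"Reply-To domain '{registrable(reply_to.rsplit('@', 1)[-1])}' "
                        f"differs from From domain '{from_dom}'")

    # Check 2: visible text is itself a URL whose host differs from the real target.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for link in collector.links:
        if link["text"].startswith(("http://", "https://")):
            shown = registrable(urlparse(link["text"]).hostname or "")
            actual = registrable(urlparse(link["href"]).hostname or "")
            if shown != actual:
                findings.append(f"link text shows '{shown}' but points to '{actual}'")
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EMAIL, "microsoft", "microsoft.com"):
        print("-", f)
```

Links whose visible text is a word rather than a URL ("Help center") are not flagged here, because there is nothing to compare; that case is the one a user still has to hover over, or a mail gateway has to rewrite and inspect at click time.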

Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.

Users should not be frightened or intimidated by messages that have an alarmist tone. They should double-check with the company if they are uncertain about the status of their accounts.

Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.

Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.

Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.

Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.

It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.

If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.