W3LL Gang Compromises Thousands of Microsoft 365 Accounts

A secretive phishing cabal boasts a sophisticated affiliate network and a modular, custom toolset that's claiming victims on three continents.

The Microsoft 365 logo is seen displayed on a smartphone and Microsoft logo in the background
Source: Igor Golovnov via Alamy Stock Photo

A sprawling phishing empire from a threat actor known as W3LL is spreading globally, successfully compromising more than 8,000 corporate Microsoft 365 business accounts in the last 10 months in Australia, Europe, and the US.

According to an investigation by Group-IB, W3LL's tools have targeted at least 56,000 Microsoft 365 accounts since last October, and enjoy a compromise success rate of 14.3%. The firm's researchers have identified close to 850 unique phishing websites attributed to the cybergang's tooling within the same time period, targeting a range of industries, including manufacturing, IT, financial services, consulting, healthcare, and legal services.

To boot, W3LL has created an eponymous, private underground market that serves a network of more than 500 cybercriminals, who can make use of a highly sophisticated phishing kit known as the W3LL Panel to set up their campaigns.

"What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost the entire kill chain of BEC and can be used by cybercriminals of all technical skill levels," said Anton Ushakov, deputy head of Group-IB's High-Tech Crime Investigation Department, Europe, in a statement.

The secretive community has stayed under the radar for nearly six years, the researchers said.

"The developer does not advertise the W3LL store and asks their customers to refrain from spreading word about it online," according to Group-IB's findings on W3LL, released Sept 6. "Due to its high efficiency, the phishing kit became trusted by a narrow circle of BEC criminals … [and] each copy of W3LL Panel has to be enabled through the token-based activation mechanism, which prevents the kit from being resold or its source code being stolen."

3LL-Oiled: Inside a Comprehensive Phishing Panel

The W3LL Panel is specifically designed to target Microsoft 365 accounts, with multifactor authentication (MFA) bypass capabilities and 16 other "fully customized tools" for carrying out business email compromise (BEC) attacks. These include licensable modules like SMTP senders (PunnySender and W3LL Sender), a malicious link stager (W3LL Redirect), a vulnerability scanner (OKELO), an automated account discovery instrument (CONTOOL), reconnaissance tools, and many more, Group-IB researchers noted.

It's available to phishing-as-a-service affiliates, who are offered a 70/30 split with the house on profits, researchers said. The market also offers a 10% "referral bonus" for bringing other trusted affiliates into the community. Collectively, campaigns have netted $500,000 for the W3LL crew since last October.

Since 2018, "the platform [has] evolved into a fully sufficient BEC ecosystem offering an entire spectrum of phishing services for cybercriminals of all levels, from custom phishing tools to supplementary items such as mailing lists and access to compromised servers," according to Group-IB's findings, which noted that W3LL regularly updates its tools, adding new functionalities, improving anti-detection mechanisms, and creating new ones.

Researchers added, "W3LL Store provides 'customer support' through a ticketing system and live webchat. Cybercriminals who do not have the skills required to leverage the tools can watch video tutorials."

Phishers using W3LL Panel may be interested in using compromised email accounts for any number of purposes, according to Group-IB, including data theft, fake invoice scams, account owner impersonation, or malware distribution.

"The consequences for a company that has suffered a BEC attack can go beyond direct financial losses (which may range from thousands to millions of dollars), and could extend to data leaks, reputational damage, compensation claims, and even lawsuits," the researchers noted.

W3LL Brings Dangerous Sophistication to Phishers

Phishing kits and phishing-as-a-service offerings are nothing new, but W3LL's highly efficient processes and professionalized business model signifies an evolution in sophistication, and organizations need to double down on their cyber protections for email-borne threats, researchers note.

"Enterprises need to understand that they are not dealing with some kid in their parents' basement trying to write code; these are well organized and large-scale operations with plenty of resources at their disposal," says Erich Kron, security awareness advocate at KnowBe4. "We certainly haven't seen the end of this type of evolution in cybercrime. Artificial intelligence (AI) will augment these offensive offerings just as they do on the defensive side, so organizations and individuals need to be prepared for more convincing attacks, whether through the phone, text messages, or email, or even a combination of these."

To protect themselves, enterprises need to take a layered approach to cybersecurity, says David Raissipour, chief technology and product officer at Mimecast.

"They must monitor login activity for anomalies related to compromised accounts," he says. "They must regularly reset passwords and enforce MFA (even with this threat posing new challenges). Finally, they must train their employees to question unusual requests, even if they are seemingly from trusted sources."

But he adds that it's not just enterprise targets who have responsibility to combat the rising tide of phishing. Echoing other criticisms, Raissipour says that Microsoft has culpability for successful attacks too.

"Vendors must take similar steps to protect their platforms and their customers," he notes. "The problem is that vendors aren't being held accountable for transparently and proactively communicating updates and issues. If there is time for a bad actor to build a toolkit, it means a vendor knew and stood by until the damage was done. Microsoft is a dominant platform provider and it is time they put their customers ahead of their reputation and profits."

Microsoft did not immediately respond to a request for comment.

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights