W3LL Panel Phishing Kit Used to Hijack Over 56,000 Microsoft 365 Accounts | Cyware Hacker News
W3LL, a relatively unknown threat group that started six years ago with a custom tool for bulk email spam, is now running a massive operation selling a phishing kit that targets Microsoft 365 business email accounts.
According to researchers from Group-IB, the group has gone to great lengths to stay under the radar while serving a community of at least 500 threat actors on a private underground marketplace, named W3LL Store.
Diving into detail
The phishing kit called W3LL Panel is being offered along with 16 other custom tools that can be used in BEC attacks and are designed to bypass MFA protections.
- These tools are available at a fairly reasonable price and include SMTP senders (PunnySender and W3LL Sender), a malicious link stager (W3LL Redirect), a vulnerability scanner (OKELO), an automated account discovery instrument (CONTOOL), reconnaissance tools, and others.
- The W3LL threat group has been observed regularly updating its tools with new functionalities and anti-detection mechanisms.
- This, in turn, has enabled the group to make a profit of about $500,000 over the past 10 months.
Multipurpose tools
Cybercriminals can use the kit and its tools in various ways. After compromising a target account, they can steal data, run fake invoice scams, impersonate account owners, or distribute malware through the compromised account.
Popular targets
Group-IB identified close to 850 unique phishing websites attributed to the W3LL Panel.
- In the past 10 months, the phishing kit and other tools were employed to target more than 56,000 Microsoft 365 accounts across the U.S., Europe, and Australia.
- Of those, more than 8,000 were compromised, and most of the targets were in the manufacturing, IT, financial services, consulting, healthcare, and legal service sectors.
Ending notes
The ability to automate a variety of attacks has been one of the key reasons for the rising popularity of phishing kits. W3LL Panel is just one case; a surge in EvilProxy phishing attacks was also reported over the last five months. These phishing kits remain a potential threat in today’s dynamic threat landscape, which underscores the importance of staying up to date on the changing TTPs used by threat actors.