Security researchers have exposed the activities of a threat actor known as W3LL, who has developed a highly sophisticated phishing kit capable of bypassing multi-factor authentication (MFA). Over 8,000 Microsoft 365 corporate accounts have been compromised using W3LL’s custom phishing tools, which are operated by a community of at least 500 cybercriminals.
These malicious tools cover the entire spectrum of a Business Email Compromise (BEC) operation, making them accessible to cybercriminals of varying technical skill levels.W3LL’s nefarious journey began in 2017 when they started offering a bulk email sending tool called W3LL SMTP Sender.
However, it wasn’t until they began selling a custom phishing kit focused on Microsoft 365 corporate accounts that their popularity and business took off. They established the W3LL Store, a marketplace catering exclusively to cybercriminals, where they promoted and sold their tools.
Notably, W3LL Panel, a component of their toolkit, is considered one of the most advanced phishing kits, featuring adversary-in-the-middle functionality, API access, source code protection, and more.W3LL’s tools employ various obfuscation methods to evade email filters and security agents.
They deliver phishing links through HTML attachments to avoid detection. These links initiate a series of redirects, eventually compromising Microsoft 365 accounts using an adversary/man-in-the-middle (AitM/MitM) technique. The attacker’s objective is to obtain the victim’s authentication session cookie, granting access to the compromised account. This report underscores the significant risks posed by W3LL and their tools to organizations and their security.
