W3LL Phishing Kit Steals Microsoft Logins

May 20, 2025
in Alerts

A phishing campaign is actively targeting users' Microsoft Outlook credentials using the W3LL Phishing Kit together with elaborate impersonation techniques. Group-IB security researchers first identified this phishing-as-a-service (PhaaS) tool in 2022. Since then, W3LL has grown into a full phishing ecosystem for criminals, complete with its own marketplace, the W3LL Store, where operators can tailor their campaign capabilities to their needs. The primary goal remains harvesting login credentials from unsuspecting users, and the toolkit's adaptability makes it a significant threat to individuals and organizations alike.

The campaign focuses on harvesting Microsoft 365 account credentials through adversary-in-the-middle (AitM) session hijacking. By capturing the victim's active session cookie, the attacker bypasses multi-factor authentication (MFA): the cookie is issued after MFA has already been completed, so replaying it needs no second factor. The W3LL kit lures victims with convincing phishing emails that direct them to fake login pages, which often impersonate legitimate services such as Adobe's Shared File platform. Researchers at Hunt.io identified this ongoing campaign while analyzing suspicious content found in open directories.

Hunt.io's analysis revealed the server infrastructure behind the campaign, built to capture stolen credentials and funnel them directly to attacker-controlled remote servers. The phishing pages closely mimic the look and feel of real login portals, which makes detection difficult for most users. On the servers, investigators found multiple folders named "OV6", a telltale signature of the W3LL phishing kit. The phishing flow starts with a fake Adobe Shared File page that prompts the user to log in to access a supposedly shared document and harvests the credentials they enter.

The W3LL phishing kit also uses obfuscation to evade detection and analysis. One notable method is IonCube, an encryption tool for PHP code, which significantly slows research and reverse-engineering efforts. The OV6_ENCODED directory on the servers holds heavily obfuscated PHP scripts that hide the kit's core functionality from researchers and from automated security scanners. A config.php file manages the kit's operational settings, letting attackers customize aspects of their campaigns. Network indicators include an open directory and infrastructure using old Let's Encrypt certificates.
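One way a defender might hunt for these artifacts on a recovered server image or an open-directory mirror, as an added example (not code from the article or from Hunt.io): it walks a web root for the OV6 and OV6_ENCODED folders, a config.php inside them, and PHP files carrying an ionCube loader stub. The ionCube check assumes that encoded files open with a stub referencing the "ionCube Loader" extension, and the sample tree it scans is constructed.

```python
import os
import tempfile

# Directory names the article ties to the kit (matched case-insensitively).
KIT_DIR_NAMES = {"ov6", "ov6_encoded"}
# Assumption: ionCube-encoded PHP files begin with a loader stub that
# names the "ionCube Loader" extension; only that stub is looked for.
IONCUBE_MARKER = b"ionCube Loader"


def looks_ioncube_encoded(path, head_bytes=4096):
    """True if the start of a PHP file carries an ionCube loader stub."""
    with open(path, "rb") as fh:
        head = fh.read(head_bytes)
    return head.startswith(b"<?php") and IONCUBE_MARKER in head


def scan_webroot(root):
    """Walk a web root; return sorted (indicator, path) pairs, '/'-separated."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        in_kit_dir = os.path.basename(dirpath).lower() in KIT_DIR_NAMES
        if in_kit_dir:
            hits.append(("kit_directory", rel_dir))
        for name in filenames:
            rel = name if rel_dir == "." else rel_dir + "/" + name
            if in_kit_dir and name.lower() == "config.php":
                hits.append(("kit_config", rel))
            if name.lower().endswith(".php") and looks_ioncube_encoded(
                    os.path.join(dirpath, name)):
                hits.append(("ioncube_php", rel))
    return sorted(hits)


def build_sample_webroot():
    """Constructed sample tree (placeholder content, not real kit files)."""
    root = tempfile.mkdtemp(prefix="w3ll_triage_")
    enc = os.path.join(root, "OV6", "OV6_ENCODED")
    os.makedirs(enc)
    with open(os.path.join(root, "OV6", "config.php"), "w") as fh:
        fh.write("<?php $cfg = array(); // constructed placeholder\n")
    with open(os.path.join(enc, "login.php"), "wb") as fh:
        fh.write(b"<?php //0046a\nif(!extension_loaded('ionCube Loader')){die();}\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'benign page';\n")
    return root


if __name__ == "__main__":
    for indicator, path in scan_webroot(build_sample_webroot()):
        print(f"{indicator:14s} {path}")
```

A hit on any one indicator is a triage lead, not proof; the benign index.php in the sample tree shows the scanner stays quiet on ordinary PHP.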

Reference:

  • W3LL's Phishing Enables Adversary-in-the-Middle Attacks To Steal Microsoft 365 Logins

Tags: Cyber Alerts, Cyber Alerts 2025, Cyberattack, Cybersecurity, May 2025