W3LL Phishing Kit Steals Microsoft Logins

May 20, 2025
Reading Time: 3 mins read
in Alerts

A sophisticated phishing campaign is actively targeting users’ Microsoft Outlook credentials. The campaign employs the W3LL Phishing Kit alongside elaborate impersonation techniques. Group-IB security researchers first identified this phishing-as-a-service (PhaaS) tool in 2022. Since then, W3LL has evolved into a comprehensive phishing ecosystem for criminals, including its own dedicated marketplace, the W3LL Store, where malicious actors can customize their phishing campaign capabilities according to their needs. The primary goal remains harvesting login credentials from unsuspecting online users, and this highly adaptable toolkit poses a significant threat to individuals and organizations alike.

The campaign primarily focuses on harvesting users’ Microsoft 365 account login credentials. It does so through adversary-in-the-middle (AitM) session hijacking: the attacker’s proxy page relays the victim’s login to the real service, captures the resulting session cookie, and thereby bypasses multi-factor authentication (MFA), since the MFA challenge has already been satisfied by the victim. The W3LL kit lures victims with convincing phishing emails that direct them to carefully crafted fake login pages, often impersonating legitimate online services such as Adobe’s Shared File platform. Security researchers from Hunt.io recently identified this active and ongoing campaign.

Their investigation began while they were analyzing suspicious content found in open directories.
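Because an AitM proxy replays a session cookie that was issued after a successful MFA challenge, the sign-in log shows "MFA satisfied" on both the victim’s and the attacker’s use of the session; a useful defender check is therefore to look for the same session identifier appearing from two different IP addresses within a short window. The following is an added example, not code from the article, Hunt.io or Group-IB; the log format and the sample events are constructed for illustration.

```python
"""Flag sign-in sessions whose cookie appears from a second IP shortly after issue."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data). Every line reports
# mfa=satisfied, which is exactly why MFA status alone cannot reveal AitM replay.
SAMPLE_EVENTS = [
    "2025-05-20T08:01:10Z alice@example.com sess=a1 ip=203.0.113.10 mfa=satisfied",
    "2025-05-20T08:03:45Z alice@example.com sess=a1 ip=198.51.100.7 mfa=satisfied",
    "2025-05-20T09:10:00Z bob@example.com sess=b7 ip=203.0.113.22 mfa=satisfied",
    "2025-05-20T15:30:00Z bob@example.com sess=b7 ip=203.0.113.22 mfa=satisfied",
]


def parse_event(line):
    """Parse one constructed log line into a dict with a datetime and key=value fields."""
    ts, user, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user, **fields}


def find_replayed_sessions(lines, window=timedelta(minutes=30)):
    """Return (user, session, first_ip, second_ip) for each session that is used
    from a different IP than the one it was first seen on, within `window` of
    that first sighting. One hit per session is enough to raise an alert."""
    by_session = defaultdict(list)
    for ev in map(parse_event, lines):
        by_session[ev["sess"]].append(ev)

    hits = []
    for sess, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        first = evs[0]
        for ev in evs[1:]:
            if ev["ip"] != first["ip"] and ev["time"] - first["time"] <= window:
                hits.append((first["user"], sess, first["ip"], ev["ip"]))
                break
    return hits


if __name__ == "__main__":
    for user, sess, ip_a, ip_b in find_replayed_sessions(SAMPLE_EVENTS):
        print(f"possible cookie replay: {user} session {sess} seen from {ip_a} then {ip_b}")
```

In the sample, alice’s session is reused from a second address within minutes and is flagged, while bob’s session stays on one address and is not.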

Hunt.io’s analysis revealed a complex server infrastructure supporting this widespread phishing campaign. The infrastructure is designed to capture stolen user credentials and funnel them directly to attacker-controlled remote servers. Researchers noted that the phishing pages are meticulously designed to mimic the look and feel of real login portals, which makes quick detection difficult for most users. When examining the servers, investigators found multiple folders named “OV6”; this folder name is a telltale signature of the W3LL phishing kit. The phishing flow starts when users are shown a fake Adobe Shared File service page.

It prompts login to access a supposedly shared document but harvests their entered credentials.

The W3LL phishing kit also employs sophisticated obfuscation techniques to avoid discovery and to evade both detection and technical analysis. One notable method is its use of IonCube, an encryption tool for PHP code, which significantly slows down research and reverse-engineering attempts. The OV6_ENCODED directory on the servers contains many heavily obfuscated PHP script files that hide the kit’s core functionality from security researchers and help it avoid detection by automated security scanning tools. A config.php file manages the kit’s operational configuration settings, allowing attackers to customize various aspects of their phishing campaigns. Network indicators include an open directory and infrastructure using old Let’s Encrypt certificates.

Reference:

  • W3LLs Phishing Enables Adversary-in-the-Middle Attacks To Steal Microsoft 365 Logins