A “phishing empire” has been targeting businesses across Europe, the United States, and Australia. From October 2022 to July 2023, over 56,000 corporate Microsoft 365 accounts were targeted by phishing tools, leading to at least 8,000 of them being compromised.
W3LL, the group behind the attacks, has been active since at least 2017. The group recently started selling a phishing kit in its newly launched English-language underground marketplace.
Why it matters: According to researchers from Group-IB, the kit is “one of the most efficient and sophisticated tools in its niche,” making it a major cause for concern. By placing itself between the victim and Microsoft, the kit lets attackers capture session cookies and bypass multi-factor authentication.
- Targeted buyers of the phishing kit are criminals of varying skill levels who want to take part in schemes to defraud companies through messages that look official, otherwise known as business email compromise (BEC) attacks.
- Developers of the kit sell it via a three-month subscription model for $500 alongside an additional $150 monthly fee. The W3LL store’s revenue over the last 10 months sits at around $500,000, according to Group-IB’s estimates.
- The group also sells custom phishing lures, VPN accounts, compromised email accounts, and other shady tools on its marketplace. If threat actors combined these tools, they could implement large-scale phishing campaigns and inflict significant damage on individuals and organizations.
- Organizations, especially those in the manufacturing, IT, finance, consulting, healthcare, and legal services sectors, need to be on high alert. These attacks could open them up to data breaches, major financial losses, and ultimately harm to their reputation.
Go Deeper —> New phishing tool hijacked thousands of Microsoft business email accounts – The Record