Over the last six years, a previously unrecorded “phishing empire” has been tied to cyber attacks targeting Microsoft 365 business email accounts.
Group-IB Analysis
“The threat actor established an underground marketplace called W3LL Store, catering to a closed community of at least 500 threat actors who could buy a customized phishing kit named W3LL Panel, designed to circumvent MFA, along with 16 other fully tailored tools for business email compromise (BEC) attacks,” stated Group-IB in a report.
Noteworthy Statistics
This phishing network is believed to have targeted over 56,000 corporate Microsoft 365 accounts between October 2022 and July 2023, successfully compromising at least 8,000 of them, with a primary focus on the U.S., U.K., Australia, Germany, Canada, France, the Netherlands, Switzerland, and Italy. Over that period the operation is estimated to have raked in illicit profits totalling $500,000 for its operators.
Sectors Compromised
Multiple sectors fell prey to this phishing scheme, including manufacturing, IT, consulting, financial services, healthcare, and legal services. Group-IB identified nearly 850 phishing websites linked to the W3LL Panel during the same timeframe.
Strengths of W3LL
The company has described W3LL as a comprehensive phishing tool that offers a wide range of services, from custom phishing tools to mailing lists and access to compromised servers, emphasizing the growing trend of phishing-as-a-service (PhaaS) platforms.
- A key element of W3LL’s malware is an adversary-in-the-middle (AiTM) phishing kit capable of bypassing multi-factor authentication (MFA) safeguards. It’s available for $500 for a three-month subscription, followed by a monthly fee of $150.
- The panel incorporates anti-bot features to evade automated web content scanners, extending the lifespan of their phishing and malware campaigns.
Operating since 2017, the threat actor responsible for this kit has a history of developing tailored software for mass email spam before venturing into setting up phishing tools to compromise corporate email accounts.
Beware of Secret Phishing Syndicate
BEC attacks employing the W3LL phishing kit begin with a preparatory phase.
Phase 1: The operator verifies target email addresses using an auxiliary tool called LOMPAT and delivers the phishing messages. Recipients who click the deceptive link or attachment are first passed through an anti-bot script intended to weed out unwanted visitors.
Phase 2: Victims are directed to the phishing landing page through a redirect chain, where AiTM tactics are used to harvest credentials and session cookies.
Phase 3: Armed with this access, the threat actor logs in to the victim’s Microsoft 365 account without triggering MFA, automatically identifies accounts on the host using a customized tool called CONTOOL, and gathers emails, phone numbers, and other data.
Other noteworthy tactics employed by the malware author include using Hastebin, a file-sharing service, to store stolen session cookies, and using Telegram and email to transmit the credentials to criminal actors.
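The defensive counterpart to Phase 2 and Phase 3 is looking for the trace a replayed session cookie leaves behind: an MFA prompt answered interactively from one address, followed shortly by the same session being presented from an unrelated address without a fresh MFA challenge. The following Python is an added example written for this article; it is not code from Group-IB or from the W3LL toolset. The sign-in records are constructed, and the field names (`ts`, `user`, `ip`, `session_id`, `mfa`, `result`) are assumptions chosen for the example rather than the schema of any particular product's sign-in log.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample sign-in records for this example only (not real tenant
# data). Field names are assumptions for the example, not a product schema.
SAMPLE_EVENTS = [
    # alice: MFA answered interactively from one IP, then the same session is
    # presented under three minutes later from an unrelated IP, which is the
    # pattern a replayed session cookie leaves behind.
    {"ts": "2023-06-01T09:00:05Z", "user": "alice@example.com",
     "ip": "203.0.113.10", "session_id": "s-1111",
     "mfa": "interactive", "result": "success"},
    {"ts": "2023-06-01T09:02:40Z", "user": "alice@example.com",
     "ip": "198.51.100.77", "session_id": "s-1111",
     "mfa": "claim_in_token", "result": "success"},
    # bob: normal behaviour, session reused from the same IP.
    {"ts": "2023-06-01T10:30:00Z", "user": "bob@example.com",
     "ip": "203.0.113.22", "session_id": "s-2222",
     "mfa": "interactive", "result": "success"},
    {"ts": "2023-06-01T11:00:00Z", "user": "bob@example.com",
     "ip": "203.0.113.22", "session_id": "s-2222",
     "mfa": "claim_in_token", "result": "success"},
    # carol: failed sign-in, so there is no successful MFA anchor to compare.
    {"ts": "2023-06-01T12:00:00Z", "user": "carol@example.com",
     "ip": "203.0.113.5", "session_id": "s-3333",
     "mfa": "interactive", "result": "failure"},
]


def _parse_ts(ts: str) -> datetime:
    """Parse the constructed UTC timestamp format used in SAMPLE_EVENTS."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _same_ipv4_slash24(ip_a: str, ip_b: str) -> bool:
    """True when both addresses share an IPv4 /24 (a crude NAT-pool heuristic)."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != 4 or b.version != 4:
        return a == b
    return (ipaddress.ip_network(f"{ip_a}/24", strict=False)
            == ipaddress.ip_network(f"{ip_b}/24", strict=False))


def detect_session_replay(events, window_hours: int = 24):
    """Flag sessions whose MFA prompt was satisfied from one IP and which are
    then presented from a different IP within window_hours.

    Returns one alert dict per suspicious event.
    """
    by_session = defaultdict(list)
    for ev in events:
        if ev["result"] == "success":
            by_session[ev["session_id"]].append(ev)

    alerts = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: _parse_ts(e["ts"]))
        # The anchor is the sign-in where the user actually answered MFA.
        anchor = next((e for e in evs if e["mfa"] == "interactive"), None)
        if anchor is None:
            continue
        t0 = _parse_ts(anchor["ts"])
        for ev in evs:
            t = _parse_ts(ev["ts"])
            if t <= t0 or t - t0 > timedelta(hours=window_hours):
                continue
            if ev["ip"] == anchor["ip"]:
                continue
            # Same /24 is more likely a NAT pool than a proxy: lower severity.
            same_net = _same_ipv4_slash24(anchor["ip"], ev["ip"])
            alerts.append({
                "user": ev["user"],
                "session_id": session_id,
                "mfa_ip": anchor["ip"],
                "replay_ip": ev["ip"],
                "seconds_after_mfa": int((t - t0).total_seconds()),
                "severity": "medium" if same_net else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed records, only alice's session is flagged: her MFA was answered from 203.0.113.10 and the same session appears 155 seconds later from 198.51.100.77, in a different /24, so the alert is rated high. Bob's reuse from the same address is ignored, and carol's failed sign-in never becomes an anchor. In production the same logic would consume real sign-in exports and should be paired with a response that revokes the session rather than only alerting.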
“What sets W3LL Store and its products apart from other underground markets is that W3LL established not just a marketplace but a complex phishing ecosystem with a fully adaptable toolset that covers almost the entire BEC killchain, accessible to cybercriminals of varying technical skill levels,” remarked Group-IB’s Anton Ushakov.
“The rising demand for phishing tools has spawned a thriving underground market, attracting more vendors. This competition fuels ongoing innovation among phishing developers, aiming to enhance the efficiency of their malicious tools with new features and approaches to their criminal operations.”
Microsoft has warned about the proliferation of AiTM techniques facilitated by PhaaS platforms such as EvilGinx, Modlishka, Muraena, EvilProxy, and Greatness, which let attackers access privileged systems at scale without re-authentication.
Not sure, but stunned!
Such a comprehensive underground marketplace highlights the demand for phishing tools in the cybercriminal community. Intense competition among vendors drives continuous innovation, resulting in increasingly efficient and adaptable malicious tools.
W3LL’s phishing empire exemplifies the changing demands of cyber threats, particularly in BEC attacks. Organizations must remain vigilant, enhance their email security measures, and educate their personnel about the risks of such sophisticated phishing campaigns.