A cybercriminal group known as W3LL has been running a large-scale phishing operation globally, successfully compromising over 8,000 corporate Microsoft 365 business accounts in Australia, Europe, and the US over the past 10 months. Group-IB, a cybersecurity firm, has revealed that W3LL's tools have targeted at least 56,000 Microsoft 365 accounts since October of last year, a compromise rate of roughly 14.3%. The group has been able to maintain its operations and evade detection thanks to its secretive nature and its complex phishing ecosystem.
Group-IB researchers have identified close to 850 unique phishing websites linked to W3LL's tools. These websites target a wide range of industries, including manufacturing, IT, financial services, consulting, healthcare, and legal services. W3LL has also established its own private underground market, known as the W3LL Store, which caters to over 500 cybercriminals worldwide. The store sells a sophisticated phishing kit called the W3LL Panel, which allows cybercriminals of any technical skill level to set up their own phishing campaigns.
Anton Ushakov, deputy head of Group-IB’s High-Tech Crime Investigation Department, Europe, stated that what sets W3LL apart from other underground markets is its comprehensive ecosystem and custom toolset that covers the entire kill chain of business email compromise (BEC) attacks. The group has managed to stay under the radar for nearly six years by not advertising its store and exclusively serving a narrow circle of BEC criminals.
The W3LL Panel is specifically designed to target Microsoft 365 accounts and boasts multifactor authentication (MFA) bypass capabilities along with 16 other customized tools for carrying out BEC attacks. These tools include SMTP senders, a malicious link stager, a vulnerability scanner, an automated account discovery instrument, and reconnaissance tools, among others. The panel is available to phishing-as-a-service affiliates, who receive a 70/30 split on profits and a 10% referral bonus for bringing in trusted affiliates. The W3LL crew has earned approximately $500,000 from their campaigns since October 2020.
Group-IB’s findings reveal that the W3LL Store has evolved into a fully self-sufficient BEC ecosystem since 2018. The store offers a wide range of phishing services, including custom tools, mailing lists, and access to compromised servers. W3LL regularly updates its tools, improving anti-detection mechanisms and creating new functionalities. The store also provides customer support through a ticketing system and live webchat, and offers video tutorials for less skilled cybercriminals.
Phishers who use the W3LL Panel put the email accounts they compromise to a variety of uses, including data theft, fake invoice scams, impersonation of the account owner, and malware distribution. The consequences of a successful BEC attack can extend beyond financial losses to data leaks, reputational damage, compensation claims, and even lawsuits.
The emergence of W3LL and its sophisticated phishing operations highlights the need for organizations to strengthen their defenses against email-borne threats. Erich Kron, security awareness advocate at KnowBe4, emphasizes that these cybercriminal groups are not amateurs but well-organized operations with abundant resources. Kron also suggests that organizations should prepare for more convincing attacks, as artificial intelligence (AI) will augment offensive offerings in the same way it does for defense.
To protect themselves, enterprises should adopt a layered approach to cybersecurity. David Raissipour, chief technology and product officer at Mimecast, advises monitoring login activity for anomalies related to compromised accounts, regularly resetting passwords, enforcing multifactor authentication, and training employees to question unusual requests.
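The first of those controls, monitoring sign-in activity for the traces a compromised account leaves, is the one most organizations under-implement. The following is an added example, not code from the article, Group-IB, or any vendor quoted above. It assumes a simplified sign-in record format (field names `time`, `user`, `ip`, `country`, `result`, `mfa`) loosely modelled on Microsoft 365 sign-in logs, and it assumes that a kit which "bypasses MFA" does so by relaying the real login and reusing the resulting session, so the attacker's own sign-in appears as a success from an unfamiliar IP with no fresh MFA prompt. All sample records are constructed. Three rules are applied: a successful sign-in from a country absent from the user's baseline, a successful sign-in from a new IP where MFA was satisfied by an existing claim rather than an interactive prompt, and two successes from different countries inside a short travel window.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real log data). Field names are an assumption
# for this example; map them to your tenant's actual sign-in log schema.
BASELINE_SIGNINS = [  # a known-good period used to learn each user's normal locations/IPs
    {"time": "2023-07-03T08:00:00Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "AU", "result": "Success", "mfa": "interactive"},
    {"time": "2023-07-10T08:05:00Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "AU", "result": "Success", "mfa": "interactive"},
    {"time": "2023-07-05T09:00:00Z", "user": "bob@example.com", "ip": "198.51.100.7",
     "country": "DE", "result": "Success", "mfa": "interactive"},
]

RECENT_SIGNINS = [  # the window being investigated
    {"time": "2023-08-01T08:02:11Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "AU", "result": "Success", "mfa": "interactive"},
    # 38 minutes later: new country, new IP, MFA satisfied by an existing claim
    # rather than a fresh prompt -- the pattern a relayed/stolen session produces.
    {"time": "2023-08-01T08:40:00Z", "user": "alice@example.com", "ip": "192.0.2.55",
     "country": "NG", "result": "Success", "mfa": "satisfied_by_claim"},
    {"time": "2023-08-02T09:10:00Z", "user": "bob@example.com", "ip": "198.51.100.7",
     "country": "DE", "result": "Failure", "mfa": "interactive"},
    {"time": "2023-08-02T09:12:00Z", "user": "bob@example.com", "ip": "198.51.100.7",
     "country": "DE", "result": "Success", "mfa": "interactive"},
    # carol has no baseline, so the country/IP rules cannot judge her sign-in.
    {"time": "2023-08-02T10:00:00Z", "user": "carol@example.com", "ip": "192.0.2.99",
     "country": "US", "result": "Success", "mfa": "interactive"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(records):
    """Per-user sets of countries and IPs seen in successful sign-ins."""
    baseline = defaultdict(lambda: {"countries": set(), "ips": set()})
    for r in records:
        if r["result"] != "Success":
            continue
        baseline[r["user"]]["countries"].add(r["country"])
        baseline[r["user"]]["ips"].add(r["ip"])
    return dict(baseline)


def detect_anomalies(records, baseline, travel_window=timedelta(hours=1)):
    """Return (rule, user, time) tuples for successful sign-ins that look anomalous.

    Only successes are evaluated: a failed attempt is noise for these rules,
    and the thing we care about is an attacker who actually got in.
    """
    alerts = []
    last_success = {}  # user -> (timestamp, country) of the previous success
    for r in sorted(records, key=lambda rec: parse_ts(rec["time"])):
        if r["result"] != "Success":
            continue
        user, ts = r["user"], parse_ts(r["time"])
        known = baseline.get(user)

        # Rule 1: success from a country this user has never signed in from.
        if known and r["country"] not in known["countries"]:
            alerts.append(("NEW_COUNTRY", user, r["time"]))

        # Rule 2: new IP and MFA satisfied by an existing claim, no fresh prompt.
        # A relayed session (the MFA "bypass" kits advertise) looks exactly like this.
        if known and r["ip"] not in known["ips"] and r["mfa"] == "satisfied_by_claim":
            alerts.append(("SESSION_REPLAY_SUSPECT", user, r["time"]))

        # Rule 3: two successes from different countries within the travel window.
        # Country inequality is a coarse stand-in for a real geo-distance check.
        prev = last_success.get(user)
        if prev and prev[1] != r["country"] and ts - prev[0] <= travel_window:
            alerts.append(("IMPOSSIBLE_TRAVEL", user, r["time"]))

        last_success[user] = (ts, r["country"])
    return alerts


def run_detection():
    """Apply the rules to the constructed data and return the alerts."""
    return detect_anomalies(RECENT_SIGNINS, build_baseline(BASELINE_SIGNINS))


if __name__ == "__main__":
    for rule, user, when in run_detection():
        print(f"{when} {rule:24} {user}")
```

On the constructed data the three rules all fire on alice's 08:40 sign-in and nothing else. Each rule is weak alone (travellers trigger new-country alerts; single-sign-on legitimately satisfies MFA by claim), so in practice these are scored together and tuned per tenant, and an account that trips the session-replay rule is revoked (sessions invalidated, not just a password reset) before the attacker can set up the mailbox rules and forwarding that BEC relies on.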
However, Raissipour also points out that vendors, including Microsoft, should take responsibility for protecting their platforms and customers. He criticizes Microsoft for not transparently and proactively communicating updates and issues, stating that vendors should prioritize customer protection over reputation and profits.
As cybercriminal groups like W3LL continue to evolve and refine their phishing techniques, organizations and vendors alike must remain vigilant and proactive in enhancing their security measures to combat these threats effectively.