W3LL phishing kit hijacks thousands of Microsoft 365 accounts, bypasses MFA
A threat actor known as W3LL developed a phishing kit that can bypass multi-factor authentication along with other tools that compromised more than 8,000 Microsoft 365 corporate accounts.
In ten months, security researchers discovered that W3LL's utilities and infrastructure were used to set up about 850 phishing that targeted credentials for more than 56,000 Microsoft 365 accounts.
"W3LL's major weapon, W3LL Panel, may be considered one of the most advanced phishing kits in class, featuring adversary-in-the-middle functionality, API, source code protection, and other unique capabilities" - Group-IB. W3LL arsenal for BEC attacks.
This is the W3LL Panel phishing page ready to collect Microsoft 365 account credentials.
Group-IB researchers explain that the initial link in a phishing lure does not lead to the fake Microsoft 365 login page in the W3LL Panel; it is only the start of a redirect chain intended to prevent the discovery of W3LL Panel phishing pages.
To compromise a Microsoft 365 account, W3LL uses the adversary/man-in-the-middle technique, in which communication between the victim and the Microsoft server passes through the W3LL Panel, with the W3LL Store acting as a backend system.
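A defender-side illustration of the adversary-in-the-middle flow described above, as an added example that is not from Group-IB or the original article: because the sign-in is relayed through the phishing infrastructure, one heuristic (an assumption here, not a finding from the report) is to flag a session whose MFA sign-in IP differs from the IP that uses the same session shortly afterwards. The event field names and the sample records are constructed and do not follow any real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names are hypothetical, not a real log schema.
EVENTS = [
    {"time": "2023-09-06T09:00:05", "user": "alice@example.com", "session": "s-100",
     "kind": "signin", "mfa": True, "ip": "198.51.100.7"},
    {"time": "2023-09-06T09:03:40", "user": "alice@example.com", "session": "s-100",
     "kind": "mail_access", "mfa": False, "ip": "203.0.113.50"},
    {"time": "2023-09-06T10:15:00", "user": "bob@example.com", "session": "s-200",
     "kind": "signin", "mfa": True, "ip": "192.0.2.10"},
    {"time": "2023-09-06T10:20:00", "user": "bob@example.com", "session": "s-200",
     "kind": "mail_access", "mfa": False, "ip": "192.0.2.10"},
]

def find_relayed_sessions(events, window=timedelta(minutes=30)):
    """Return findings for sessions whose MFA sign-in IP differs from a later
    request IP inside `window` (one session used from two network locations)."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)
    findings = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])  # ISO 8601 strings sort chronologically
        signin = next((e for e in evs if e["kind"] == "signin" and e["mfa"]), None)
        if signin is None:
            continue  # no MFA-satisfied sign-in recorded for this session
        start = datetime.fromisoformat(signin["time"])
        for ev in evs:
            delta = datetime.fromisoformat(ev["time"]) - start
            if ev["ip"] != signin["ip"] and timedelta(0) <= delta <= window:
                findings.append({"user": signin["user"], "session": session,
                                 "signin_ip": signin["ip"], "reuse_ip": ev["ip"],
                                 "seconds_after_signin": int(delta.total_seconds())})
                break  # one finding per session is enough to triage
    return findings

if __name__ == "__main__":
    for finding in find_relayed_sessions(EVENTS):
        print(finding)
```

A hit is a triage lead rather than proof of compromise, since VPN switches and mobile network changes also move a session between IP addresses.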