Security news that informs and inspires

W3LL Phishing Kit Targets Microsoft 365 Accounts


A threat group, active for six years, has created an underground marketplace where it sells at least 16 custom tools and an advanced phishing kit to a clientele of at least 500 threat actors.

Researchers have discovered a threat actor that has been developing and selling custom tools for cybercriminals to use in phishing attacks. The group’s tools were used to target more than 56,000 Microsoft 365 business email accounts from October 2022 until July 2023 - 8,000 of which were compromised.

The group, called W3LL, has created an advanced phishing kit called W3LL Panel OV6, as well as 16 other tools that help cybercriminals launch various aspects of phishing and business email compromise attacks. They are all being sold on the threat actor’s underground market called W3LL Store, which is frequented by at least 500 threat actors.

“What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost entire killchain of BEC and can be used by cybercriminals of all technical skill levels,” said Anton Ushakov, deputy head of Group-IB’s High-Tech Crime Investigation Department, Europe, in a Wednesday analysis.

In 2022, researchers came across W3LL while investigating a phishing attack against an unnamed aviation company in the Asia-Pacific region. They were then able to identify Telegram chats and other infrastructure controlled by the threat actor, which gave them further insights into its malicious activity.

“By analyzing the infrastructure and examining W3LL Store, we estimated the number of threat actors who use W3LL’s tools for BEC-focused phishing campaigns as well as the number of their potential targets together with the damages caused, which amount to hundreds of thousands, if not millions, of euros per victim,” said researchers.

“W3LL regularly updates its tools, adding new functionalities, improving anti-detection mechanisms, and creating new ones, which underlines the importance of staying up-to-date with the most recent changes in their TTPs."

Though it was only discovered last year, W3LL has been active for six years. The biggest tool in its arsenal is the W3LL Panel OV6 phishing kit, used to harvest and verify victim credentials, and obtain authenticated session cookies (via adversary-in-the-middle attacks). The kit includes a custom admin panel allowing cybercriminals to configure and manage their phishing campaigns, and anti-detection features built in like source code obfuscation and anti-bot functionalities (via a Google reCAPTCHA verification check).

“W3LL’s key weapon is a private AitM phishing kit called W3LL Panel OV6 (W3LL Panel), which allows adversaries to bypass MFA and compromise corporate email accounts all around the world,” said researchers with Group-IB. “The phishing kit was created to compromise corporate Microsoft 365 accounts specifically and includes many noteworthy implementations, which makes it one of the most advanced phishing kits in its class.”

In addition to its W3LL Panel OV6, the threat group has also sold other tools for use in phishing attacks. This includes multiple SMTP senders, which are tools used for bulk email spam that deliver phishing emails or attachments; a malicious link stager that generates the phishing links and aims to protect phishing pages from detection by filtering visitors; as well as a vulnerability scanner and reconnaissance tools.

Over the past ten months, researchers said they have identified at least 858 unique phishing websites attributed to these tools. The businesses targeted with W3LL’s tools have been located in the U.S., Europe and Australia, and are in the manufacturing, IT, financial services, consulting, healthcare, and legal services sectors.

Researchers said that by combining and selling its tools together, W3LL is enabling threat actors to run highly effective BEC phishing campaigns. Overall, developers behind phishing kits are getting better at innovating their products and making them more accessible as the demand for phishing tools continues to grow, as seen with the Greatness and Caffeine phishing services.

“W3LL regularly updates its tools, adding new functionalities, improving anti-detection mechanisms, and creating new ones, which underlines the importance of staying up-to-date with the most recent changes in their TTPs,” said researchers.