Image: Microsoft Outlook (Ed Hardie via Unsplash)

New phishing tool hijacked thousands of Microsoft business email accounts

Researchers have uncovered a hidden “phishing empire” targeting businesses in Europe, Australia and the U.S. with a sophisticated new tool.

A hacking group called W3LL, which has been active since at least 2017, has created an English-language underground marketplace to sell a phishing kit that can bypass multi-factor authentication, according to a report by cybersecurity firm Group-IB.

Their targeted buyers are "criminals of all skill levels" who want to engage in business email compromise (BEC) attacks, which involve defrauding a company through messages that appear to be official.

The W3LL kit was specifically designed to hack corporate Microsoft 365 accounts and is “one of the most efficient and sophisticated tools in its niche,” the researchers said. The toolkit gets around multi-factor authentication by positioning itself between the victim and Microsoft’s sign-in page in an adversary-in-the-middle setup, Group-IB said: the victim completes the real login, including the MFA prompt, through the attacker’s proxy, which allows the attackers to intercept the resulting session cookie and reuse it without needing the password or a second factor again.
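Because the victim really does pass MFA, the useful defender signal is not the login itself but what happens to the session afterwards: the stolen cookie is replayed from the attacker’s infrastructure shortly after the MFA-satisfied sign-in. The following script is an added example (not from the article, Group-IB or W3LL) that runs that check over a handful of constructed sign-in records. The field names (`user`, `session_id`, `ip`, `asn`, `ts`, `mfa`, `app`) are a simplified, hypothetical schema, not Microsoft’s actual log format, and the IP addresses and ASNs are documentation values.

```python
"""Flag possible session-cookie replay after an MFA-satisfied sign-in.

Added example, not code from the article or from Group-IB's report.
The log schema below is an assumption: a simplified stand-in for
tenant sign-in telemetry. The records are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical schema, not real logs).
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "session_id": "S1", "ip": "203.0.113.10",
     "asn": 64500, "ts": "2023-07-01T09:00:00", "mfa": "success",
     "app": "Exchange Online"},
    # Same session cookie, minutes later, from a different network and with
    # no fresh MFA: the pattern a replayed AitM-stolen cookie leaves behind.
    {"user": "alice@example.com", "session_id": "S1", "ip": "198.51.100.77",
     "asn": 64510, "ts": "2023-07-01T09:07:00", "mfa": "not_required",
     "app": "Exchange Online"},
    # Benign: same session reused from the same network (normal token refresh).
    {"user": "bob@example.com", "session_id": "S2", "ip": "203.0.113.11",
     "asn": 64500, "ts": "2023-07-01T10:00:00", "mfa": "success",
     "app": "Teams"},
    {"user": "bob@example.com", "session_id": "S2", "ip": "203.0.113.11",
     "asn": 64500, "ts": "2023-07-01T11:30:00", "mfa": "not_required",
     "app": "Teams"},
]


def find_session_replays(events, window=timedelta(hours=1)):
    """Return one alert per session whose cookie was reused from a different
    ASN, without a new MFA challenge, within `window` of the MFA-satisfied
    sign-in. Each alert is a dict; an empty list means nothing was flagged."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session_id"]].append(event)

    alerts = []
    for session_id, session_events in by_session.items():
        # ISO-8601 timestamps sort correctly as strings.
        session_events.sort(key=lambda e: e["ts"])
        anchor = next((e for e in session_events if e["mfa"] == "success"), None)
        if anchor is None:
            continue  # no MFA-satisfied sign-in to anchor the check on
        t_anchor = datetime.fromisoformat(anchor["ts"])
        for later in session_events:
            t_later = datetime.fromisoformat(later["ts"])
            if t_later <= t_anchor or later["mfa"] == "success":
                continue  # only unchallenged reuse after the MFA login matters
            if later["asn"] != anchor["asn"] and t_later - t_anchor <= window:
                alerts.append({
                    "session_id": session_id,
                    "user": later["user"],
                    "mfa_ip": anchor["ip"],
                    "replay_ip": later["ip"],
                    "minutes_after_mfa": int((t_later - t_anchor).total_seconds() // 60),
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_SIGNINS):
        print(alert)
```

The ASN comparison, rather than a raw IP comparison, is deliberate: mobile and corporate egress addresses change within one network, but a cookie minted for a user on one provider and presented minutes later from an unrelated hosting ASN is the shape of a replayed session. The same check can be run against exported sign-in logs once their field names are mapped onto this schema.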

Microsoft 365 includes Outlook email services and other software like Word, Excel, PowerPoint and Teams. It is used by more than 345 million people in 150 countries. The FBI continues to warn about BEC scams affecting all types of corporate email systems.

From October of last year to July of this year, W3LL's phishing tools were employed to target over 56,000 corporate Microsoft 365 accounts, with at least 8,000 of them successfully compromised, Group-IB said.

The actual number of victims and the final impact could be even more far-reaching, the report said.

W3LL primarily targets manufacturing, IT, finance, consulting, healthcare and legal services in the U.S., Australia, the U.K., and several European countries.

According to Group-IB’s rough estimates, the W3LL Store’s revenue for the last 10 months may have reached $500,000.

The developers sell a three-month phishing kit subscription for $500, with an additional $150 monthly fee. Buyers must not only get the kit but also purchase a license to make it work.

Aside from its primary phishing tool, W3LL offers a range of other items for sale, including compromised email accounts, lists of victim emails, access to compromised servers and websites, custom phishing lures, and VPN accounts.

By combining these tools, threat actors could easily run complex and highly effective phishing campaigns on a large scale, the researchers said.

Over the past 10 months, Group-IB has identified almost 900 unique phishing websites that can be attributed to W3LL tools. Around 500 individual threat actors are currently using W3LL tools.

In order to use the kit, buyers must validate each phishing page with a unique token. This keeps the tool in check and prevents unauthorized resale by other vendors, according to the report.

After hacking a target, cybercriminals can benefit from the attack in several ways. This includes data theft, carrying out fake invoice scams, or spreading malware using the compromised email.

No matter which scheme they opt for, a company that has experienced such an attack may face consequences like financial losses, data breaches, harm to their reputation, demands for compensation, and possibly even lawsuits, the researchers said.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.