Dive Brief:
- A business email compromise phishing kit compromised at least 8,000 corporate Microsoft 365 accounts during the last 10 months, Singapore-based cybersecurity provider Group-IB said Wednesday.
- W3LL, a referral-based dark web marketplace, sells multiple phishing tools and custom phishing kits that bypass multifactor authentication and specifically target Microsoft 365 business accounts, the researchers said. The store has more than 500 active users.
- Threat actors used the phishing tools to target more than 56,000 corporate Microsoft 365 accounts in the U.S., Australia and Europe from last October through July, according to Group-IB. Microsoft did respond to a request for comment.
Dive Insight:
A readily available phishing kit that bypasses MFA and targets Microsoft 365 business accounts — and boasts a 14% success rate per attack — underscores the vibrant cybercriminal market feeding threat actors’ BEC campaigns.
W3LL Panel is a major weapon and “one of the most advanced phishing kits in class, featuring adversary-in-the-middle functionality, API, source code protection and other unique capabilities,” Group-IB researchers said in the report.
Adversary-in-the-middle phishing techniques proliferate and advance the capabilities of the phishing as a service ecosystem, Microsoft Threat Intelligence said in a post last week on X, the platform formerly known as Twitter.
“This development in the [phishing as a service] ecosystem enables attackers to conduct high-volume phishing campaigns that attempt to circumvent MFA protections at scale,” Microsoft Threat Intelligence said in the thread on X.
The W3LL Panel phishing kit can be combined with 16 additional and fully integrated custom tools that enable threat actors to initiate BEC attacks, according to Group-IB.
“Phishing campaigns involving W3LL tools are highly persuasive and usually involve several W3LL-developed instruments that cover almost the entire kill chain of BEC attacks, all the while providing a high level of automation and scalability,” the researchers said.
Threat actors could use compromised access to steal data, send fake invoices, impersonate account owners or distribute malware, the researchers warned.
More than half of the organizations targeted by the BEC campaigns observed by Group-IB are based in the U.S. Organizations in manufacturing, IT, financial services, consulting, healthcare and legal services were the most frequently targeted, according to Group-IB.
“The tools provided even demonstrate that, although useful, MFA is not a silver bullet when it comes to account takeovers due to credential theft,” Erich Kron, security awareness advocate at KnowBe4, said via email.
“When MFA bypasses are part of a standard fare being offered to lower-level cybercriminals, it shows that the technology is limited in its defense,” Kron said.