Skip to main content
close search
site logo
Dive Brief

BEC phishing kit hits thousands of Microsoft 365 business accounts

Threat actors used the W3LL phishing kit to target more than 56,000 accounts, ultimately compromising 14% of them since last October, Group-IB found.

Published Sept. 7, 2023
Matt Kapko's headshot
Senior Reporter
A signage of Microsoft in New York City
Jeenah Moon/Getty Images via Getty Images

Dive Brief:

  • A business email compromise phishing kit compromised at least 8,000 corporate Microsoft 365 accounts during the last 10 months, Singapore-based cybersecurity provider Group-IB said Wednesday.
  • W3LL, a referral-based dark web marketplace, sells multiple phishing tools and custom phishing kits that bypass multifactor authentication and specifically target Microsoft 365 business accounts, the researchers said. The store has more than 500 active users.
  • Threat actors used the phishing tools to target more than 56,000 corporate Microsoft 365 accounts in the U.S., Australia and Europe from last October through July, according to Group-IB. Microsoft did respond to a request for comment.

Dive Insight:

A readily available phishing kit that bypasses MFA and targets Microsoft 365 business accounts — and boasts a 14% success rate per attack —  underscores the vibrant cybercriminal market feeding threat actors’ BEC campaigns.

W3LL Panel is a major weapon and “one of the most advanced phishing kits in class, featuring adversary-in-the-middle functionality, API, source code protection and other unique capabilities,” Group-IB researchers said in the report.

Adversary-in-the-middle phishing techniques proliferate and advance the capabilities of the phishing as a service ecosystem, Microsoft Threat Intelligence said in a post last week on X, the platform formerly known as Twitter.

“This development in the [phishing as a service] ecosystem enables attackers to conduct high-volume phishing campaigns that attempt to circumvent MFA protections at scale,” Microsoft Threat Intelligence said in the thread on X.

The W3LL Panel phishing kit can be combined with 16 additional and fully integrated custom tools that enable threat actors to initiate BEC attacks, according to Group-IB.

“Phishing campaigns involving W3LL tools are highly persuasive and usually involve several W3LL-developed instruments that cover almost the entire killchain of BEC attacks, all the while providing a high level of automation and scalability,” the researchers said.

Threat actors could use compromised access to steal data, send fake invoices, impersonate account owners or distribute malware, the researchers warned.

More than half of the organizations targeted by the BEC campaigns observed by Group-IB are based in the U.S. Organizations in manufacturing, IT, financial services, consulting, healthcare and legal services were the most frequently targeted, according to Group-IB.

“The tools provided even demonstrate that, although useful, MFA is not a silver bullet when it comes to account takeovers due to credential theft,” Erich Kron, security awareness advocate at KnowBe4, said via email.

“When MFA bypasses are part of a standard fare being offered to lower-level cybercriminals, it shows that the technology is limited in its defense,” Kron said.

Filed Under: Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Cyberattacks
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell