Researchers identify high-grade phishing kits attacking nearly 60,000 Microsoft 365 accounts

A cybercrime group developed and sold phishing software that attackers deployed over the past 10 months in attempts to compromise an estimated 56,000 Microsoft 365 accounts, researchers with Group-IB said Wednesday.

The previously undocumented group that Group-IB identified as “W3LL” has been active since 2017 and has “created their own private ecosystem of highly effective phishing tools for compromising corporate email accounts,” the researchers said in a sprawling report.

It appears that hackers successfully compromised roughly 8,000 of the corporate Microsoft email accounts using the phishing kits, the researchers found. Group-IB notified all relevant law enforcement agencies of its findings, the company said.

W3LL also generated at least $500,000 in sales of their cybercrime toolkit. The group’s marketplace, the “W3LL Store,” brings “together a closed community of threat actors who buy and use W3LL tools to compromise corporate email accounts and carry out [business email compromise] attacks,” the researchers said.

Business email compromise, or BEC, scams is a costly and all-too-common type of fraud in which cybercriminals attempt to trick victims into sending money or divulging confidential corporate information. It’s consistently one of the most lucrative forms of cybercrime, even if it doesn’t get nearly as much attention as ransomware. These scams topped $2.7 billion in losses in 2022, according to the FBI’s 2022 internet crime report. BEC “exposed dollar losses” — which includes actual and attempted losses, according to the FBI — topped $43.3 billion worldwide between October 2013 and December 2021, the FBI said in May 2022.

Group-IB researchers detailed W3LL’s 16 “fully customized tools entirely compatible with each other,” according to the report, with the analysis of the group’s Telegram chats and the digital infrastructure associated with the group’s phishing campaigns.

“By analyzing the infrastructure and examining W3LL Store, we estimated the number of threat actors who use W3LL’s tools for BEC-focused phishing campaigns as well as the number of their potential targets together with the damages caused, which amount to hundreds of thousands, if not millions, of euros per victim,” the researchers said.

The analysis identified at least 858 unique phishing websites connected to W3LL tools. Most of the targets are in the U.S., U.K., Australia, Germany, France, Italy, Switzerland and the Netherlands and span multiple industries, including manufacturing, IT, financial services healthcare and others.

Attackers using the tools benefit from successful compromises in a variety of ways, the researchers said, including data theft, fake invoice scams, email owner impersonation or by using the business email for further malware distribution.

The W3LL Store “offers managed phishing solutions for criminals of any level of skill who want to carry out BEC phishing campaigns: compromised email accounts, lists of victim emails, access to compromised servers and websites, custom phishing lures, VPN accounts, phishing kits, and more,” the researchers said.

To use the W3LL marketplace, existing users must refer new customers. Then, they need to sign up for a three-month subscription for $500 and renew for $150 per month after that. One of the main tools for managing attacks, the W3LL Panel, requires attackers to authenticate each deployed phishing page through the panel, which then generates a unique token, according to the research, or the phishing page will not work. This tactic is likely to prevent vendors from reselling the phishing kit and related items such as other tools and lists of business domaines, the researchers speculated.

“W3LL Store is a hidden underground marketplace offering managed phishing solutions for cybercriminals of any level of skill who want to conduct BEC phishing campaigns,” the researchers concluded. The sophistication of the tools and their extensive interoperability lower the bar to entry, so “cybercriminals can start and manage their phishing campaigns and stock up in W3LL Store alone, which makes it a phishing ecosystem for cybercriminals of all levels.”