Phishing Group Targets Thousands of Microsoft 365 Accounts

A black market called "W3LL Store" provided threat actors with all the tools they needed to pull off targeted attacks.

Information on a well-organized phishing ring targeting Microsoft 365 corporate accounts came to light this week.

Security firm Group-IB released a report detailing a years-long investigation into a cyber threat group that had built an underground market called "W3LL Store" to sell custom phishing kits to a closed community of online thieves.

The main tool sold on the black market was "W3LL Panel," a custom phishing kit built to bypass multifactor authentication protections, bundled with tools for carrying out business email compromise (BEC) attacks. Group-IB estimates that the custom tools were used to target more than 56,000 Microsoft 365 accounts between October 2022 and July 2023, and that the W3LL Store generated over $500,000 in sales during that period.

"The most often targeted industries are manufacturing, IT, financial services, consulting, healthcare and legal services," read the report. "After compromising a target, threat actors may employ various scenarios to benefit from the attack: data theft, fake invoice scam, email owner impersonation or use the business email for malware distribution."

The firm said that its security team, while monitoring the malicious activity, found that 8,000 Microsoft 365 accounts were successfully infiltrated. However, the "actual number of victims and the final impact could be even more far-reaching."

In Group-IB's breakdown of how the threat actors used the custom phishing tools, every attack followed a similar pattern. First, the attacker obtained a list of potential victims' email addresses and ran it through the W3LL custom email validator tool. Once the list had been verified, the attacker used additional tools obtained from the W3LL Store, including phishing kits and link stagers, to build the phishing lure, typically a malicious email containing harmful links or attachments.

"Once the victim has downloaded and accessed an attachment, a new blank browser window opens with a genuine-looking MS Outlook animation designed to make the victim think that the action is legitimate," said Group-IB. "What the phishing attachment actually does is load a W3LL Panel phishing page in the newly opened window."

The phishing toolkit then employs a technique called Adversary-in-the-Middle (AitM) to collect both the victim's login credentials and the authenticated session cookie issued after sign-in. Once that data is captured, an attacker can access the victim's mailbox either with the stolen credentials or by replaying the authenticated session cookie, which avoids a fresh MFA prompt.

With access to the mailbox, the attacker can then conduct further attacks, including data theft, professional service impersonation, malware distribution or VIP fraud.

"Regardless of the scheme chosen by the threat actors, the overall impact on a company that has suffered a BEC attack can include financial loss (from several thousand up to several million euros), data leaks, reputational damage, claims for compensation and even lawsuits."

To limit the risk to enterprises from W3LL Panel users and other phishing campaigns, Group-IB recommends that IT teams harden their security by implementing FIDO2 authentication, enforcing stricter access policies (including IP allowlisting of trusted devices), deploying additional email protection solutions and reviewing key security procedures and policies with employees.
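The two controls above that leave a trace in sign-in telemetry are session-cookie replay (the AitM step) and sign-ins from outside the trusted IP ranges. The following script is an added example, not code from Group-IB or Microsoft, showing how a defender can hunt for both in exported sign-in records. It assumes a simplified, hypothetical record schema (`user`, `time`, `ip`, `session_id`, `mfa`, `result`) loosely modelled on Entra ID sign-in logs; the sample log lines, the trusted network `203.0.113.0/24` and the session IDs are all constructed for the demonstration.

```python
"""Hunt for AitM-style session replay and untrusted-network sign-ins.

Added example with a constructed record schema; adapt the field names to
whatever your sign-in export actually provides. All IPs are documentation
ranges and every record below is invented.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Constructed allowlist standing in for the "trusted devices" IP policy.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed JSON Lines sample: alice's session S1 is first established with
# MFA from the office range, then reused minutes later from an unrelated IP
# without MFA, which is what a replayed stolen cookie looks like in the logs.
SAMPLE_LOG = """\
{"user": "alice@example.com", "time": "2023-07-10T08:00:00Z", "ip": "203.0.113.10", "session_id": "S1", "mfa": true, "result": "success"}
{"user": "alice@example.com", "time": "2023-07-10T08:07:00Z", "ip": "198.51.100.25", "session_id": "S1", "mfa": false, "result": "success"}
{"user": "bob@example.com", "time": "2023-07-10T09:00:00Z", "ip": "203.0.113.11", "session_id": "S2", "mfa": true, "result": "success"}
{"user": "bob@example.com", "time": "2023-07-10T17:30:00Z", "ip": "203.0.113.11", "session_id": "S2", "mfa": false, "result": "success"}
{"user": "carol@example.com", "time": "2023-07-10T10:00:00Z", "ip": "192.0.2.77", "session_id": "S3", "mfa": true, "result": "success"}
"""


def parse_log(text):
    """Parse JSON Lines into dicts, converting the timestamp to a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def is_trusted(ip):
    """True if the address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_session_replays(records):
    """Flag a session ID that was established with MFA and later reused for a
    successful sign-in from a different IP without MFA. A legitimate browser
    keeps presenting its cookie from the same place; a cookie captured by an
    AitM proxy shows up from wherever the attacker replays it."""
    by_session = defaultdict(list)
    for rec in records:
        if rec["result"] == "success":
            by_session[rec["session_id"]].append(rec)

    findings = []
    for session_id, events in by_session.items():
        events.sort(key=lambda r: r["time"])
        origin = next((e for e in events if e["mfa"]), None)
        if origin is None:
            continue  # no MFA-backed origin to compare against
        for later in events:
            if (later["time"] > origin["time"]
                    and later["ip"] != origin["ip"]
                    and not later["mfa"]):
                findings.append({
                    "user": later["user"],
                    "session_id": session_id,
                    "origin_ip": origin["ip"],
                    "replay_ip": later["ip"],
                    "minutes_after": int((later["time"] - origin["time"]).total_seconds() // 60),
                })
    return findings


def find_untrusted_signins(records):
    """Successful sign-ins from outside the allowlisted networks, which a
    strict IP-based access policy would have blocked outright."""
    return [r for r in records
            if r["result"] == "success" and not is_trusted(r["ip"])]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in find_session_replays(recs):
        print("possible cookie replay:", f)
    for r in find_untrusted_signins(recs):
        print("untrusted-network sign-in:", r["user"], r["ip"])
```

Run against the sample, the replay check reports only alice's session (bob reuses his cookie from the same office IP and is not flagged), while the allowlist check reports alice's second sign-in and carol's, showing why Group-IB pairs phishing-resistant MFA with network restrictions: the former stops the cookie from being minted for the attacker, the latter stops it from being usable elsewhere.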

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
