

A new report from cybersecurity services company Group-IB Global Pvt. Ltd. warns of a largely unknown threat actor that is running a “phishing empire” targeting Microsoft 365 accounts.
The group, called “W3LL,” runs a hidden underground market known as the W3LL Store that serves a closed community of at least 500 threat actors. On the store, the group sells a custom phishing kit called the W3LL Panel that is designed to bypass multifactor authentication, as well as 16 other customized tools for business email compromise, or BEC, attacks.
After finding the group and its tools, Group-IB’s researchers were then able to estimate that the tools had been used to target more than 56,000 corporate Microsoft 365 email accounts in the U.S., Australia and Europe between October 2022 and July 2023. Selling hacking tools is also a fairly lucrative business, with the researchers estimating that the W3LL Store’s turnover in the last 10 months was about $500,000.
Though it’s detailing the store only now, the Group-IB report notes that the threat actor is believed to have been around since 2017, starting with the launch of the W3LL SMTP sender, a custom tool for bulk email spam. The development of a phishing kit for targeting corporate Microsoft 365 accounts came later.
The Microsoft 365 phishing kit’s popularity led the group to launch its covert English-speaking underground marketplace in 2018. Over time, the marketplace has evolved into a self-sufficient BEC ecosystem offering a full spectrum of phishing services, including custom phishing tools and additional items such as mailing lists and access to compromised servers.
As of August, some of the tools in the store included SMTP senders PunnySender and W3LL Sender, a malicious link stager known as W3LL Redirect, a vulnerability scanner named OKELO and an automated account discovery instrument called CONTOOL.
“The W3LL phishing kit and the details of its business model signal the smoke before the coming wildfire of adversary-in-the-middle proxy attacks,” Pyry Åvist, co-founder and chief technology officer at enterprise security awareness solutions provider Hoxhunt Ltd., told SiliconANGLE. “AiTMs are the future of phishing because they’re extremely effective, hard to identify and detect and, most concerning, they are becoming easier to use.”
Åvist noted that because AiTMs are designed to bypass MFA, they have the potential to reduce the standalone effectiveness of MFA significantly.
“Such detailed insights into the W3LL phishing-as-a-service model help us understand what we’re up against — a sophisticated criminal organization that operates like a business,” Åvist added. “Sometimes we forget that cybercrime is a multibillion-dollar industry, whose economics dictate most threat actors’ activities.”