{"id":1666,"date":"2023-09-06T08:00:00","date_gmt":"2023-09-06T08:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=76852"},"modified":"2023-09-06T08:00:00","modified_gmt":"2023-09-06T08:00:00","slug":"researchers-identify-high-grade-phishing-kits-attacking-nearly-60000-microsoft-365-accounts","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/09\/06\/researchers-identify-high-grade-phishing-kits-attacking-nearly-60000-microsoft-365-accounts\/","title":{"rendered":"Researchers identify high-grade phishing kits attacking nearly 60,000 Microsoft 365 accounts"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v20.5 (Yoast SEO v20.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Researchers identify high-grade phishing kits attacking nearly 60,000 Microsoft 365 accounts | CyberScoop<\/title> <meta name=\"description\" content=\"Hackers compromised roughly 8,000 of those accounts with tools a cybercrime group known as W3LL sold through its underground marketplace.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/phishing-w3ll-microsoft-365-fraud\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Researchers identify high-grade phishing kits attacking nearly 60,000 Microsoft 365 accounts\"> <meta property=\"og:description\" content=\"Hackers compromised roughly 8,000 of those accounts with tools a cybercrime group known as W3LL sold through its underground marketplace.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/phishing-w3ll-microsoft-365-fraud\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" 
content=\"2023-09-06T08:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2023-09-05T21:04:40+00:00\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/researchers-identify-high-grade-phishing-kits-attacking-nearly-60000-microsoft-365-accounts-1.jpg\"> <meta name=\"twitter:creator\" content=\"@AJVicens\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/cdn.parsely.com\">\n<link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-0\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1693959706g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-4\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1693499496g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1693525727g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=7af46db108fbc62fdcc9\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/76852\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" 
href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.3.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=76852\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fphishing-w3ll-microsoft-365-fraud%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fphishing-w3ll-microsoft-365-fraud%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-76852 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/phishing-w3ll-microsoft-365-fraud\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close 
js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.323529411765\">\n<div class=\"single-article__header-content\" readability=\"31.667870036101\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/threats\/cybercrime\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> Hackers compromised roughly 8,000 of those accounts with tools that a cybercrime group known as W3LL sold through its underground marketplace. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/researchers-identify-high-grade-phishing-kits-attacking-nearly-60000-microsoft-365-accounts.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/researchers-identify-high-grade-phishing-kits-attacking-nearly-60000-microsoft-365-accounts-1.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/researchers-identify-high-grade-phishing-kits-attacking-nearly-60000-microsoft-365-accounts-1.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/researchers-identify-high-grade-phishing-kits-attacking-nearly-60000-microsoft-365-accounts-1.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/researchers-identify-high-grade-phishing-kits-attacking-nearly-60000-microsoft-365-accounts-1.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/researchers-identify-high-grade-phishing-kits-attacking-nearly-60000-microsoft-365-accounts-1.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/researchers-identify-high-grade-phishing-kits-attacking-nearly-60000-microsoft-365-accounts-1.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/researchers-identify-high-grade-phishing-kits-attacking-nearly-60000-microsoft-365-accounts-1.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/researchers-identify-high-grade-phishing-kits-attacking-nearly-60000-microsoft-365-accounts-1.jpg?resize=506,337 506w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/researchers-identify-high-grade-phishing-kits-attacking-nearly-60000-microsoft-365-accounts-1.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/researchers-identify-high-grade-phishing-kits-attacking-nearly-60000-microsoft-365-accounts-1.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (SEAN GLADWELL\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"52.919271418934\"><body readability=\"106.24493641074\"><\/p>\n<p>A cybercrime group developed and sold phishing software that attackers deployed over the past 10 months in attempts to compromise an estimated 56,000 Microsoft 365 accounts, researchers with Group-IB said Wednesday.<\/p>\n<p>The previously undocumented group that Group-IB identified as \u201cW3LL\u201d has been active since 2017 and has \u201ccreated their own private ecosystem of highly effective phishing tools for compromising corporate email accounts,\u201d the researchers said in <a href=\"https:\/\/www.group-ib.com\/resources\/research-hub\/w3ll-phishing\/?utm_source=press_release&amp;utm_campaign=w3ll-report&amp;utm_medium=organic\">a sprawling report<\/a>. <\/p>\n<p>It appears that hackers successfully compromised roughly 8,000 of the corporate Microsoft email accounts using the phishing kits, the researchers found. Group-IB notified all relevant law enforcement agencies of its findings, the company said.<\/p>\n<p>W3LL also generated at least $500,000 in sales of their cybercrime toolkit. 
The group\u2019s marketplace, the \u201cW3LL Store,\u201d brings \u201ctogether a closed community of threat actors who buy and use W3LL tools to compromise corporate email accounts and carry out [business email compromise] attacks,\u201d the researchers said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Business email compromise, or BEC, scams are a costly and all-too-common type of fraud in which cybercriminals attempt to trick victims into sending money or divulging confidential corporate information. It\u2019s consistently one of the most lucrative forms of cybercrime, even if it doesn\u2019t get nearly as much attention as ransomware. These scams topped $2.7 billion in losses in 2022, according to the <a href=\"https:\/\/www.ic3.gov\/Media\/PDF\/AnnualReport\/2022_IC3Report.pdf\">FBI\u2019s 2022 internet crime<\/a> report. BEC \u201cexposed dollar losses\u201d \u2014&nbsp;which include actual and attempted losses, according to the FBI \u2014&nbsp;topped $43.3 billion worldwide between October 2013 and December 2021, <a href=\"https:\/\/www.ic3.gov\/Media\/Y2022\/PSA220504\">the FBI said in May 2022<\/a>.<\/p>\n<p>Group-IB researchers detailed W3LL\u2019s 16 \u201cfully customized tools entirely compatible with each other,\u201d according to the report, with the analysis of the group\u2019s Telegram chats and the digital infrastructure associated with the group\u2019s phishing campaigns. <\/p>\n<p>\u201cBy analyzing the infrastructure and examining W3LL Store, we estimated the number of threat actors who use W3LL\u2019s tools for BEC-focused phishing campaigns as well as the number of their potential targets together with the damages caused, which amount to hundreds of thousands, if not millions, of euros per victim,\u201d the researchers said.<\/p>\n<p>The analysis identified at least 858 unique phishing websites connected to W3LL tools. 
Most of the targets are in the U.S., U.K., Australia, Germany, France, Italy, Switzerland and the Netherlands and span multiple industries, including manufacturing, IT, financial services, healthcare and others. <\/p>\n<p>Attackers using the tools benefit from successful compromises in a variety of ways, the researchers said, including data theft, fake invoice scams, email owner impersonation or by using the business email for further malware distribution. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The W3LL Store \u201coffers managed phishing solutions for criminals of any level of skill who want to carry out BEC phishing campaigns: compromised email accounts, lists of victim emails, access to compromised servers and websites, custom phishing lures, VPN accounts, phishing kits, and more,\u201d the researchers said.<\/p>\n<p>To use the W3LL marketplace, new customers must be referred by existing users. Then, they need to sign up for a three-month subscription for $500 and renew for $150 per month after that. One of the main tools for managing attacks, the W3LL Panel, requires attackers to authenticate each deployed phishing page through the panel, which then generates a unique token, according to the research, or the phishing page will not work. This tactic is likely meant to prevent vendors from reselling the phishing kit and related items such as other tools and lists of business domains, the researchers speculated.<\/p>\n<p>\u201cW3LL Store is a hidden underground marketplace offering managed phishing solutions for cybercriminals of any level of skill who want to conduct BEC phishing campaigns,\u201d the researchers concluded. 
The sophistication of the tools and their extensive interoperability lower the bar to entry, so \u201ccybercriminals can start and manage their phishing campaigns and stock up in W3LL Store alone, which makes it a phishing ecosystem for cybercriminals of all levels.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.35\">\n<div class=\"author-card\" readability=\"8\">\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 
class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/phishing-w3ll-microsoft-365-fraud\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers identify high-grade phishing kits attacking nearly 60,000 Microsoft 365<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,781,60,908],"tags":[286,786,67,909],"class_list":["post-1666","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-group-ib","category-phishing","category-w3ll","tag-cybercrime","tag-group-ib","tag-phishing","tag-w3ll"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/group-ib\/\" 
rel=\"category tag\">Group-IB<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/phishing\/\" rel=\"category tag\">phishing<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/w3ll\/\" rel=\"category tag\">W3LL<\/a>","tag_info":"W3LL","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1666","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1666"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1666\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1666"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1666"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1666"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}