W3LL behind phishing attack on over 56,000 Microsoft 365 business accounts: Group-IB

Group-IB, a global cybersecurity leader headquartered in Singapore, has uncovered that a company named W3ll has played a major role in compromising Microsoft 365 business email accounts over the past six years.

In a new threat report "W3LL Done: Hidden Phishing Ecosystem Driving BEC Attacks" published on Wednesday (6 September), Group-IB details the operations of W3LL, a threat actor behind a phishing empire that has remained largely unknown until now.

The threat actor created a hidden underground market, named W3LL Store, that served a closed community of at least 500 threat actors who could purchase a custom phishing kit called W3LL Panel, designed to bypass MFA, as well as 16 other fully customised tools for business email compromise (BEC) attacks, reads the report.

Group-IB's Threat Intelligence and Cyber Investigations teams identified that W3LL's phishing tools were used to target over 56,000 corporate Microsoft 365 accounts in the USA, Australia, and Europe between October 2022 and July 2023.

All the information collected by Group-IB's cyber investigators about W3LL has been shared with relevant law enforcement organisations.

The report also traced W3LL's cybercriminal career back to 2017 when they entered the market with W3LL SMTP Sender – a custom tool for bulk email spam. Later, W3LL developed and started selling their version of a phishing kit for targeting corporate Microsoft 365 accounts.

The growing popularity of the convenient toolset prompted the threat actor to venture into opening a covert English-speaking underground marketplace. The W3LL store began operations in 2018. Over time, the platform evolved into a fully sufficient BEC ecosystem offering an entire spectrum of phishing services for cybercriminals of all levels, from custom phishing tools to supplementary items such as mailing lists and access to compromised servers.

W3LL Store provides "customer support" through a ticketing system and live webchat. Cybercriminals who do not have the skills required to leverage the tools can watch video tutorials. W3LL Store has its own referral bonus program (with a 10% commission on referrals) and a reseller program (with a 70/30 split on the profits made by third-party vendors from selling on W3LL Store).

At present, the W3LL store has more than 500 active users. To become a W3LL store customer, newcomers need to be referred by existing members. New users have 3 days to make a deposit to their balance, otherwise their account will be deactivated. The developer does not advertise the W3LL store and asks their customers to refrain from spreading the word about it online. Group-IB identified over 3,800 items sold via the marketplace between October 2022 and July 2023. Over 12,000 items are currently on sale. W3LL's Store's turnover for the last 10 months was estimated to be $500,000.