The W3LL threat group has played a major role in compromising Microsoft 365 business email accounts for the past six years, according to new research.
In a blog post Sept. 6, Group-IB researchers reported that a mostly hidden underground market named W3LL Store served a closed community of at least 500 threat actors who could purchase a custom phishing kit called a W3LL Panel. The kit was designed to bypass multi-factor authentication (MFA) and also contained 16 other fully customized tools for business email compromise (BEC) attacks.
Group-IB researchers said that W3LL’s phishing tools were used to target more than 56,000 corporate Microsoft 365 accounts in the United States, Australia, and Europe between October 2022 and July 2023. Based on Group-IB’s rough estimates W3LL Store’s turnover for the last 10 months alone may have reached $500,000.
W3LL’s cybercriminal career was traced back to 2017, when it entered the market with W3LL SMTP Sender, a custom tool for bulk email spam. The W3LL Store opened in 2018.
In Wednesday’s blog, the Group-IB researchers outline just how organized this operation has become. It runs like a mainstream business: W3LL Store offers “customer support” through a ticketing system and live webchat. Cybercriminals who do not have the skills required to leverage the tools can watch video tutorials just like customers can for demos on legitimate products. And, W3LL Store has its own referral bonus program with a 10% commission on referrals and a reseller program with a 70-30 split on the profits made by third-party vendors from selling on W3LL Store, said Group-IB researchers.
The W3LL phishing kit, and the details of its business model, signal the smoke before the coming wildfire of adversary-in-the-middle (AiTM) proxy attacks, explained Pyry Avist, co-founder and CTO at Hoxhunt. Avist said these AiTMs are the future of phishing because they’re extremely effective, hard to identify and detect and, most concerning, they are becoming easier to use.
Humans still targeted in world of automation, AI
“AiTMs are designed to bypass MFA, and if proxy attacks like W3LL and EvilProxy become the norm, they’ll reduce the standalone effectiveness of MFA significantly,” said Avist. “Proxy attacks work by using a proxy server to intercept and modify traffic between the user and a legitimate website, so the attack itself can look and feel like a totally authentic experience.
Avist said while not impossible to spot and prevent, proxy attacks such as W3LL and EvilProxy require a well-trained workforce to serve as a lighthouse. Move past old-school security analysis tools and adopt a dynamic security behavior change program that focuses on accelerated phishing detection and response, Avist advised.
“As these targeted proxy attacks are designed to bypass email filters and MFA, more responsibility shifts to end users to be part of the citizen cyber-watch,” said Avist. “MFA is still very effective, but as threat actors get more advanced, organizations must respond proactively.”
Ken Westin, Field CISO at Panther Labs, said the Group-IB research pointed out that even in a world of automation, artificial intelligence and technology, the human still remains an important target for attackers. Westin said at the crux of BEC is deception: the ability to convince individuals that requests for money whether from a vendor, partner, or customer are real.
“When cybercriminals make money with a particular scheme it becomes a gold rush, and with any gold rush there’s a need to build a community and supply chain for tools, data and other resources,” said Westin. “I believe this is what we are seeing with the W3LL where we see tool frameworks and procedures being developed similar to what we have seen with ransomware groups, they are selling pick axes in a gold rush, decreasing the barrier to entry from a technical level and monetizing a very lucrative attack vector.”
Patrick Harr, chief executive officer at SlashNext, added that on any given day there are tens of thousands of BEC phishing emails in their threat databases that have bypassed other security tools, including Microsoft. Harr said many organizations do not have the security tools to detect BEC phishing attacks, and that’s why it’s a very lucrative business for cybercriminals, including this covert W3LL actor.
“Now with malicious chatbot tools, these types of BEC attacks are expected to grow in the coming year,” Harr said. “It’s important to invest in cybersecurity tools that use automation, machine learning, relationship graphs, and generative AI to quickly detect, predict and top BEC, as well as, spear-phishing which is typically the start of Microsoft 365 attack chain.”
