The W3LL Store is a hidden underground market that sells a custom phishing kit called W3LL Panel, designed to bypass multi-factor authentication (MFA) and compromise Microsoft 365 accounts. The W3LL Store is operated by a threat actor who has been active since 2017 and has developed various tools for bulk email spam and business email compromise (BEC) attacks.
According to a report by Group-IB, a cybersecurity company, the W3LL Store has served a closed community of at least 500 threat actors who have targeted more than 56,000 corporate Microsoft 365 accounts in 10 countries between October 2022 and July 2023. The phishing infrastructure is estimated to have netted its operators $500,000 in illicit profits.
The W3LL Panel is one of the most advanced phishing kits in its class, featuring adversary-in-the-middle functionality, an API, source code protection, and other unique capabilities. Rather than offering a variety of fake pages, the W3LL Panel was designed specifically to compromise Microsoft 365 accounts.
The W3LL Panel works by sending phishing emails or messages with malicious links or attachments to the potential victims. The links or attachments lead to a phishing landing page that mimics the Microsoft 365 login page. However, unlike typical phishing pages, the W3LL Panel uses an adversary-in-the-middle (AiTM) technique to siphon the credentials and session cookies of the victims in real time, without raising any suspicion or triggering MFA.
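As an added example (not from Group-IB's report or the original article), one way a defender can look for the session-cookie reuse that AiTM phishing depends on is to flag any session later used from a different IP than the one where MFA was satisfied. The event schema, field names and sample log lines below are constructed assumptions, not a real Microsoft 365 log format.

```python
import json

# Constructed sample events in a hypothetical normalized schema (assumption:
# not a real Microsoft 365 log format). IPs come from documentation ranges.
SAMPLE_LOG = """\
{"ts": "2023-07-01T09:00:05Z", "user": "alice@example.com", "session": "s-100", "ip": "198.51.100.7", "ua": "Chrome/114 Windows", "mfa": true}
{"ts": "2023-07-01T09:20:41Z", "user": "alice@example.com", "session": "s-100", "ip": "198.51.100.7", "ua": "Chrome/114 Windows", "mfa": false}
{"ts": "2023-07-01T10:02:11Z", "user": "bob@example.com", "session": "s-200", "ip": "203.0.113.50", "ua": "Chrome/114 Windows", "mfa": true}
{"ts": "2023-07-01T10:03:30Z", "user": "bob@example.com", "session": "s-200", "ip": "192.0.2.99", "ua": "Firefox/102 Linux", "mfa": false}
{"ts": "2023-07-01T11:00:00Z", "user": "carol@example.com", "session": "s-300", "ip": "198.51.100.20", "ua": "Safari/16 macOS", "mfa": true}
{"ts": "2023-07-01T11:30:00Z", "user": "carol@example.com", "session": "s-300", "ip": "198.51.100.88", "ua": "Safari/16 macOS", "mfa": false}
"""

def parse_events(text):
    """Parse JSON-lines events in time order, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    # Timestamps share one ISO 8601 UTC format, so string order is time order.
    return sorted(events, key=lambda e: e["ts"])

def find_session_reuse(events):
    """Flag sessions used from a client other than the one that passed MFA."""
    baseline = {}  # session id -> event at which MFA was satisfied
    findings = []
    for ev in events:
        sid = ev["session"]
        if ev["mfa"]:
            baseline.setdefault(sid, ev)
            continue
        base = baseline.get(sid)
        if base is None or ev["ip"] == base["ip"]:
            continue
        # A new IP alone can be roaming or a VPN; a new IP plus a new user
        # agent suggests the cookie moved to a different client.
        severity = "high" if ev["ua"] != base["ua"] else "low"
        findings.append({"user": ev["user"], "session": sid, "mfa_ip": base["ip"],
                         "reuse_ip": ev["ip"], "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in find_session_reuse(parse_events(SAMPLE_LOG)):
        print(finding)
```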
Once the threat actor gains access to the target’s Microsoft 365 account, they can use another custom tool called CONTOOL to automate account discovery on the host and harvest emails, phone numbers, and other information. The threat actor can then use this information to launch further attacks, such as impersonating the victim, requesting money transfers, stealing sensitive data, or spreading malware.
The W3LL Store is an example of how phishing-as-a-service (PhaaS) platforms are becoming more prevalent and sophisticated in the cybercrime landscape. PhaaS platforms offer an entire spectrum of services ranging from custom phishing tools to mailing lists and access to compromised servers. These platforms lower the entry barrier for aspiring cybercriminals and enable them to launch large-scale and targeted phishing campaigns with minimal effort and cost.
To protect themselves from phishing attacks, users should stay vigilant when opening emails or messages from unknown or suspicious sources, and avoid clicking links or opening attachments that ask for their credentials or personal information. They should also enable MFA on their accounts whenever possible and use strong, unique passwords for different services.