Wednesday, May 7, 2025
HomeCyber AttackResearchers Uncover Phishing Empire Attacking 56,000+ Microsoft 365 Accounts

Researchers Uncover Phishing Empire Attacking 56,000+ Microsoft 365 Accounts

Published on

SIEM as a Service

Follow Us on Google News

Recent reports indicate that a new threat actor named “W3LL” has been discovered running a large phishing empire completely hidden until now. It was also found that this threat actor played a major role in compromising Microsoft 365 business email accounts over the past few years. 

Furthermore, the threat actor was also running a hidden underground market with the name “W3LL Store” that served a phishing kit called “W3LL panel” and 16 other fully customized tools that can be used for Business Email Compromise (BEC) Attacks.

Evolution of W3LL

As per the reports shared with Cyber Security News, this cybercriminal actor has been active since 2017, when they built their first tool, W3LL SMTP Sender, which was used for bulk email spam. They further developed their version of the phishing kit for targeting corporate Microsoft 365 accounts and opened their own Marketplace W3LL Store in 2018.

- Advertisement - Google News

W3LL stores have been reported to have more than 500 active users with more than 3800 items sold, and their revenue is estimated to be half a million dollars over the past 10 months.

Phishing Kit subscription – $500

W3LL Panel is their greatest tool that has one of the most advanced phishing kits in class, which also features adversary-in-the-middle functionality, API, source code protection, and other unique capabilities.

Many sophisticated threat actors currently use a three-month phishing kit subscription for $500 due to its high efficiency. Every copy of the W3LL Panel must be enabled via token-based authentication to prevent reselling and source code stealing.

More than 850 unique websites were found to be attributed to the W3LL Panel, and threat actors used this tool to initiate a Business Email Compromise Attack with over 56,000 corporate Microsoft 365 business accounts, and more than 8,000 (about 14.3%) of them ultimately compromised.

“W3LL regularly updates its tools, adding new functionalities, improving anti-detection mechanisms, and creating new ones, which underlines the importance of staying up-to-date with the most recent changes in their TTPs.” reads the post by Group-IB.

Group IB has published a complete report about this threat actor, providing detailed information about the tools being sold, indicators of compromise, Geography of operations, and much more.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Mirai Botnet Actively Targeting GeoVision IoT Devices for Command Injection Exploits

The Akamai Security Intelligence and Response Team (SIRT) has identified active exploitation of command...

IBM Cognos Analytics Security Vulnerability Allowed Unauthorized File Uploads

 IBM has issued a security bulletin addressing two newly discovered, high-severity vulnerabilities in its...

Critical AWS Amplify Studio Flaw Allowed Attackers to Execute Arbitrary Code

Amazon Web Services (AWS) has addressed a critical security flaw (CVE-2025-4318) in its AWS Amplify...

Severe Kibana Flaw Allowed Attackers to Run Arbitrary Code

A newly disclosed security vulnerability in Elastic’s Kibana platform has put thousands of businesses...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Mirai Botnet Actively Targeting GeoVision IoT Devices for Command Injection Exploits

The Akamai Security Intelligence and Response Team (SIRT) has identified active exploitation of command...

IBM Cognos Analytics Security Vulnerability Allowed Unauthorized File Uploads

 IBM has issued a security bulletin addressing two newly discovered, high-severity vulnerabilities in its...

Critical AWS Amplify Studio Flaw Allowed Attackers to Execute Arbitrary Code

Amazon Web Services (AWS) has addressed a critical security flaw (CVE-2025-4318) in its AWS Amplify...