W3LL Phishing Kit Hijacks Thousands of Microsoft 365 Accounts, Bypasses MFA

September 11, 2023: A new phishing kit targets Microsoft 365 users and has successfully hijacked thousands of accounts, even those with multi-factor authentication (MFA) enabled. The kit, called W3LL, is being sold on the dark web and is designed to bypass MFA by using various techniques, such as spoofing the sender’s email address and using a legitimate-looking login page.

Once users click on a malicious link in a W3LL phishing email, they are taken to a fake login page that looks like the actual Microsoft 365 login page. If the user enters their credentials on the fake page, the attacker can steal them and use them to access their account.

Even if the user has MFA enabled, the W3LL phishing kit can still be successful. This is because MFA can be bypassed if the attacker can obtain the user’s phone number or security code. The W3LL phishing kit can also trick the user into disabling MFA.

Here are some actional and practical takeaways from the article:

Be wary of any emails that appear to be from Microsoft 365, even if they come from a contact you know.
Please do not click on links in emails unless you are sure they are legitimate.
Always check the URL of a page before entering your login credentials.
Keep your Microsoft 365 software up to date with the latest security patches.
Use a strong password for your Microsoft 365 account; do not share it with anyone.
Enable MFA for your Microsoft 365 account and keep your phone number and security code safe.

Here are some additional details about the W3LL phishing kit:

The kit is designed to target Microsoft 365 users, but it could be used to target users of other cloud-based services.
The kit is sold on the dark web for a few hundred dollars.
The kit is relatively easy to use, making it a popular choice for cybercriminals.
The kit has successfully hijacked thousands of accounts, even those with MFA enabled.

How to protect yourself from W3LL phishing kit: