The FBI Just Busted a Global Phishing Empire Targeting Microsoft 365 Accounts—Here’s How They Beat MFA

Some 17,000 victims were targeted by a global phishing operation that captured credentials and bypassed multi-factor authentication.

BY CHLOE AIELLO, REPORTER @CHLOBO_ILO

The FBI has taken out a global phishing operation that targeted at least 17,000 victims and likely accounted for more than $20 million in fraud.

Called W3LL, the operation involved a “phishing kit,” according to an FBI announcement. For $500, criminals could purchase the kit, which allowed them to impersonate the login pages of legitimate websites. That enabled them to steal credentials and even bypass multi-factor authentication (MFA).

“This wasn’t just phishing—it was a full-service cybercrime platform,” Marlo Graham, FBI Atlanta special agent in charge, said in a statement. “We will continue to work with our domestic and foreign law enforcement partners, using all available tools to protect the public.”

The kit was originally available on a cybercrime marketplace called W3LL Store. Although the FBI noted that the marketplace ceased operating in 2023, criminals could still find the phishing kit through encrypted messaging channels. The FBI said in a statement that some 17,000 victims, roughly half of them U.S.-based, were targeted just between 2023 and 2024. An FBI spokesperson clarified that estimates of financial repercussions came through victim reporting and the Internet Crime Complaint Center, and that the fraud likely amounts to more than $20 million.

Singapore-based cybersecurity firm Group-IB was the first to identify the threat, publishing a report on what it described as a “phishing empire” in 2023. The firm noted that the threat actor behind W3LL had been operating since at least 2017. Microsoft 365 accounts were the primary target of the kits, and some 56,000 corporate accounts across the U.S., Australia, and Europe were targeted within a nine-month period in 2022 and 2023.

The report also shed light on the now-defunct W3LL Store, which reportedly offered “an entire spectrum of phishing services for cybercriminals of all levels, from custom phishing tools to supplementary items such as mailing lists and access to compromised servers” and served at least 500 bad actors. The marketplace even offered customer support and video tutorials for criminals who were not savvy enough to use the tools on their own, according to the firm. Group-IB stated that consequences for victims include financial losses ranging from thousands to millions of dollars, as well as data leaks and reputational damage.

To make the bust, the FBI’s Atlanta Field Office worked with the Indonesian National Police. Together, they identified the alleged developer, referred to in the announcement only as G.L., and seized infrastructure and domains that propped up the phishing operation. Authorities credit their actions with cutting off a major resource for cybercriminals.

Phishing is a well-known cybercrime tactic in which criminals impersonate legitimate individuals or organizations to extract sensitive information from victims, including account credentials and credit card information, according to Microsoft. Phishing schemes can sometimes be identified through grammatical and spelling errors in what should be legitimate communications, subtle changes in domain names, suspicious links or attachments, and messaging imbued with a sense of urgency, such as “open immediately.”

If you’ve identified a phishing attempt, Microsoft recommends flagging the suspicious communication to IT immediately, changing all relevant passwords, activating MFA (if it isn’t already active), and monitoring accounts.


© Inc.com