Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: bec (3 articles)Clear

HIBP confirms 248,000 accounts from ShinyHunters breach of advisory firm CFGI

Have I Been Pwned has added 248,235 accounts from the March breach of CFGI, a US accounting and financial-advisory firm that works closely with corporate finance teams at mid-market and Fortune 500 companies. The extortion group ShinyHunters claimed the intrusion, posting hundreds of thousands of records including names, emails, phone numbers, and home addresses, along with internal corporate documents and identity-system metadata. Because CFGI sits inside its clients' finance functions, the stolen contact and relationship data is unusually useful for convincing business email compromise and client-impersonation scams aimed at authorizing fraudulent payments.

Check
If you work with or for CFGI, check Have I Been Pwned for your email and watch for finance-themed phishing, fake wire instructions, or audit-document requests referencing CFGI.
Affected
CFGI employees, clients, and contacts whose personal and corporate data was exposed (248,235 accounts confirmed); the firm's finance-function clients face elevated business email compromise risk.
Fix
Reset and stop reusing CFGI-related credentials, enable phishing-resistant MFA, and verify any unexpected payment, wire, or account-change request through a known, pre-established voice channel rather than email links.

FBI and Indonesian police dismantle W3LL phishing platform that powered business email compromise attacks worldwide

The FBI Atlanta Field Office and Indonesian authorities have dismantled the W3LL global phishing platform and arrested its alleged developer. W3LL sold a sophisticated phishing kit designed specifically for bypassing multi-factor authentication on Microsoft 365 accounts using adversary-in-the-middle (AiTM) techniques. The platform operated as a phishing-as-a-service ecosystem with its own marketplace, support channels, and licensing model, enabling thousands of business email compromise campaigns targeting corporate Microsoft 365 environments. This is described as the first coordinated international law enforcement action against this platform. Group-IB previously estimated W3LL's tools had been used to compromise over 8,000 Microsoft 365 business accounts.

Check
Review your Microsoft 365 security configuration. W3LL's kit was specifically designed to bypass standard MFA on M365 - organizations relying solely on push notification or SMS-based MFA for M365 were the primary targets.
Affected
Organizations using Microsoft 365 with standard MFA (push notifications, SMS codes, or authenticator app approval prompts). W3LL's AiTM technique proxied real login pages to intercept session tokens after MFA completion.
Fix
Deploy phishing-resistant MFA for Microsoft 365 - FIDO2 security keys or Windows Hello for Business are resistant to AiTM attacks. Enable conditional access policies that evaluate sign-in risk, device compliance, and location. Monitor for suspicious mailbox rules (forwarding, deletion rules) which are the first post-compromise action in BEC campaigns. The W3LL takedown disrupts one platform, but the AiTM phishing technique is now widely adopted by other kits.

EvilTokens phishing kit commoditizes Microsoft device code attacks for business email compromise

A new phishing-as-a-service kit called EvilTokens is being sold on Telegram, turning OAuth device code phishing against Microsoft accounts into a turnkey attack. Victims receive emails with PDFs or HTML files containing QR codes or links to pages impersonating Adobe, DocuSign, or SharePoint. The kit captures Microsoft authentication tokens in real time - bypassing MFA - and gives attackers persistent access for business email compromise. The developer says Gmail and Okta support is coming next.

Check
Review your Microsoft Entra ID logs for unusual device code authentication flows, especially from unfamiliar locations or devices.
Affected
Any organization using Microsoft 365 with users who may click on phishing emails disguised as document-sharing notifications.
Fix
Restrict or disable the device code authentication flow in Microsoft Entra ID conditional access policies if your organization doesn't need it. Deploy phishing-resistant MFA (FIDO2 hardware keys). Train finance, HR, and sales teams to recognize fake document verification pages. Monitor for anomalous token grants in Entra ID sign-in logs.