RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: bec (2 articles)Clear
defense
2026-04-13

FBI and Indonesian police dismantle W3LL phishing platform that powered business email compromise attacks worldwide

The FBI Atlanta Field Office and Indonesian authorities have dismantled the W3LL global phishing platform and arrested its alleged developer. W3LL sold a sophisticated phishing kit designed specifically for bypassing multi-factor authentication on Microsoft 365 accounts using adversary-in-the-middle (AiTM) techniques. The platform operated as a phishing-as-a-service ecosystem with its own marketplace, support channels, and licensing model, enabling thousands of business email compromise campaigns targeting corporate Microsoft 365 environments. This is described as the first coordinated international law enforcement action against this platform. Group-IB previously estimated W3LL's tools had been used to compromise over 8,000 Microsoft 365 business accounts.

w3llphishingmicrosoft-365becaitmmfa-bypasslaw-enforcementfbi
Check
Review your Microsoft 365 security configuration. W3LL's kit was specifically designed to bypass standard MFA on M365 - organizations relying solely on push notification or SMS-based MFA for M365 were the primary targets.
Affected
Organizations using Microsoft 365 with standard MFA (push notifications, SMS codes, or authenticator app approval prompts). W3LL's AiTM technique proxied real login pages to intercept session tokens after MFA completion.
Fix
Deploy phishing-resistant MFA for Microsoft 365 - FIDO2 security keys or Windows Hello for Business are resistant to AiTM attacks. Enable conditional access policies that evaluate sign-in risk, device compliance, and location. Monitor for suspicious mailbox rules (forwarding, deletion rules) which are the first post-compromise action in BEC campaigns. The W3LL takedown disrupts one platform, but the AiTM phishing technique is now widely adopted by other kits.
threat
2026-04-01

EvilTokens phishing kit commoditizes Microsoft device code attacks for business email compromise

A new phishing-as-a-service kit called EvilTokens is being sold on Telegram, turning OAuth device code phishing against Microsoft accounts into a turnkey attack. Victims receive emails with PDFs or HTML files containing QR codes or links to pages impersonating Adobe, DocuSign, or SharePoint. The kit captures Microsoft authentication tokens in real time - bypassing MFA - and gives attackers persistent access for business email compromise. The developer says Gmail and Okta support is coming next.

microsoftoauthphishingdevice-codebecmfa-bypass
Check
Review your Microsoft Entra ID logs for unusual device code authentication flows, especially from unfamiliar locations or devices.
Affected
Any organization using Microsoft 365 with users who may click on phishing emails disguised as document-sharing notifications.
Fix
Restrict or disable the device code authentication flow in Microsoft Entra ID conditional access policies if your organization doesn't need it. Deploy phishing-resistant MFA (FIDO2 hardware keys). Train finance, HR, and sales teams to recognize fake document verification pages. Monitor for anomalous token grants in Entra ID sign-in logs.