Find notable cyber news and cases, enriched with sources, timelines, and signals.

W3LL Microsoft 365 adversary-in-the-middle phishing campaign

Campaign
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

The W3LL phishing operation turned into a high-volume Microsoft 365 credential-theft campaign, exposing more than 17,000 victims worldwide to BEC risk. The kit used adversary-in-the-middle proxies to intercept passwords, MFA passcodes, and session cookies. That access could bypass MFA and let attackers enter mailboxes, monitor email, and redirect payments. The operation mattered because it combined phishing delivery with reusable access brokerage and post-compromise fraud.

Related Happenings

Pink new extortion brand within The Com

Threat Actor Meta
H score30 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: A new **Pink** extortion brand has emerged within **The Com**, signaling a more decentralized criminal ecosystem that can scale credential theft and data extortion across multiple...

O-UNC-066 / Pink Microsoft Entra passkey vishing campaign

Campaign
H score37 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...

Meta For Business Facebook Messenger fake-verification phishing campaign

Campaign
H score29 First: 07.07.2026 10:00 Last: 07.07.2026 10:00 Sources 1

About this happening: A **phishing campaign** abused **Facebook Messenger chatbots** and fake verification lures to steal **Meta For Business** credentials and sensitive identity data, creating account...

Microsoft Azure CLI password-spray campaign using ROPC

Campaign
H score24 First: 01.07.2026 08:46 Last: 01.07.2026 08:46 Sources 1

About this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...

Service desk social engineering defenses tighten identity verification for password resets and MFA changes

Defensive Guidance
H score17 First: 24.06.2026 17:02 Last: 24.06.2026 17:02 Sources 1

About this happening: **Service desk identity verification** is being tightened against **social engineering attacks**, reducing impersonation-driven account takeover and unauthorized access across cor...

Timeline

  1. 13.04.2026 21:55 2 articles · 2mo ago

    W3LL Microsoft 365 adversary-in-the-middle campaign and coordinated takedown

    Campaign Scope Update

    On April 13, 2026, the FBI Atlanta Field Office and Indonesian authorities dismantled the W3LL phishing platform and seized w3ll[.]store, ending a service that sold for $500 and used adversary-in-the-middle proxies to clone corporate login portals, intercept credentials, one-time MFA passcodes, and session cookies, and support business email compromise attacks against Microsoft 365 corporate accounts. The operation was linked to more than 17,000 victims worldwide and a marketplace that facilitated the sale of more than 25,000 compromised accounts, with stolen access also brokered through W3LLSTORE and encrypted messaging platforms.

    Show sources