W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
Summary
The W3LL phishing operation turned into a high-volume Microsoft 365 credential-theft campaign, exposing more than 17,000 victims worldwide to BEC risk. The kit used adversary-in-the-middle proxies to intercept passwords, MFA passcodes, and session cookies. That access could bypass MFA and let attackers enter mailboxes, monitor email, and redirect payments. The operation mattered because it combined phishing delivery with reusable access brokerage and post-compromise fraud.
Related Happenings
Kali365 Microsoft 365 device-code phishing campaign
Campaign
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Infostealer malware operation targeting online store users
Malware Activity
First: 21.05.2026 00:36
Last: 21.05.2026 00:36
Sources 1
About this happening:
A **malware operation** using **infostealer** tools infected users’ devices between **2024 and 2025**, stealing browser sessions and account credentials that enabled account theft...
EvilTokens Microsoft 365 consent phishing campaign
Campaign
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
PCPJack credential theft framework worms across exposed cloud infrastructure
Malware Activity
First: 08.05.2026 12:00
Last: 08.05.2026 12:00
Sources 1
About this happening:
The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...
Timeline
- 13.04.2026 21:55 (2 articles)
W3LL Microsoft 365 adversary-in-the-middle campaign and coordinated takedown
Campaign Scope Update
On April 13, 2026, the FBI Atlanta Field Office and Indonesian authorities dismantled the W3LL phishing platform and seized w3ll[.]store. The service sold for $500 and used adversary-in-the-middle proxies to clone corporate login portals and intercept credentials, one-time MFA passcodes, and session cookies, supporting business email compromise attacks against Microsoft 365 corporate accounts. The operation was linked to more than 17,000 victims worldwide and a marketplace that facilitated the sale of more than 25,000 compromised accounts, with stolen access also brokered through W3LLSTORE and encrypted messaging platforms.
Sources:
- FBI takedown of W3LL phishing service leads to developer arrest — www.bleepingcomputer.com — 13.04.2026 21:55