W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
Summary
Hide ▲
Show ▼
The W3LL phishing operation turned into a high-volume Microsoft 365 credential-theft campaign, exposing more than 17,000 victims worldwide to BEC risk. The kit used adversary-in-the-middle proxies to intercept passwords, MFA passcodes, and session cookies. That access could bypass MFA and let attackers enter mailboxes, monitor email, and redirect payments. The operation mattered because it combined phishing delivery with reusable access brokerage and post-compromise fraud.
Related Happenings
Pink new extortion brand within The Com
Threat Actor Meta
H score30
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
A new **Pink** extortion brand has emerged within **The Com**, signaling a more decentralized criminal ecosystem that can scale credential theft and data extortion across multiple...
Pink new extortion brand within The Com
Threat Actor MetaAbout this happening: A new **Pink** extortion brand has emerged within **The Com**, signaling a more decentralized criminal ecosystem that can scale credential theft and data extortion across multiple...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignAbout this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
Meta For Business Facebook Messenger fake-verification phishing campaign
Campaign
H score29
First: 07.07.2026 10:00
Last: 07.07.2026 10:00
Sources 1
About this happening:
A **phishing campaign** abused **Facebook Messenger chatbots** and fake verification lures to steal **Meta For Business** credentials and sensitive identity data, creating account...
Meta For Business Facebook Messenger fake-verification phishing campaign
CampaignAbout this happening: A **phishing campaign** abused **Facebook Messenger chatbots** and fake verification lures to steal **Meta For Business** credentials and sensitive identity data, creating account...
Microsoft Azure CLI password-spray campaign using ROPC
Campaign
H score24
First: 01.07.2026 08:46
Last: 01.07.2026 08:46
Sources 1
About this happening:
A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Microsoft Azure CLI password-spray campaign using ROPC
CampaignAbout this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Service desk social engineering defenses tighten identity verification for password resets and MFA changes
Defensive Guidance
H score17
First: 24.06.2026 17:02
Last: 24.06.2026 17:02
Sources 1
About this happening:
**Service desk identity verification** is being tightened against **social engineering attacks**, reducing impersonation-driven account takeover and unauthorized access across cor...
Service desk social engineering defenses tighten identity verification for password resets and MFA changes
Defensive GuidanceAbout this happening: **Service desk identity verification** is being tightened against **social engineering attacks**, reducing impersonation-driven account takeover and unauthorized access across cor...
Timeline
-
13.04.2026 21:55 2 articles · 2mo ago
W3LL Microsoft 365 adversary-in-the-middle campaign and coordinated takedown
Campaign Scope UpdateOn April 13, 2026, the FBI Atlanta Field Office and Indonesian authorities dismantled the W3LL phishing platform and seized w3ll[.]store, ending a service that sold for $500 and used adversary-in-the-middle proxies to clone corporate login portals, intercept credentials, one-time MFA passcodes, and session cookies, and support business email compromise attacks against Microsoft 365 corporate accounts. The operation was linked to more than 17,000 victims worldwide and a marketplace that facilitated the sale of more than 25,000 compromised accounts, with stolen access also brokered through W3LLSTORE and encrypted messaging platforms.
Show sources
- FBI takedown of W3LL phishing service leads to developer arrest — www.bleepingcomputer.com — 13.04.2026 21:55
- FBI takedown of W3LL phishing service leads to developer arrest — www.bleepingcomputer.com — 13.04.2026 21:55