Microsoft 365 MFA Cracked: Are You at Risk from W3LL Hackers?


This Week in IT: is your Microsoft 365 tenant vulnerable to the W3LL phishing attack that bypasses MFA? Stay tuned as I look at the risks and how to protect your users. Plus, get the latest updates on Windows 365 and OneDrive, and there are major changes coming to Outlook and printer support in Windows.


This week in IT: is your Microsoft 365 tenant vulnerable to the W3LL phishing attack that bypasses multi-factor authentication? Stay tuned as I look at how it works and how you can protect your users. Plus, get the latest updates on Windows 365 and OneDrive, and there are major changes coming to Outlook and printer support in Windows.

Welcome to This Week in IT, where I cover the latest news on Windows and Microsoft 365. Before I get started, I’d like to ask you a quick favour. About 84% of the people who watched last week’s video weren’t subscribed to the channel, so I’d really love it if we could get the subscriber count up to about 650 this week; we’re on 600 as we go live with this video. So I’d really appreciate it if you’d subscribe to the channel and hit the bell notification to make sure you don’t miss out on the latest uploads. There was some interesting research published this week by Group-IB. The W3LL phishing kit has been used against Microsoft 365 accounts since around last October. Around 56,000 accounts have been targeted so far and about 8,000 of them successfully compromised, a success rate of roughly 14%, which is really high.

They’ve got around 850 phishing websites that the stolen data is sent back to, and behind it all is a community of around 500 cybercriminals buying from an underground marketplace called W3LL Store. The main tool is called W3LL Panel, and it’s worth being precise about what it is: it’s a phishing kit hosted on those attacker-controlled websites, not malware that ends up running on the end user’s device. The attackers use email lists, validation tools and sender tools to get a malicious email in front of the target and persuade them to open an attachment. The attachment shows an Outlook-style loading animation that looks genuine to the user, and then sends the browser on to a W3LL Panel page that sits between the user and the real Microsoft 365 sign-in page, an adversary-in-the-middle. Everything the user types, username, password and the MFA response, is relayed to Microsoft, so the sign-in completes as normal. What the attacker keeps is the session cookie Microsoft issues at the end of that sign-in, which is sent back to the phishing site where the operator can collect it and use it to log into Microsoft 365 as that user.

With that cookie they don’t need the username or password, and worst of all they don’t need to pass multi-factor authentication, which would usually be the sticking point for the hacker. How do you get past that? This is quite a scary attack, because you’d think MFA gives you some kind of bulletproof protection, but researchers have shown that may not be the case. Researchers are calling this the pass-the-cookie technique. So in the past we’ve had pass-the-hash with NTLM and pass-the-ticket with Kerberos, and now we have pass-the-cookie. A cookie is essentially just a small piece of text held in the browser’s cookie store; plenty of malware already steals cookies, Emotet and Raccoon Stealer for example, and red-teaming tooling such as Metasploit can demonstrate how a stolen cookie is replayed in practice. So the question is, what do you do about this when you thought your users were fully protected with MFA? Mimecast have come up with several recommendations. The first is that you should be monitoring login activity in Microsoft 365 for any unusual behaviour.
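As an added example, not from the video, Group-IB or Mimecast, here is what that first recommendation can look like in practice. The script below runs a simple check over Microsoft Entra sign-in records shaped like the objects the Microsoft Graph auditLogs/signIns endpoint returns (and like the output of Get-MgAuditLogSignIn from the Microsoft.Graph.Reports module): for each user it looks for a non-interactive sign-in, meaning a session cookie or token was presented with no credential prompt, arriving from a different country and IP address shortly after an interactive sign-in. The four records are constructed sample data; the user names, IP addresses and the 120-minute window are illustrative choices, not values from the research.

```powershell
# Added example: flag Microsoft 365 sign-ins that look like a replayed session cookie.
# Input records mimic the shape of Microsoft Graph /auditLogs/signIns objects
# (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion,
# isInteractive). The four records below are constructed sample data, not real logs.

$sampleSignIns = @'
[
  { "userPrincipalName": "alice@contoso.com", "createdDateTime": "2023-09-12T13:02:11Z",
    "ipAddress": "203.0.113.10", "isInteractive": true,
    "location": { "city": "Denver", "countryOrRegion": "US" } },
  { "userPrincipalName": "alice@contoso.com", "createdDateTime": "2023-09-12T13:41:05Z",
    "ipAddress": "198.51.100.77", "isInteractive": false,
    "location": { "city": "Frankfurt", "countryOrRegion": "DE" } },
  { "userPrincipalName": "bob@contoso.com", "createdDateTime": "2023-09-12T08:15:00Z",
    "ipAddress": "203.0.113.22", "isInteractive": true,
    "location": { "city": "Denver", "countryOrRegion": "US" } },
  { "userPrincipalName": "bob@contoso.com", "createdDateTime": "2023-09-12T16:40:00Z",
    "ipAddress": "203.0.113.22", "isInteractive": false,
    "location": { "city": "Denver", "countryOrRegion": "US" } }
]
'@

function Find-SuspiciousSessionReuse {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        # Two countries inside this window is not impossible, but it is unusual
        # enough to be worth a look when no credential/MFA prompt was involved.
        [int] $WindowMinutes = 120
    )

    $SignIns |
        Group-Object -Property userPrincipalName |
        ForEach-Object {
            # Walk each user's sign-ins in time order and compare neighbours.
            $ordered = $_.Group | Sort-Object { [datetime]$_.createdDateTime }
            for ($i = 1; $i -lt $ordered.Count; $i++) {
                $prev = $ordered[$i - 1]
                $curr = $ordered[$i]
                $gap  = ([datetime]$curr.createdDateTime) - ([datetime]$prev.createdDateTime)

                $countryChanged = $prev.location.countryOrRegion -ne $curr.location.countryOrRegion
                $newIp          = $prev.ipAddress -ne $curr.ipAddress

                # A non-interactive sign-in (token/cookie presented, no credential prompt)
                # from a new country and IP shortly after an interactive one is the
                # pattern a replayed cookie produces.
                if ($countryChanged -and $newIp -and -not $curr.isInteractive -and
                    $gap.TotalMinutes -le $WindowMinutes) {
                    [pscustomobject]@{
                        User         = $curr.userPrincipalName
                        FirstSeen    = "$($prev.location.countryOrRegion) $($prev.ipAddress) at $($prev.createdDateTime)"
                        ThenSeen     = "$($curr.location.countryOrRegion) $($curr.ipAddress) at $($curr.createdDateTime)"
                        MinutesApart = [math]::Round($gap.TotalMinutes)
                    }
                }
            }
        }
}

$signIns = $sampleSignIns | ConvertFrom-Json
Find-SuspiciousSessionReuse -SignIns $signIns | Format-Table -AutoSize

# Against a real tenant (Microsoft.Graph.Reports module, AuditLog.Read.All permission):
#   Connect-MgGraph -Scopes 'AuditLog.Read.All'
#   $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge 2023-09-12T00:00:00Z" -All
#   Find-SuspiciousSessionReuse -SignIns $signIns
# Note that the signIns endpoint returns interactive sign-ins unless you also
# filter on signInEventTypes to include the non-interactive ones.
```

On the sample data this flags alice@contoso.com (an interactive sign-in from the US, then a non-interactive one from Germany 39 minutes later) and nothing for bob. Treat a hit as a lead, not a verdict: VPNs and roaming users produce the same pattern. If it is real, Revoke-MgUserSignInSession -UserId alice@contoso.com invalidates the user’s refresh tokens and browser session cookies, and reset the password at the same time, since a kit that captures the session can capture the credentials too.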

The second is that you should regularly ask users to reset their passwords, and the third is to make sure you enforce MFA, despite the fact that this attack is able to bypass it; MFA still stops an attacker who has only got hold of a password. Train your employees so they’re able to identify unusual requests. And this next one is not from Mimecast, but I’m wondering whether conditional access policies and continuous access evaluation would mitigate this in some circumstances. For instance, imagine you’ve got a user in the US, an attacker gets hold of their Microsoft 365 session cookie and tries to use it from a European country. If you have conditional access policies and continuous access evaluation enabled, I don’t know, that situation might be mitigated. But Microsoft, frustratingly for some security researchers, isn’t saying anything at the moment about how you might protect your users, and a lot of the research community believe Microsoft should already be speaking about what you can do, because ultimately it’s their systems being targeted. So it might be that I’m wrong about conditional access policies and that they don’t really provide any protection at all. I don’t know the answer to that definitively, but maybe Microsoft is a little bit afraid at this stage to come out and say that all of these advanced protections you have to pay extra for don’t really provide much protection against this kind of attack. We’ll have to wait and see what Microsoft says, but regardless of Microsoft’s silence right now, you need to make sure you’re looking out for this kind of attack. This week is also Patch Tuesday, and I’m going to go over it very briefly.

There were 65 vulnerabilities fixed, and there are some things in there you should watch out for, including in Microsoft Office. The biggest thing for IT administrators is the new controls for Windows Update, which I think I mentioned in last week’s video or the week before, because they were part of the optional update that came at the end of August. Basically you get a new policy for Windows Update, and when it’s enabled IT admins get three options for optional updates on managed devices: the device automatically receives optional updates with controlled feature rollouts, the device automatically receives optional updates without controlled feature rollouts, or end users decide for themselves which optional updates they receive. There’s also a new flyout that appears when you hover over Search on the taskbar, but that can be disabled in Settings.

Windows 365 released the enhanced app experience, which works on the Motorola ThinkPhone only at this stage, I believe, and what this provides is a Continuum-like experience, if you remember back to Windows Phone. Essentially there’s an app on the Android device that gives you access to your Windows 365 Cloud PC, and if you connect the phone to an external screen, keyboard and mouse, you can open the Windows 365 app and get your full desktop on that external monitor. I’m guessing this is really aimed at frontline workers and enterprises that have a specific use case for it, because in my experience it’s not a replacement for a notebook or laptop: you’ve got to have access to a screen and hardware, and consumers aren’t really going to be interested in paying for a Windows 365 licence.

OneDrive is getting offline support. I’m talking about the OneDrive website, so you’ll be able to copy, delete, move and rename files while you’re offline, any changes you make will be synchronised when you come back online, and any files marked Always available offline will be accessible when you don’t have an internet connection.

Now, I use the OneDrive sync client on my PC, so I don’t really have a great use for this, but I know not everybody does. Some people use the website, probably most people to be honest, so this is great for them. It’s coming in preview in November, and Microsoft is planning general availability in December this year. Teams is getting inline search. I think this only applies to the new client, and I’m really excited about it because, I’m a bit weird, one of the pet peeves I’ve always had about search, at least in the new client, is that if you use the search box at the top it doesn’t search in the context of the current chat or channel I’m in.

That’s a bit frustrating, because usually I’m in a chat or a channel and I want to search it, but no, it’s going to search my entire Microsoft 365 tenant. In the past you could narrow that search down a little with Slack-style commands in the search box, but for whatever reason that hasn’t been carried across into the new Teams client. I don’t know whether Microsoft is planning to do that, but this is even better, I think. If you want to search inline in the current chat or channel, all you need to do now is press Ctrl+F (Cmd+F on a Mac) and you get a separate search dialogue that pops out, or I think slides in from the side, and you can search just that particular chat or channel. I found out about this because, in the new client, Microsoft gives you a rundown at the end of each month of all the important changes made in the previous month, and I found out by chance that this was now a feature. It’s great news for making search a lot easier in Teams, I think.

PowerShell Crescendo has had a minor update and is now version 1.1. Crescendo is a framework, a toolset, that lets you create PowerShell cmdlets wrapping the functionality of an existing command-line tool, something that isn’t PowerShell but that you use from the command line. Why is this interesting? It lets you take a clunky command-line tool and give it all that PowerShell goodness: objects instead of text, and all the other things you can do in PowerShell that you can’t do with most command-line tools. So if there’s a tool you use regularly as a system administrator, do check out this framework and how you can use it to make your life a lot easier when automating tasks.

Microsoft have released a few details about how they’re going to roll out the new Outlook client.
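Going back to Crescendo for a moment, here is an added example of what a wrapper actually looks like; it is not code from the video or from the Crescendo project. It wraps netstat -ano, a classic text-only tool, so that each connection comes back as an object with a Protocol, LocalAddress, RemoteAddress, State and PID. Assumptions: the Microsoft.PowerShell.Crescendo module is installed, you are on Windows with English netstat output (the regex in the output handler is written for that column layout), and the schema URL is the one documented for Crescendo 1.1, which you should check against your installed version.

```powershell
# Added example (not from the video): wrap netstat.exe in a cmdlet with Crescendo 1.1.
# Assumes: Install-Module Microsoft.PowerShell.Crescendo has been run, you are on
# Windows with English netstat output, and the 2022-06 schema URL documented for
# Crescendo 1.1. The absolute path to netstat.exe is deliberate: the generated
# module should not pick up whatever netstat.exe happens to be first on PATH.

$config = @'
{
  "$schema": "https://aka.ms/PowerShell/Crescendo/Schemas/2022-06",
  "Commands": [
    {
      "Verb": "Get",
      "Noun": "NetstatConnection",
      "OriginalName": "C:\\Windows\\System32\\netstat.exe",
      "OriginalCommandElements": [ "-ano" ],
      "Description": "Returns netstat -ano output as objects (Protocol, LocalAddress, RemoteAddress, State, PID).",
      "Parameters": [
        {
          "Name": "Protocol",
          "OriginalName": "-p",
          "ParameterType": "string",
          "Description": "Restrict to tcp or udp; passed through as netstat -p <proto>."
        }
      ],
      "OutputHandlers": [
        {
          "ParameterSetName": "Default",
          "HandlerType": "Inline",
          "Handler": "param($output) foreach ($line in $output) { if ($line -match '^\\s*(TCP|UDP)\\s+(\\S+)\\s+(\\S+)\\s+(?:(\\S+)\\s+)?(\\d+)\\s*$') { [pscustomobject]@{ Protocol = $matches[1]; LocalAddress = $matches[2]; RemoteAddress = $matches[3]; State = $matches[4]; PID = [int]$matches[5] } } }"
        }
      ]
    }
  ]
}
'@

# The output handler above receives netstat's text lines as $output. UDP rows have
# no State column, which is why that capture group is optional in the regex.
$configPath = Join-Path $env:TEMP 'NetstatConnection.crescendo.json'
$modulePath = Join-Path $env:TEMP 'NetstatConnection.psm1'
Set-Content -Path $configPath -Value $config -Encoding utf8

# Generate NetstatConnection.psm1/.psd1 from the configuration and load the module.
Export-CrescendoModule -ConfigurationFile $configPath -ModuleName $modulePath -Force
Import-Module $modulePath -Force

# netstat is now a first-class PowerShell command: objects you can filter, sort and export.
Get-NetstatConnection -Protocol tcp |
    Where-Object State -eq 'LISTENING' |
    Sort-Object PID |
    Select-Object Protocol, LocalAddress, PID |
    Format-Table -AutoSize
```

A practical security use: run Get-NetstatConnection | Export-Csv on a known-good build and Compare-Object it against a later run to spot new listening ports or unexpected owning processes, which is painful to do with raw netstat text.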

This is the client, codenamed One Outlook I think, that is based on Microsoft WebView2. It’s available in preview and you can choose to use it if you want, but it’s not really quite ready yet, so I wouldn’t recommend rolling it out to your users at this stage. Microsoft has said they’re planning to roll it out over the next couple of years. It’s going to replace the Mail and Calendar apps in Windows, commercial customers will get one year’s advance notice of the changes, and the idea is that for most users the new client will be able to replace the legacy Outlook application. Of course, at this stage there are various things it can’t do; a lot of advanced functionality, COM add-ins and that kind of thing are missing, but from what I’ve seen it’s looking quite good. It’s a little bit frustrating that it doesn’t work quite the same as Outlook on a mobile device: you still have to see all of your added email accounts as separate inboxes and can’t combine them like you can on mobile. People ask why you would use this instead of just logging on to the website, and the main reason is that you can see all of your email accounts in one place rather than opening Gmail, Hotmail and Microsoft 365 in separate browser windows; with this app you get them all in one view.

This month Microsoft also announced the end of third-party printer driver support via Windows Update. As you will know, over the last few years there have been so many security issues caused by third-party printer drivers; they’re a real pain for everybody, and Microsoft is saying it’s going to shift printer support over to print support apps distributed via the Microsoft Store. There are also some interesting technical details here that I wasn’t really aware of: since the release of Windows 10 21H2, Windows supports Mopria-compliant printer devices. Mopria is an open standard where the printer is driven over USB or the network by the Microsoft IPP class driver that ships with Windows, so it essentially removes the need for manufacturers to provide their own third-party printer drivers, and if you want to allow some kind of device-specific customisation you can provide that via your print support app in the Microsoft Store.

Microsoft has said it’s implementing these changes over the next few years and will continue to support printer drivers that are already in Windows Update until 2026, including providing security updates for drivers already supported on supported versions of Windows. If you found this video useful, I’d really appreciate it if you gave it a like, because it helps get the video seen by more people on YouTube. Don’t forget to subscribe to the channel and hit the bell notification if you’d like these updates every week. I’m going to leave you now with another video on screen that you might find interesting, but that’s it from me for this week and I’ll see you next time.