Manufacturing businesses, healthcare organizations, and tech companies in English-speaking countries are the most targeted by phishers leveraging a relatively new phishing-as-a-service (PaaS) tool called Greatness, created to phish Microsoft 365 users.
According to Cisco researcher, this tool has been utilized in numerous phishing campaigns, with notable spikes in activity observed in December 2022 and March 2023.
The Greatness PaaS
Greatness is a PaaS tool/service specifically designed to compromise Microsoft 365 credentials.
It has three components:
- A phishing kit (containing the admin panel)
- The service API
- A Telegram bot or email address
The tool provides affiliates with an attachment and link builder, allowing them to create convincing decoy and login pages that are likely to fool unsuspecting users.
“It contains features such as having the victim’s email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization’s real Microsoft 365 login page,” says Tiago Pereira, technical leder of security research at Cisco Talos.
“Working together, the phishing kit and the API perform a ‘man-in-the-middle’ attack, requesting information from the victim that the API will then submit to the legitimate login page in real time. This allows the PaaS affiliate to steal usernames and passwords, along with the authenticated session cookies if the victim uses MFA.”
The Telegram bot immediataly informs the attacker of a successful attack, so that they can react before the authenticated session times out (i.e., the cookies become invalid).
Phishing Microsoft 365 users
From the victim’s point of view, the attack begins with an email containing an HTML file attachment.
Upon opening the HTML file, obfuscated JavaScript code is executed within the victim’s web browser, establishing a connection with the attacker’s server and presenting the victim with a blurred image mimicking a loading page.
The blurred decoy page (Source: Cisco Talos)
Then the victim is redirected to a bogus Microsoft 365 login page, where their email address has already been entered. When they enter their password, the PaaS tool leverages its capabilities to connect to Microsoft 365 and attempts to log in by impersonating the victim.
“If MFA is used, the service will prompt the victim to authenticate using the MFA method requested by the real Microsoft 365 page (e.g., SMS code, voice call code, push notification),” Pereira says.
Once the authentication is successful, the API service retrieves the authentication session cookies and forwards them to the designated affiliate’s Telegram channel or email address. The phishers now have everything they need to access the victims’ Microsoft 365 account.