
Microsoft 365 Accounts Face the Menace of ‘Greatness’ Phishing-as-a-Service

Report: New ‘Greatness’ Phishing-as-a-Service Targets Microsoft 365 Accounts

A new phishing-as-a-service (PaaS) tool called ‘Greatness’ has been deployed to run phishing campaigns against Microsoft 365 accounts, mainly in the US manufacturing, healthcare, technology, and real estate sectors. Since mid-2022 the service has also been used in several campaigns in the UK, Australia, Canada, and South Africa. Cisco’s Talos security team identified the cybercrime service, which serves Microsoft 365 phishing pages and gives affiliates capabilities such as IP filtering, multi-factor authentication (MFA) bypass, and integration with Telegram bots.

## PaaS affiliates and their phishing kit with API key

Affiliates of Greatness are given tools to build convincing login pages that carry the targeted organization’s logo and background image. The phishing kit requires an API key that unlocks its more advanced features; the service itself acts as a proxy to Microsoft’s authentication system and steals the victim’s credentials through a man-in-the-middle attack. During an attack the victim receives a malicious email with an HTML attachment, often posing as a shared document. Opening the attachment executes JavaScript that sends the browser to an attacker-controlled server, which returns the phishing page: a blurred image pretending to be a document that is still loading.
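The lure described above is an HTML attachment whose only job is to redirect the browser on open. The following mail-gateway check is an added example written for this article, not code from Talos or from the kit; it flags attachments whose inline script or meta refresh sends the browser elsewhere, and it runs on constructed sample attachments embedded below (the regular expressions and the `allow`/`review`/`block` verdicts are illustrative heuristics, not a vendor’s rule set).

```python
import re

# Constructed heuristics, not the kit's own code: inline script that sends the
# browser elsewhere, a meta refresh, or light obfuscation around the target URL.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
META_REFRESH_RE = re.compile(r"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh\b[^>]*url=", re.I | re.S)
REDIRECT_RE = re.compile(
    r"\b(?:(?:window|document|self|top)\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]"
    r"|\bwindow\.open\s*\(")
OBFUSCATION_RE = re.compile(r"\batob\s*\(|\bunescape\s*\(|String\.fromCharCode|\beval\s*\(")


def analyze_html_attachment(html: str) -> dict:
    """Score an HTML attachment; returns its indicators and allow/review/block."""
    js = "\n".join(SCRIPT_RE.findall(html))
    checks = (
        ("meta-refresh", META_REFRESH_RE.search(html)),
        ("script-redirect", REDIRECT_RE.search(js)),
        ("obfuscated-script", OBFUSCATION_RE.search(js)),
    )
    indicators = [name for name, hit in checks if hit]
    # A redirect that fires on open is blocked; obfuscation alone is sent to review.
    if "meta-refresh" in indicators or "script-redirect" in indicators:
        verdict = "block"
    else:
        verdict = "review" if indicators else "allow"
    return {"verdict": verdict, "indicators": indicators}


# Constructed samples: a lure that shows a blurred "loading" page and then
# redirects to a base64-wrapped URL, a meta-refresh variant, and a benign
# attachment with no script at all.
LURE = """<html><body><p>Opening shared document...</p>
<img src="preview.png" style="filter:blur(6px)">
<script>var u=atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv");window.location.href=u;</script>
</body></html>"""
META_LURE = '<html><head><meta http-equiv="refresh" content="0;url=https://example.invalid/"></head></html>'
BENIGN = "<html><body><h1>Quarterly report</h1><p>Figures are in the table below.</p></body></html>"

if __name__ == "__main__":
    for name, doc in (("lure", LURE), ("meta-lure", META_LURE), ("benign", BENIGN)):
        print(name, analyze_html_attachment(doc))
```

Real lures vary the redirect wording and encoding, so treat the patterns as a starting point and pair the check with detonation of any attachment that reaches `review`.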

## Attack on Microsoft 365 login page

Once redirected to the legitimate-looking login page, the victim is asked to enter their credentials and, where one is in use, their MFA code. In the background the service logs in to the victim’s account with the supplied credentials. By capturing the resulting session cookies it completes the authentication, and the victim’s login information is then sent to the PaaS affiliate over its Telegram channel. The Greatness phishing kit runs on the attacker-controlled server and communicates with the PaaS API to forward the stolen credentials to the affiliates.

## Recommendations for the public and private sectors

Given the sophistication of the ‘Greatness’ phishing-as-a-service attack, the public and private sectors should strengthen both their cybersecurity policies and their security awareness training for employees. Regular training sessions help employees recognize phishing threats before they fall victim to an attack. Multi-factor authentication (MFA) can also be a good defense mechanism here, since it makes it much harder for attackers to access an account with stolen credentials alone. Emails should be screened thoroughly, attachments scanned before they are opened, and links to unknown websites avoided. It is also essential to stay alert for suspicious activity and to report it promptly.
