Microsoft 365 Under Threat From A New Phishing Tool
A new Phishing-as-a-Service (PaaS) tool called “Greatness” has been deployed as part of several phishing campaigns since at least mid-2022 and organisations using Microsoft 365 in the United States, Canada, the UK, Australia, and South Africa have been using it.
Manufacturing businesses, healthcare organisations, and tech companies in English-speaking countries are the most targeted by phishers leveraging Greatness.
In a new report by Cisco Talos, researchers explain how the Greatness phishing platform launched in mid-2022, with a spike in activity in December 2022 and then again in March 2023. They have detailed their findings on "Greatness," a one-stop-shop for all of a cyber criminal's phishing needs.
With Greatness, anyone with even rudimentary technical skills can craft compelling Microsoft 365-based phishing lures, then carry out man-in-the-middle attacks that steal authentication credentials, even in the face of Multi Factor Authentication (MFA), and much more. Based on this investigation, Greatness is solely targeting victims via Microsoft 365 phishing pages. Half of the targets thus far have been concentrated in the US, with further attacks occurring around Western Europe, Australia, Brazil, Canada, and South Africa.
The tool has been in circulation since at least mid-2022 and has been used in attacks against enterprises in manufacturing, healthcare, and technology, among other sectors. "It's designed to be accessible," says Nick Biasini, Head of Outreach for Cisco Talos. "It democratises access to phishing campaigns."
The criminal group behind PaaS is offering its customers an attachment and link builder to create authentic-looking decoy and login pages.
To a victim, Greatness will come in the form of an email with a link, or usually an attachment disguising an HTML page. Clicking on the attachment will open a blurred image of a Microsoft document behind a loading wheel, giving the impression that the file is loading. But the document never loads. Instead, the victim is redirected to a Microsoft 365 login page. That might seem suspicious if not for the fact that the victim's email address, as well as their company's logo, are already pre-filled on the page, lending an air of legitimacy to the whole affair.
At this point, the man-in-the-middle scheme begins. The victim submits their password to 365, not knowing they're helping to log in their own attacker. Even if a victim has MFA implemented, it's no problem. 365 requests a code, the victim submits it, Greatness intercepts it, and the ruse continues. Greatness collects its authenticated session cookies and passes it on to the threat actor via Telegram or its admin panel.
It used to take time, effort, and coding to craft phishing attacks that were so convincing. With Greatness, all you have to do is fill out a form: title, caption, an image of an Excel spreadsheet to trick them. Enabling the "autograb" feature automatically pre-fills the 365 login page with the victim's email address.
"Basically you just pay, you get access to your API, and that's it," Biasani says. "You have to understand some basic things, like what API keys are, and how to apply it in the portal, but it's pretty, pretty user-friendly." Because Greatness is so slick in presentation and effortlessly bypasses MFA, simple awareness and cyber hygiene may not be enough to save an enterprise from its grasp.
In attack simulation training using Microsoft 365 E5, or Microsoft Defender for Office 365 Plan 2, simulations are benign cyber attacks that you run in your organisation. These training simulations can test your IT security and can train your employees to increase their awareness and decrease their susceptibility to attacks.
Microsoft 365 Defender is a suite of defense tools used to detect, prevent, investigate and respond across various surface areas in your Microsoft 365 environment. This includes endpoints, identities, email, and applications. The Microsoft 365 cloud-based productivity platform is used by many organisations worldwide, making it a valuable target for cyber criminals who attempt to steal data or credentials for use in network breaches.
Cisco Talos: Microsoft: Dark Reading: Infosecurity Magazine: TitanHQ: Bleeping Computer:
Cloud Academy: HelpNetSecurity:
You Might Also Read:
Phishing Attacks Surge As Cyber Criminals Exploit New AI Tools:
___________________________________________________________________________________________
If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.
- Individual £5 per month or £50 per year. Sign Up
- Multi-User, Corporate & Library Accounts Available on Request
- Inquiries: Contact Cyber Security Intelligence
Cyber Security Intelligence: Captured Organised & Accessible