Microsoft 365 Under Threat From A New Phishing Tool

A new Phishing-as-a-Service (PaaS) tool called “Greatness” has been deployed as part of several phishing campaigns since at least mid-2022 and organisations using Microsoft 365 in the United States, Canada, the UK, Australia, and South Africa have been using it.

Manufacturing businesses, healthcare organisations, and tech companies in English-speaking countries are the most targeted by phishers leveraging Greatness.

In a new report by Cisco Talos, researchers explain how the Greatness phishing platform launched in mid-2022, with a spike in activity in December 2022 and then again in March 2023. They have detailed their findings on "Greatness," a one-stop-shop for all of a cyber criminal's phishing needs. 

With Greatness, anyone with even rudimentary technical skills can craft compelling Microsoft 365-based phishing lures, then carry out man-in-the-middle attacks that steal authentication credentials, even in the face of Multi Factor Authentication (MFA), and much more. Based on this investigation, Greatness is solely targeting victims via Microsoft 365 phishing pages. Half of the targets thus far have been concentrated in the US, with further attacks occurring around Western Europe, Australia, Brazil, Canada, and South Africa.

The tool has been in circulation since at least mid-2022 and has been used in attacks against enterprises in manufacturing, healthcare, and technology, among other sectors. "It's designed to be accessible," says Nick Biasini, Head of Outreach for Cisco Talos. "It democratises access to phishing campaigns."

The criminal group behind PaaS  is offering its customers an attachment and link builder to create authentic-looking decoy and login pages.

To a victim, Greatness will come in the form of an email with a link, or usually an attachment disguising an HTML page. Clicking on the attachment will open a blurred image of a Microsoft document behind a loading wheel, giving the impression that the file is loading. But the document never loads. Instead, the victim is redirected to a Microsoft 365 login page. That might seem suspicious if not for the fact that the victim's email address, as well as their company's logo, are already pre-filled on the page, lending an air of legitimacy to the whole affair.

At this point, the man-in-the-middle scheme begins. The victim submits their password to 365, not knowing they're helping to log in their own attacker. Even if a victim has MFA implemented, it's no problem. 365 requests a code, the victim submits it, Greatness intercepts it, and the ruse continues. Greatness collects its authenticated session cookies and passes it on to the threat actor via Telegram or its admin panel.

It used to take time, effort, and coding to craft phishing attacks that were so convincing. With Greatness, all you have to do is fill out a form: title, caption, an image of an Excel spreadsheet to trick them. Enabling the "autograb" feature automatically pre-fills the 365 login page with the victim's email address.

"Basically you just pay, you get access to your API, and that's it," Biasani says. "You have to understand some basic things, like what API keys are, and how to apply it in the portal, but it's pretty, pretty user-friendly." Because Greatness is so slick in presentation and effortlessly bypasses MFA, simple awareness and cyber hygiene may not be enough to save an enterprise from its grasp. 

In attack simulation training using Microsoft 365 E5, or Microsoft Defender for Office 365 Plan 2, simulations are benign cyber attacks that you run in your organisation. These training simulations can test your IT security and can train your employees to increase their awareness and decrease their susceptibility to attacks. 

Microsoft 365 Defender is a suite of defense tools used to detect, prevent, investigate and respond across various surface areas in your Microsoft 365 environment. This includes endpoints, identities, email, and applications. The Microsoft 365 cloud-based productivity platform is used by many organisations worldwide, making it a valuable target for cyber criminals who attempt to steal data or credentials for use in network breaches.

Cisco Talos:   Microsoft:     Dark Reading:    Infosecurity Magazine:    TitanHQ:    Bleeping Computer:   

Cloud Academy:      HelpNetSecurity

You Might Also Read: 

Phishing Attacks Surge As Cyber Criminals Exploit New AI Tools:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

 


Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

« Can Automation Help Bridge The Cyber Skills Gap?
Cyber Security In An Ever-Growing Digital World  »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Be Cyber Aware At Sea

Be Cyber Aware At Sea

Be Cyber Aware At Sea is a global maritime and offshore industry initiative to raise awareness and educate crew members and the offshore workforce.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Leadcomm

Leadcomm

Leadcomm is a Brazilian company focused on the distribution and integration of IT systems and security solutions for large companies.

Charterhouse Müller UK

Charterhouse Müller UK

Charterhouse Müller UK are a leading service provider for end of life IT services including data erasure and secure IT asset disposal.

L3Harris Technologies

L3Harris Technologies

L3Harris Technologies is a global aerospace and defense technology innovator, delivering solutions to meet mission-critical needs across air, land, sea, space and cyber domains.

Cyturus Technologies

Cyturus Technologies

Cyturus Technologies delivers cybersecurity business risk quantification services using our proprietary Adaptive Risk Model (ARM).

Speedinvest

Speedinvest

Speedinvest is one of Europe’s most active early-stage investors with a focus on Deep Tech, Fintech, Industrial Tech, Network Effects, and Digital Health.

Anterix

Anterix

Anterix is focused on empowering the modernization of critical infrastructure and enterprise businesses by enabling private broadband connectivity.

Xiarch Solutions

Xiarch Solutions

Xiarch Security is an global security firm that educates clients, identifies security risks, informs intelligent business decisions, and enables you to reduce your attack surface.

RMRF Tech

RMRF Tech

RMRF is a team of cybersecurity engineers and penetration testers which specializes in the development of solutions for early cyber threat detection and prevention.

Apex Systems

Apex Systems

Apex Systems is a world-class technology services business that incorporates industry insights and experience to deliver solutions that fulfill our clients’ digital visions.

Cyber1

Cyber1

CYBER1 is a leader in cyber security advisory and solutions. We are uniquely placed to help customers achieve cyber resilience and thus, safeguard reputation and value.

MyKRIS Asia

MyKRIS Asia

MyKRIS specialise in providing and managing Internet network services and cyber security services to enterprises.

Kontra

Kontra

Kontra application security training is an interactive and intuitive learning experience that engages developers.

Apexanalytix

Apexanalytix

Apexanalytix is a leading provider of supplier onboarding, risk management and recovery solutions.

Amiosec

Amiosec

Amiosec is a British cyber innovation business specialising in delivering simple-to-use solutions to the complex problems of the modern world.