For roughly a year, a new phishing-as-a-service (PaaS) offering has been used to target Microsoft 365 accounts in the manufacturing, healthcare, technology, and real estate sectors, Cisco’s Talos security team warns.
Dubbed ‘Greatness’, the service has been used in several phishing campaigns since mid-2022, mainly targeting organizations in the US, with other victims in the UK, Australia, Canada, and South Africa.
Only delivering Microsoft 365 phishing pages, Greatness provides affiliates with capabilities such as IP filtering, multi-factor authentication (MFA) bypass, and integration with Telegram bots.
PaaS affiliates are provided with tools to create convincing login pages featuring the targeted organization’s logo and background image, and which also have the victim’s email address pre-filled.
Affiliates are also provided with a phishing kit with an API key, which allows them to access more advanced features and which act as a proxy to Microsoft’s authentication system, stealing the victim’s credentials via a man-in-the-middle attack.
As part of a typical attack, the victim receives a malicious email containing an HTML attachment claiming to be a shared document.
When the attachment is opened, JavaScript code is executed to direct the browser to the attacker’s server and retrieve the phishing page which also contains a blurred image pretending to load the document.
The victim is then redirected to the legitimate looking Microsoft 365 login page, where they are prompted to enter their credentials. In the background, the cybercrime service attempts to log in to the victim’s account using the provided credentials. The phishing page also asks for an MFA method if one is used.
The service uses the victim’s login information to complete the authentication process and collect the session cookies, which are sent to the PaaS affiliate via their Telegram channel.
During the attack, the victim connects to the Greatness phishing kit, which is deployed on the attacker-controlled server and which delivers the phishing page. The kit communicates with the PaaS API to forward the harvested credentials.
Through the phishing kit, the PaaS affiliates can configure service API keys and Telegram bots and track the stolen information.
Related: UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
Related: CISA Urges Organizations to Implement Phishing-Resistant MFA
Related: US Government Contractors Targeted in Evolving Phishing Campaign
