‘Greatness’: The Phishing-as-a-Service Targeting Microsoft 365 Users

Introduction

In the realm of cybercrime, new threats are constantly emerging, and the latest to gain attention is a phishing-as-a-service offering named “Greatness.” This sophisticated tool provides affiliates with a comprehensive attachment and link builder designed to deceive unsuspecting Microsoft 365 users, particularly those in business settings. In this blog post, we will delve into the workings of “Greatness” and its impact on targeted industries, while emphasizing the significance of staying vigilant to protect against such threats.

Phishing Campaigns and Targeted Sectors:

Researchers from Cisco Talos recently published a blog post on May 10, highlighting the proliferation of phishing campaigns exploiting this service since mid-2022, with notable spikes in activity during December and March. The primary targets of these campaigns have been manufacturing, healthcare, and technology companies based in the U.S., UK, South Africa, and Canada. Remarkably, over 50% of all targets were located in the U.S. alone.

Understanding the Attack Mechanism:

Tiago Pereira, a researcher at Cisco Talos, shed light on the operational aspects of this phishing-as-a-service. Affiliates gain access to a phishing kit, an API key, and either a Telegram bot or an email address. The phishing kit serves as the admin panel, enabling even inexperienced threat actors to utilize the service’s advanced features. Through a “man-in-the-middle” attack, the phishing kit and API function as a proxy to the Microsoft 365 authentication system, facilitating the theft of victims’ authentication credentials or cookies.

Execution of the Phishing Attack:

The attack commences when victims receive a malicious email, typically with an HTML file attachment. Opening the attachment runs obfuscated JavaScript code in the web browser, which presents a spinning wheel animation that mimics document loading. Subsequently, victims are redirected to a convincingly designed Microsoft 365 login page. This counterfeit page often pre-fills the victim’s email address and incorporates their company’s custom background and logo. Once the victim enters their password, the phishing service interacts with Microsoft 365, impersonating the victim’s login attempt. In some instances, the phishing-as-a-service may even prompt victims to authenticate a multi-factor authentication request through legitimate Microsoft 365 channels, such as an SMS code or push notification.
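
A mail-triage heuristic for the HTML-attachment stage described above, as an added example that is not from the original post or from Cisco Talos: it flags HTML attachments whose inline script is obfuscated or redirects the browser. The regexes, function names and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Heuristics picked for this example (assumptions, not vendor signatures).
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
OBFUSCATION = re.compile(r"\b(?:eval|atob|unescape|String\.fromCharCode)\s*\(")
REDIRECT = re.compile(r"\blocation(?:\.(?:href|replace|assign))?\s*[=(]|http-equiv=[\"']?refresh", re.I)

# Constructed sample message; the attachment is inert and uses example.invalid.
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html
Content-Disposition: attachment; filename="invoice.html"

<html><body><div class="spinner">Loading...</div>
<script>var u=atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv");window.location.href=u;</script></body></html>
--b1--
"""


def score_html(html):
    """Indicators for one HTML body: inline script, obfuscation, redirect."""
    scripts = "".join(SCRIPT.findall(html))
    return {"has_script": bool(scripts),
            "obfuscation": bool(OBFUSCATION.search(scripts)),
            "redirect": bool(REDIRECT.search(html))}


def triage(raw_email):
    """Return (filename, indicators) for HTML attachments that need review."""
    findings = []
    for part in message_from_string(raw_email).walk():
        name = (part.get_filename() or "").lower()
        is_html = part.get_content_type() == "text/html" or name.endswith((".html", ".htm"))
        if not is_html or part.get_content_disposition() != "attachment":
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        hits = score_html(body)
        if hits["has_script"] and (hits["obfuscation"] or hits["redirect"]):
            findings.append((name, hits))
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit is a reason to quarantine the attachment for review, not proof of phishing; legitimate HTML attachments with inline script exist, so tune the rule against your own mail flow.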

Data Exfiltration and Reporting:

The phishing kit securely stores the obtained credentials, allowing affiliates to access them via an administrative panel. Optionally, the credentials can also be sent to the affiliate’s designated Telegram channel. By orchestrating a seamless “man-in-the-middle” attack, the phishing kit and API work together to gather victim information and transmit it to the genuine login page in real time. Because authentication sessions typically expire after a certain period, the Telegram bot also alerts the attacker promptly once the victim’s authenticated session cookies have been acquired.

Conclusion:

The emergence of the “Greatness” phishing-as-a-service underscores the evolving landscape of cyber threats. As attackers continue to refine their techniques, it is imperative for individuals and organizations to prioritize cybersecurity measures. By remaining vigilant, employing multi-layered security solutions, and educating users about the dangers of phishing, we can defend against these evolving threats.
