‘Greatness’ not to be great: A phishing campaign focusing on Microsoft 365

A Phishing-as-a-Service (PhaaS or PaaS) platform called Greatness has been used by cybercriminals to target business users of the Microsoft 365 cloud service since at least mid-2022, effectively lowering the barrier to carrying out phishing attacks.

According to Tiago Pereira, a researcher at Cisco Talos, “Greatness currently focuses solely on Microsoft 365 phishing pages and offers its affiliates an attachment and link generator that produces compelling fake login pages and decoy websites.”

The platform includes various functionalities, such as automatically populating the victim’s email address and displaying the appropriate company logo and background image extracted from the targeted organization’s authentic Microsoft 365 login page.

The campaigns involving Greatness have primarily targeted manufacturing, healthcare, and technology companies in the United States, the United Kingdom, Australia, South Africa, and Canada. There was a noticeable increase in activity in December 2022 and March 2023.

Strategic operation

  • The attack commences when the target receives a malicious email, typically containing an HTML file as an attachment. The email deceives the victim into opening the HTML page by posing as a shared document.

Source: CyberArk

  • The web browser executes a brief section of obfuscated JavaScript code upon opening the attached HTML file. This code establishes a connection to the attacker’s server to retrieve the HTML code of the phishing page, which is then displayed to the user in the same browser window. The code includes a blurred image that simulates a loading process with a spinning wheel, creating the illusion of document retrieval.
  • Subsequently, the victim is redirected to a Microsoft 365 login page. This page is usually pre-filled with the victim’s email address and customized with their company’s specific background and logo. In the provided example, for privacy protection, genuine victim data, background images, and company logos were replaced with fictional Talos data to demonstrate the appearance.

Source: Phishing kit administrative panel (Talos Intelligence)

  • When the victim enters and submits their password, the PaaS platform connects to Microsoft 365 and impersonates the victim to initiate the login attempt. If Multi-Factor Authentication (MFA) is enabled, the service prompts the victim to authenticate using the MFA method requested by the authentic Microsoft 365 page, such as an SMS code, voice call code, or push notification.
  • After receiving the MFA verification, the service continues to impersonate the victim covertly and completes the login process to obtain the authenticated session cookies. These cookies are then transmitted to the service affiliate via their Telegram channel or the web panel.

Source: Communication between attackers (CyberArk)
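A defender-side triage for the HTML-attachment step described above, as an added example (not code from the original article or from the researchers it cites). It flags attachments whose inline script uses decoding primitives, shows almost no visible text, embeds the recipient's address, or references a remote URL, looking through one layer of base64. The indicator names, the 200-character threshold and the inert sample are assumptions constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser

# Decode/execute primitives typical of obfuscated inline loader scripts.
DECODERS = re.compile(r"\b(atob|unescape|eval|fromCharCode|document\.write)\b")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

class _Split(HTMLParser):
    """Separate inline script source from the text a reader would see."""
    def __init__(self):
        super().__init__()
        self.in_script, self.script, self.visible = False, [], []
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        (self.script if self.in_script else self.visible).append(data)

def _layers(text):
    """Yield the text itself, then every base64 run in it that decodes to ASCII."""
    yield text
    for run in B64_RUN.findall(text):
        try:
            yield base64.b64decode(run + "=" * (-len(run) % 4)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue

def triage_html_attachment(html, recipient):
    """Return the names of the indicators found in an HTML e-mail attachment."""
    parser = _Split()
    parser.feed(html)
    parser.close()
    script = "".join(parser.script)
    visible = " ".join("".join(parser.visible).split())
    checks = {
        "script_decoder_primitives": bool(DECODERS.search(script)),
        "script_with_little_visible_text": bool(script) and len(visible) < 200,
        "recipient_address_embedded": any(recipient.lower() in l.lower() for l in _layers(html)),
        "script_references_remote_url": any(re.search(r"https?://", l) for l in _layers(script)),
    }
    return {name for name, hit in checks.items() if hit}

# Constructed, inert sample: placeholder address and a reserved .invalid host.
_ADDR = base64.b64encode(b"alice@example.com").decode()
_URL = base64.b64encode(b"https://portal.example.invalid/doc").decode()
SAMPLE_SUSPECT = ("<html><body><img src='blur.png'><script>"
                  f"var u=atob('{_ADDR}');var s=atob('{_URL}');</script></body></html>")
```

An attachment that trips several indicators at once is a candidate for quarantine and analyst review; a single hit on its own is weak evidence, since legitimate HTML also uses inline script.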

What’s your next step?

Phishing schemes often ask you to enter sensitive information, such as credit card numbers, social security numbers, phone numbers, email addresses, and identification details. Companies or services will only request sensitive information that needs to be updated. Therefore, if uncertain, users should verify with the company directly to avoid potential problems.

Source: CyberArk showing the use of your sensitive information

  • Many attackers who create phishing packages may not be familiar with the language used by their target victims. They often rely on translation platforms like Google Translate, which may not provide accurate translations. Paying attention to unusual text, odd phrasing, and spelling and grammar errors is crucial.
  • Attackers frequently employ email addresses and names that resemble those of well-known services to send phishing links. They use this technique to deceive victims into believing the message is legitimate. It is essential to carefully examine the email address or phone number from which the message originates to determine its authenticity. Most organizations utilize consistent email addresses or numbers to communicate with their clients.

Source: Frontiers

Next step

Microsoft has launched a number code authentication method to strengthen the security of its system. Researching and countering these attacks has become essential as attackers develop more advanced tactics.

Author: PureVPN

Date: May 15, 2023
