Microsoft 365 Under Threat From A New Phishing Tool

A new Phishing-as-a-Service (PaaS) tool called “Greatness” has been deployed as part of several phishing campaigns since at least mid-2022 and organisations using Microsoft 365 in the United States, Canada, the UK, Australia, and South Africa have been using it.

Manufacturing businesses, healthcare organisations, and tech companies in English-speaking countries are the most targeted by phishers leveraging Greatness.

In a new report by Cisco Talos, researchers explain how the Greatness phishing platform launched in mid-2022, with a spike in activity in December 2022 and then again in March 2023. They have detailed their findings on "Greatness," a one-stop-shop for all of a cyber criminal's phishing needs. 

With Greatness, anyone with even rudimentary technical skills can craft compelling Microsoft 365-based phishing lures, then carry out man-in-the-middle attacks that steal authentication credentials, even in the face of Multi Factor Authentication (MFA), and much more. Based on this investigation, Greatness is solely targeting victims via Microsoft 365 phishing pages. Half of the targets thus far have been concentrated in the US, with further attacks occurring around Western Europe, Australia, Brazil, Canada, and South Africa.

The tool has been in circulation since at least mid-2022 and has been used in attacks against enterprises in manufacturing, healthcare, and technology, among other sectors. "It's designed to be accessible," says Nick Biasini, Head of Outreach for Cisco Talos. "It democratises access to phishing campaigns."

The criminal group behind PaaS  is offering its customers an attachment and link builder to create authentic-looking decoy and login pages.

To a victim, Greatness will come in the form of an email with a link, or usually an attachment disguising an HTML page. Clicking on the attachment will open a blurred image of a Microsoft document behind a loading wheel, giving the impression that the file is loading. But the document never loads. Instead, the victim is redirected to a Microsoft 365 login page. That might seem suspicious if not for the fact that the victim's email address, as well as their company's logo, are already pre-filled on the page, lending an air of legitimacy to the whole affair.

At this point, the man-in-the-middle scheme begins. The victim submits their password to 365, not knowing they're helping to log in their own attacker. Even if a victim has MFA implemented, it's no problem. 365 requests a code, the victim submits it, Greatness intercepts it, and the ruse continues. Greatness collects its authenticated session cookies and passes it on to the threat actor via Telegram or its admin panel.

It used to take time, effort, and coding to craft phishing attacks that were so convincing. With Greatness, all you have to do is fill out a form: title, caption, an image of an Excel spreadsheet to trick them. Enabling the "autograb" feature automatically pre-fills the 365 login page with the victim's email address.

"Basically you just pay, you get access to your API, and that's it," Biasani says. "You have to understand some basic things, like what API keys are, and how to apply it in the portal, but it's pretty, pretty user-friendly." Because Greatness is so slick in presentation and effortlessly bypasses MFA, simple awareness and cyber hygiene may not be enough to save an enterprise from its grasp. 

In attack simulation training using Microsoft 365 E5, or Microsoft Defender for Office 365 Plan 2, simulations are benign cyber attacks that you run in your organisation. These training simulations can test your IT security and can train your employees to increase their awareness and decrease their susceptibility to attacks. 

Microsoft 365 Defender is a suite of defense tools used to detect, prevent, investigate and respond across various surface areas in your Microsoft 365 environment. This includes endpoints, identities, email, and applications. The Microsoft 365 cloud-based productivity platform is used by many organisations worldwide, making it a valuable target for cyber criminals who attempt to steal data or credentials for use in network breaches.

Cisco Talos:   Microsoft:     Dark Reading:    Infosecurity Magazine:    TitanHQ:    Bleeping Computer:   

Cloud Academy:      HelpNetSecurity

You Might Also Read: 

Phishing Attacks Surge As Cyber Criminals Exploit New AI Tools:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

 


Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

« Can Automation Help Bridge The Cyber Skills Gap?
Cyber Security In An Ever-Growing Digital World  »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

DoSarrest Internet Security Ltd

DoSarrest Internet Security Ltd

DOSarrest is a fully managed security firm specializing in cloud based DDoS protection services to a worldwide client base.

KPN

KPN

KPN is a leading supplier of ICT services including Cyber Security, Identity & Privacy, Secure Communications and Business Continuity.

Digital Infrastructure Association (DINL)

Digital Infrastructure Association (DINL)

DINL is the leading representative for companies and organisations which are active within the Dutch digital infrastructure sector.

qSkills

qSkills

QSkills is an independent training provider specialized high-quality IT and IT management training courses including IT security.

Upstream Security

Upstream Security

Upstream Security is the first cloud-based cyber-security solution that protects the technologies and applications of connected and autonomous vehicles.

CopSonic

CopSonic

Copsonic provide a technology solution based on ultrasonic waves to send secure and encrypted data between two devices in order to achieve authentication.

Checksum Consultancy

Checksum Consultancy

Checksum Consultancy specializes in Information security, Risk management, and IT governance.

IFE Digital Systems

IFE Digital Systems

IFE Digital Systems conducts research, development and consultancy in risk, safety and security related to digital systems in critical infrastructure.

ADL Process

ADL Process

ADL Process offer secure data destruction, certified product destruction and responsible electronics recycling services to businesses and institutions.

HackControl

HackControl

HackControl services include penetration tests, security audits, block chain audits and brand and anti-phishing protection.

Early Birds

Early Birds

Early Birds is a Business to Business (B2B) marketplace for Innovators (Startups/Scaleups) and Early Adopters to exchange value early on.

Clone Systems

Clone Systems

Clone Systems is an award winning global cloud based managed security as a service provider.

Cybolt

Cybolt

Cybolt helps companies, organizations, and governments manage digital risks and live in an environment of confidence and certainty.

Mobb

Mobb

Mobb's AI-powered technology automates vulnerability remediations to significantly reduce security backlogs and free developers to focus on innovation.

PRE Security

PRE Security

PRE Security is leading the transition into the next era of AI cybersecurity with a new model: Predict & Prevent.

NSW IT Support

NSW IT Support

NSW IT Support: Your exclusive hub for comprehensive Business IT services in Sydney. Our skilled team ensures seamless technology solutions nationwide, consistently delivering top-tier IT support.