Microsoft 365 Under Threat From A New Phishing Tool

A new Phishing-as-a-Service (PaaS) tool called “Greatness” has been deployed as part of several phishing campaigns since at least mid-2022 and organisations using Microsoft 365 in the United States, Canada, the UK, Australia, and South Africa have been using it.

Manufacturing businesses, healthcare organisations, and tech companies in English-speaking countries are the most targeted by phishers leveraging Greatness.

In a new report by Cisco Talos, researchers explain how the Greatness phishing platform launched in mid-2022, with a spike in activity in December 2022 and then again in March 2023. They have detailed their findings on "Greatness," a one-stop-shop for all of a cyber criminal's phishing needs. 

With Greatness, anyone with even rudimentary technical skills can craft compelling Microsoft 365-based phishing lures, then carry out man-in-the-middle attacks that steal authentication credentials, even in the face of Multi Factor Authentication (MFA), and much more. Based on this investigation, Greatness is solely targeting victims via Microsoft 365 phishing pages. Half of the targets thus far have been concentrated in the US, with further attacks occurring around Western Europe, Australia, Brazil, Canada, and South Africa.

The tool has been in circulation since at least mid-2022 and has been used in attacks against enterprises in manufacturing, healthcare, and technology, among other sectors. "It's designed to be accessible," says Nick Biasini, Head of Outreach for Cisco Talos. "It democratises access to phishing campaigns."

The criminal group behind PaaS  is offering its customers an attachment and link builder to create authentic-looking decoy and login pages.

To a victim, Greatness will come in the form of an email with a link, or usually an attachment disguising an HTML page. Clicking on the attachment will open a blurred image of a Microsoft document behind a loading wheel, giving the impression that the file is loading. But the document never loads. Instead, the victim is redirected to a Microsoft 365 login page. That might seem suspicious if not for the fact that the victim's email address, as well as their company's logo, are already pre-filled on the page, lending an air of legitimacy to the whole affair.

At this point, the man-in-the-middle scheme begins. The victim submits their password to 365, not knowing they're helping to log in their own attacker. Even if a victim has MFA implemented, it's no problem. 365 requests a code, the victim submits it, Greatness intercepts it, and the ruse continues. Greatness collects its authenticated session cookies and passes it on to the threat actor via Telegram or its admin panel.

It used to take time, effort, and coding to craft phishing attacks that were so convincing. With Greatness, all you have to do is fill out a form: title, caption, an image of an Excel spreadsheet to trick them. Enabling the "autograb" feature automatically pre-fills the 365 login page with the victim's email address.

"Basically you just pay, you get access to your API, and that's it," Biasani says. "You have to understand some basic things, like what API keys are, and how to apply it in the portal, but it's pretty, pretty user-friendly." Because Greatness is so slick in presentation and effortlessly bypasses MFA, simple awareness and cyber hygiene may not be enough to save an enterprise from its grasp. 

In attack simulation training using Microsoft 365 E5, or Microsoft Defender for Office 365 Plan 2, simulations are benign cyber attacks that you run in your organisation. These training simulations can test your IT security and can train your employees to increase their awareness and decrease their susceptibility to attacks. 

Microsoft 365 Defender is a suite of defense tools used to detect, prevent, investigate and respond across various surface areas in your Microsoft 365 environment. This includes endpoints, identities, email, and applications. The Microsoft 365 cloud-based productivity platform is used by many organisations worldwide, making it a valuable target for cyber criminals who attempt to steal data or credentials for use in network breaches.

Cisco Talos:   Microsoft:     Dark Reading:    Infosecurity Magazine:    TitanHQ:    Bleeping Computer:   

Cloud Academy:      HelpNetSecurity

You Might Also Read: 

Phishing Attacks Surge As Cyber Criminals Exploit New AI Tools:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

 


Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

« Can Automation Help Bridge The Cyber Skills Gap?
Cyber Security In An Ever-Growing Digital World  »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

National Cyber Security Centre (NCSC) - Norway

National Cyber Security Centre (NCSC) - Norway

NCSC is part of the Norwegian Security Authority, and is Norway's national cyber security hub and the national CERT.

Applause

Applause

Applause provides real-world software testing for functionality, usability, accessibility, load, localization and security.

Egerie

Egerie

EGERIE's RiskManager solution provides a Global, Centralized, and Updated view of risk maps and security measures for your company.

CyberInt

CyberInt

CyberInt’s Managed Detection and Response services span globally and include some of the top finance, retail and telecommunication organizations.

NTOP

NTOP

NTOP develop high-quality network traffic analysis and DDoS protection software used by small individuals as well by large telecom operators.

Telesoft Technologies

Telesoft Technologies

Telesoft Technologies is a global provider of cyber security, telecom and government infrastructure products and services.

Repulsa

Repulsa

Repulsa provides state-of-the-art, patented, fast filtering with over 700 million malicious IP addresses and over 30 million categorized site listings updated daily.

TechArch

TechArch

TechArch helps customers to optimize their investments in cybersecurity by providing them independent and vendor-neutral consultation and guidance.

BlueKrypt

BlueKrypt

BlueKrypt is a consulting firm for the security of IT systems and their management.

DataViper

DataViper

Data viper is a threat intelligence platform designed for organizations, investigators, and law enforcement.

SightGain

SightGain

SightGain is the only integrated risk management solution focused on cybersecurity readiness using real-world attack simulations in your live environment.

Nexon Asia Pacific

Nexon Asia Pacific

Nexon solutions include cloud infrastructure and services, unified communications, managed security services, business continuity, secured high-performance network and business applications.

EasyDMARC

EasyDMARC

EasyDMARC deliver the most comprehensive product for anyone who strives to build the most secure possible defence system for their email ecosystem.

M.Tech

M.Tech

M.Tech is a leading cyber security and network performance solutions provider. We work with leading vendors to bring optimal solutions to the market through a channel of reseller partners.

Hexagon

Hexagon

Hexagon is a global leader in digital reality solutions. We are putting data to work to boost efficiency, productivity, quality and safety.

Skillfield

Skillfield

Skillfield is a Melbourne based Cyber Security and Data Services consultancy and professional services company.