A Phishing-as-a-Service (PhaaS) platform called “Greatness” has seen a spike in activity as it targets organizations using Microsoft 365 in the United States, Canada, the United Kingdom, Australia and South Africa.
In a new report by Cisco Talos, researchers explain how the Greatness phishing platform launched in mid-2022, with a spike in activity in December 2022 and then again in March 2023.
The attackers are going for firms in the manufacturing, healthcare, technology, education, real estate, construction, finance, and business services industries, looking to obtain sensitive data or user credentials.
New PhaaS Greatness
To attack a firm, the hackers need only do a few things: log into the service using their API key, provide a list of target email addresses, and create the email’s content (changing any other default details as they see fit).
The phishing page itself is partly automated: it will grab the target company’s logo and background image from the employer’s authentic Microsoft 365 login page, and will pre-fill the correct email address, making it more believable to the target.
The landing page then acts as a middleman between the user and the actual Microsoft 365 login page, moving through the authentication flow and even requesting the MFA code, if multi-factor authentication is set up on the account. Once the user logs in, the attackers grab the session cookie via Telegram, circumventing MFA and getting access.
In many cases, stolen credentials are also used to breach corporate networks, leading to even more dangerous attacks such as ransomware deployment.
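Because the stolen cookie is a valid post-MFA session, the defender's signal is where that session is later used from. The following detection sketch is an added example, not part of the Talos report or the original article; the event fields, session IDs, addresses and the severity heuristic are constructed assumptions, not a real Microsoft 365 log schema.

```python
from collections import defaultdict

# Constructed sample events; field names are hypothetical, not a real log schema.
EVENTS = [
    {"time": "2023-03-14T09:01:12", "user": "alice@example.com", "session": "s-1001",
     "ip": "198.51.100.23", "agent": "Chrome/111 Windows", "mfa": True},
    {"time": "2023-03-14T09:03:40", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.77", "agent": "python-requests/2.28", "mfa": False},
    {"time": "2023-03-14T09:10:05", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.10", "agent": "Edge/111 Windows", "mfa": True},
    {"time": "2023-03-14T11:45:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.10", "agent": "Edge/111 Windows", "mfa": False},
    {"time": "2023-03-14T12:00:00", "user": "carol@example.com", "session": "s-3003",
     "ip": "192.0.2.55", "agent": "Safari/16 macOS", "mfa": True},
    {"time": "2023-03-14T18:30:00", "user": "carol@example.com", "session": "s-3003",
     "ip": "198.51.100.200", "agent": "Safari/16 macOS", "mfa": False},
]


def find_session_reuse(events):
    """Flag sessions that are used from a client other than the one that signed in."""
    by_session = defaultdict(list)
    # ISO 8601 timestamps in one format sort chronologically as plain strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        by_session[ev["session"]].append(ev)

    findings = []
    for session, evs in by_session.items():
        # The origin is the event that satisfied MFA (first event if none is marked).
        origin = next((e for e in evs if e["mfa"]), evs[0])
        for ev in evs:
            if ev is origin or ev["ip"] == origin["ip"]:
                continue
            # Heuristic (assumption): a new IP alone may be a roaming user;
            # a new IP together with a new user agent points to a different client.
            severity = "high" if ev["agent"] != origin["agent"] else "low"
            findings.append({"user": ev["user"], "session": session,
                             "severity": severity, "origin_ip": origin["ip"],
                             "seen_ip": ev["ip"], "time": ev["time"]})
    return findings


if __name__ == "__main__":
    for finding in find_session_reuse(EVENTS):
        print(finding)
```

A "high" finding is a candidate for revoking the user's sessions and resetting credentials; a "low" finding needs context such as VPN or mobile network changes before acting.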
Source of information: bleepingcomputer.com