A new Phishing-as-a-Service (PhaaS or PaaS) platform named Greatness has been used by cybercriminals to target business users of Microsoft 365 cloud services since at least mid-2022, effectively lowering the entry barrier for phishing attacks.
“Greatness is currently focused solely on Microsoft 365 phishing pages and provides affiliates with an attachment and link builder that creates compelling decoy and login pages,” said Cisco Talos researcher Tiago Pereira.
“This includes features such as pre-filling the victim’s email address and displaying the appropriate company logo and background image extracted from the targeted organization’s actual Microsoft 365 login page.”
Campaigns involving Greatness have targeted manufacturing, healthcare, and technology entities primarily located in the US, UK, Australia, South Africa, and Canada, with spikes in activity detected in December 2022 and March 2023.
Phishing kits like Greatness provide experienced attackers and newcomers alike with a cost-effective and scalable one-stop shop to design compelling login pages for various online services, and allow them to bypass two-factor authentication (2FA) protection.
Specifically, the realistic-looking decoy page acts as a reverse proxy that collects victim-entered credentials and time-based one-time passwords (TOTPs).
The attack chain begins with a malicious email containing an HTML attachment. When opened, the attachment runs obfuscated JavaScript code that redirects the user to a landing page pre-filled with the recipient’s email address, prompting for a password and an MFA code.
The entered credentials and tokens are then forwarded to the affiliate’s Telegram channel, enabling unauthorized access to the account in question.
The AiTM phishing kit also comes with an admin panel that allows affiliates to set up Telegram bots, track stolen information, and build booby-trapped attachments and links.
Additionally, each affiliate must have a valid API key to be able to load the phishing page. The API key also prevents unwanted IP addresses from viewing phishing pages and facilitates behind-the-scenes communication with the real Microsoft 365 login page while impersonating the victim.
“Phishing kits and APIs work together to carry out a ‘man-in-the-middle’ attack, request information from the victim, and the API sends that information to the legitimate login page in real time,” Pereira said.
“This allows PaaS affiliates to steal usernames and passwords in addition to authenticated session cookies if the victim is using MFA.”
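As an added example (not from the Talos report or the kit), the following detector runs over constructed sign-in records and flags the pattern that session-cookie theft leaves behind: a session issued with MFA satisfied that is reused minutes later from a different, untrusted IP address without a new MFA prompt. The record field names and the trusted network range are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records, loosely modelled on cloud sign-in log fields.
# Field names are assumptions for this example, not a real log schema.
SAMPLE_SIGNINS = [
    # Victim authenticates through the proxy: MFA is satisfied, but the IP
    # the service records is the proxy's, not the user's usual network.
    {"ts": "2023-03-14T09:01:00", "user": "alice@example.com",
     "ip": "198.51.100.77", "session": "S1", "mfa": "satisfied"},
    # Minutes later the same session cookie is replayed from a second IP
    # with no new MFA challenge: the cookie-theft pattern described above.
    {"ts": "2023-03-14T09:06:00", "user": "alice@example.com",
     "ip": "203.0.113.9", "session": "S1", "mfa": "notRequired"},
    # Benign: Bob's single session is only ever used from the corporate range.
    {"ts": "2023-03-14T09:10:00", "user": "bob@example.com",
     "ip": "192.0.2.15", "session": "S2", "mfa": "satisfied"},
    {"ts": "2023-03-14T10:30:00", "user": "bob@example.com",
     "ip": "192.0.2.15", "session": "S2", "mfa": "notRequired"},
]

TRUSTED_NETS = [ip_network("192.0.2.0/24")]  # assumed corporate egress range
WINDOW = timedelta(hours=1)

def is_trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_NETS)

def find_session_replay(signins, window=WINDOW):
    """Return one alert per (user, session) re-use from a different IP within
    `window` of the session being issued, unless the new IP is trusted."""
    by_session = defaultdict(list)
    for rec in sorted(signins, key=lambda r: r["ts"]):
        by_session[(rec["user"], rec["session"])].append(rec)
    alerts = []
    for (user, session), recs in by_session.items():
        first = recs[0]                       # record that issued the session
        t0 = datetime.fromisoformat(first["ts"])
        for rec in recs[1:]:
            t = datetime.fromisoformat(rec["ts"])
            if (rec["ip"] != first["ip"] and t - t0 <= window
                    and not is_trusted(rec["ip"])):
                alerts.append({"user": user, "session": session,
                               "issued_from": first["ip"],
                               "reused_from": rec["ip"],
                               "minutes_after": int((t - t0).total_seconds() // 60)})
    return alerts

if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_SIGNINS):
        print(alert)
```

Because the proxy sits between victim and service, the IP recorded at sign-in time is the proxy's, so a second check worth adding in practice is whether the issuing IP itself falls outside the user's known networks.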
The findings come as Microsoft began enforcing number matching in Microsoft Authenticator push notifications on May 8, 2023, to strengthen 2FA protection and prevent MFA prompt-bombing attacks.