A new phishing-as-a-service (PhaaS or PaaS) platform called Greatness has been used by cybercriminals to target business users of the Microsoft 365 cloud service since mid-2022.
The phishing kit provides affiliates with a link and attachment builder for creating convincing decoy and login pages. Its features include pre-filled victim email addresses, as well as company logos and background images extracted from the target organization’s real Microsoft 365 login page.
The campaigns have targeted manufacturing, healthcare, and technology entities located in the US, UK, Australia, South Africa, and Canada, with a surge in activity detected in December 2022 and March 2023. Phishing kits like Greatness provide a cost-effective and scalable one-stop solution for threat actors to design login pages associated with various online services and bypass two-factor authentication (2FA) protections.
The authentic-looking decoy pages work as a reverse proxy to harvest credentials and time-based one-time passwords (TOTPs) entered by the victims. The attack chain begins with malicious emails containing an HTML attachment that executes obfuscated JavaScript code, redirecting the user to a landing page with their email address pre-filled and prompting them for their password and MFA code.
The entered credentials and tokens are then forwarded to the affiliate’s Telegram channel, where they can be used to gain unauthorized access to the accounts in question. Greatness comes with an administration panel enabling the affiliate to configure the Telegram bot, keep track of stolen information, and build booby-trapped attachments or links.
Additionally, each affiliate must have a valid API key to load the phishing page, which also facilitates behind-the-scenes communication with the actual Microsoft 365 login page by posing as the victim, thus performing a “man-in-the-middle” attack.
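For defenders, the HTML-attachment stage described above (obfuscated JavaScript, a redirect, and the recipient's address carried along for pre-filling) can be scored at the mail gateway. The following triage sketch is an added example, not code from the report or the kit; the signal names, regular expressions, the 40-character threshold and the sample bodies are assumptions made for illustration.

```python
import base64
import re
from html.parser import HTMLParser

# Heuristics are illustrative assumptions, not indicators taken from the report.
OBFUSCATION = re.compile(r"\b(?:eval|atob|unescape|fromCharCode)\s*\(")
REDIRECT = re.compile(r"location(?:\.href)?\s*=|location\.(?:replace|assign)\s*\(")

class ScriptSplitter(HTMLParser):
    """Collect script source separately from text a reader would actually see."""
    def __init__(self):
        super().__init__()
        self.in_script, self.script, self.visible = False, [], []
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        (self.script if self.in_script else self.visible).append(data)

def signals(html, recipient):
    """Return the sorted heuristic signals raised by one decoded HTML attachment."""
    parser = ScriptSplitter()
    parser.feed(html)
    script, visible = "".join(parser.script), "".join(parser.visible).strip()
    rcpt = recipient.lower()
    rcpt_b64 = base64.b64encode(rcpt.encode()).decode()
    checks = {
        "obfuscated_js": bool(OBFUSCATION.search(script)),
        "js_redirect": bool(REDIRECT.search(script)),
        # Recipient address in clear text or base64: a hint of per-victim pre-filling.
        "recipient_embedded": bool(rcpt) and (rcpt in html.lower() or rcpt_b64 in html),
        # Script present but almost nothing for a human to read (threshold is assumed).
        "script_only_body": bool(script) and len(visible) < 40,
    }
    return sorted(name for name, hit in checks.items() if hit)

# Constructed samples; example.com and example.invalid are reserved names.
LURE = ('<html><body><script>var t=atob("%s");'
        'window.location.href="https://example.invalid/#"+t;</script></body></html>'
        % base64.b64encode(b"alice@example.com").decode())
BENIGN = "<html><body><h1>Newsletter</h1><p>" + "Plain visible text. " * 5 + "</p></body></html>"

if __name__ == "__main__":
    for label, body in (("lure", LURE), ("benign", BENIGN)):
        print(label, signals(body, "alice@example.com"))
```

No single signal is conclusive on its own; several firing together on an attachment from an external sender is the pattern worth quarantining for review.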
These findings coincide with Microsoft’s enforcement of number matching in Microsoft Authenticator push notifications, which started on May 8, 2023, to improve 2FA protection and counter prompt bombing attacks.