A new phishing-as-a-service (PaaS) tool called “Greatness” has been deployed as part of several phishing campaigns since at least mid-2022.
The findings, by security researchers at Cisco Talos, are described in an advisory published Wednesday.
“Greatness incorporates features found in some of the leading PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering, and integration with Telegram bots,” writes researcher Tiago Pereira.
According to the company’s research, Greatness only targets victims via Microsoft 365 phishing pages. The service provides its affiliates with attachments and a link builder to create authentic-looking decoy and login pages.
“This includes features such as pre-populating the victim’s email address and displaying the appropriate company logo and background image extracted from the targeted organization’s actual Microsoft 365 login page,” explained Pereira.
“This makes Greatness particularly suitable for phishing business users.”
Cisco Talos analyzed the domains targeted by various campaigns and found that the victims were primarily companies based in the United States, United Kingdom, Australia, South Africa, and Canada.
Manufacturing, healthcare and technology were the most frequently targeted sectors. However, Pereira revealed that the distribution of victims varies slightly from campaign to campaign in terms of countries and sectors.
“To use Greatness, affiliates must deploy and configure a provided phishing kit with an API key that allows even less skilled attackers to easily take advantage of the service’s more advanced features,” the advisory reads.
“Phishing kits and APIs act as proxies for the Microsoft 365 authentication system, performing ‘man-in-the-middle’ attacks to steal victims’ credentials and cookies.”
Indicators of Compromise (IOCs) from the Cisco Talos investigation are available in the Cisco Talos GitHub repository.
The discovery comes months after Kaspersky security researchers uncovered a new form of phishing attack leveraging legitimate servers for SharePoint, Microsoft’s collaboration platform.