
A new Phishing-as-a-Service (PhaaS or PaaS) platform named Greatness has been used by cybercriminals to target business users of Microsoft 365 cloud services since at least mid-2022, effectively lowering the entry barrier for phishing attacks.
“Greatness is currently focused solely on Microsoft 365 phishing pages, providing affiliates with attachments and link builders to create compelling decoy and login pages,” said Cisco Talos researcher Tiago Pereira.
“This includes features such as pre-filling the victim’s email address and displaying the appropriate company logo and background image extracted from the targeted organization’s actual Microsoft 365 login page.”
Campaigns involving Greatness have targeted manufacturing, healthcare, and technology entities, primarily located in the US, UK, Australia, South Africa, and Canada, with spikes in activity detected in December 2022 and March 2023.

Phishing kits like Greatness give established attackers and newcomers alike a cost-effective, scalable one-stop shop for building convincing login pages for various online services, including pages that bypass two-factor authentication (2FA) protection.
Specifically, the legitimate-looking decoy page acts as a reverse proxy: it collects the credentials and time-based one-time passwords (TOTPs) the victim enters and relays them to the real service while the code is still valid, so the victim completes the MFA challenge on the attacker's behalf.

The attack chain begins with a malicious email carrying an HTML attachment. When opened, the attachment runs obfuscated JavaScript that redirects the user to a landing page pre-filled with the recipient’s email address, which then prompts for a password and an MFA code.
The entered credentials and tokens are then forwarded to the affiliate’s Telegram channel, and the affiliate uses them to gain unauthorized access to the account in question.
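As an added example (not part of the original article or of Talos's research), the following Python script shows a first-pass triage of an HTML attachment of the kind described above. It looks for the obfuscation and redirect primitives such kits rely on (eval/atob chains, long high-entropy string literals, location redirects) and decodes base64 literals to surface the embedded destination URL. The embedded sample HTML, the hostname login.example.invalid and the scoring thresholds are all constructed for illustration, not captured from a real Greatness attachment.

```python
import base64
import math
import re

# Constructed sample: a minimal HTML "attachment" that mimics the pattern described
# in the article (obfuscated JavaScript that decodes a payload and redirects).
# The base64 body is built here and points at a placeholder hostname.
_PAYLOAD = base64.b64encode(
    b"window.location.replace('https://login.example.invalid/?u=victim%40example.com');"
).decode()
SAMPLE_HTML = f"""<html><body>
<script>
var _0x1a2b = "{_PAYLOAD}";
eval(atob(_0x1a2b));
</script>
</body></html>"""

# Primitives commonly used to hide a redirect inside an HTML lure.
SUSPICIOUS_CALLS = ("eval(", "atob(", "unescape(", "document.write(", "Function(")
REDIRECT_PATTERNS = (r"location\.replace", r"location\.href", r"window\.location", r"\.assign\(")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or packed data scores higher than plain text."""
    if not s:
        return 0.0
    freq = {}
    for ch in s:
        freq[ch] = freq.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def triage_html(html: str) -> dict:
    """Score an HTML attachment on obfuscation and redirect indicators."""
    scripts = re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)
    script_text = "\n".join(scripts)
    result = {
        "script_blocks": len(scripts),
        "suspicious_calls": [c for c in SUSPICIOUS_CALLS if c in script_text],
        "redirect_api": any(re.search(p, script_text) for p in REDIRECT_PATTERNS),
        "decoded_urls": [],
    }
    # Long quoted literals in the base64 alphabet; high entropy suggests an encoded payload.
    literals = re.findall(r"[\"']([A-Za-z0-9+/=_-]{40,})[\"']", script_text)
    result["high_entropy_literals"] = [l for l in literals if shannon_entropy(l) > 4.0]
    # Decode each literal and look for URLs or redirect calls inside it.
    for lit in literals:
        try:
            decoded = base64.b64decode(lit, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        result["decoded_urls"] += re.findall(r"https?://[^\s'\"]+", decoded)
        if any(re.search(p, decoded) for p in REDIRECT_PATTERNS):
            result["redirect_api"] = True
    score = 0
    score += 2 if result["suspicious_calls"] else 0
    score += 2 if result["high_entropy_literals"] else 0
    score += 1 if result["redirect_api"] else 0
    score += 1 if result["decoded_urls"] else 0
    result["score"] = score
    result["verdict"] = "suspicious" if score >= 3 else "no-indicators"
    return result


if __name__ == "__main__":
    for key, value in triage_html(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The decoded URL is the artifact worth pivoting on: it is the landing page that will be pre-filled with the recipient's address, so it can be blocked at the proxy and searched for in web logs to find users who already clicked. Real lures layer more encodings than a single atob, so treat the scorer as a starting point rather than a verdict.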
The AiTM phishing kit also comes with an admin panel that lets affiliates set up Telegram bots, track stolen information, and build booby-trapped attachments and links.
Additionally, each affiliate needs a valid API key to load the phishing page. The API key also keeps unwanted IP addresses from viewing the phishing page and handles the behind-the-scenes communication with the real Microsoft 365 login page while impersonating the victim.

“The phishing kit and the API work together to carry out a ‘man-in-the-middle’ attack, requesting information from the victim that the API then sends to the legitimate login page in real time,” Pereira said.
“This allows the PaaS affiliate to steal usernames and passwords, along with authenticated session cookies if the victim is using MFA.”
The findings come after Microsoft began enforcing number matching in Microsoft Authenticator push notifications on May 8, 2023, to strengthen 2FA protection and blunt MFA prompt-bombing attacks. Number matching counters push fatigue but not the relay described above: an AiTM proxy triggers a genuine sign-in that the victim approves and matches themselves, so the resulting session cookie is still captured.