Greatness in Phishing

Anyone can become a phishing attack expert on underground forums for as little as US$50. For about a year, a new Phishing-as-a-Service (PaaS) offering has been used to target Microsoft 365 accounts in the manufacturing, healthcare, technology, and real estate sectors, according to cyber threat researchers. Named ‘Greatness,’ the service has been used in several phishing campaigns since mid-2022, mainly targeting organizations in the US, with other victims in the UK, Australia, Canada, and South Africa. The service is not so “great” for the victims.[1]

Greatness delivers only Microsoft 365 phishing pages and provides affiliates with capabilities such as IP filtering, multi-factor authentication (MFA) bypass, and integration with Telegram bots. PaaS criminals are provided with tools to create convincing login pages that feature the targeted organization’s logo and background image and have the victim’s email address pre-filled.

Participants are also provided with a phishing kit with an API key, which allows them to access more advanced features and act as a proxy to Microsoft’s authentication system, stealing the victim’s credentials via a Man-in-the-Middle attack.  As part of a typical attack, the victim receives a malicious email containing an HTML attachment claiming to be a shared document.

When the attachment is opened, JavaScript code is executed to direct the browser to the attacker’s server and retrieve the phishing page, which contains a blurred image pretending to load the document. The victim is then redirected to a legitimate-looking Microsoft 365 login page, where they are prompted to enter their credentials. In the background, the cybercrime service attempts to log in to the victim’s account using the provided credentials. The phishing page also asks for an MFA method if one is used.

The service uses the victim’s login information to complete the authentication process and collect the session cookies, which are sent to the PaaS team member via their Telegram channel.

During the attack, the victim connects to the Greatness phishing kit, which is deployed on the attacker-controlled server and delivers the phishing page.  The kit communicates with the PaaS API to forward the harvested credentials.  Through the phishing kit, the PaaS affiliates can configure service API keys and Telegram bots and track the stolen information.
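The delivery step described above (an HTML attachment whose JavaScript sends the browser to a remote server) can be triaged at the mail gateway or during incident response. The following is an added example, not code from the original article or from any vendor; the regex heuristics, the function name `triage_html_attachments` and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string, policy

# Heuristics chosen for this example (assumptions, not Greatness signatures).
CHECKS = {
    "script": re.compile(r"<script\b", re.I),
    "navigation": re.compile(r"location(\.href|\.replace|\.assign)?\s*[=(]", re.I),
    "decoder": re.compile(r"\b(atob|unescape|eval|fromCharCode)\s*\(", re.I),
}

def triage_html_attachments(raw_message):
    """Flag HTML attachments whose script navigates the browser or decodes a payload."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".html", ".htm")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # e.g. application/octet-stream named *.html
            body = body.decode("utf-8", "replace")
        hits = [label for label, rx in CHECKS.items() if rx.search(body)]
        suspicious = "script" in hits and ("navigation" in hits or "decoder" in hits)
        findings.append({"filename": name, "hits": hits, "suspicious": suspicious})
    return findings

# Constructed sample message for this example (not a real lure).
SAMPLE = """\
To: user@example.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

A document was shared with you.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="Shared_Document.html"

<html><body><script>window.location.href = "https://login.example.test/doc";</script></body></html>
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="newsletter.html"

<html><body><p>Monthly update</p></body></html>
--b1--
"""

if __name__ == "__main__":
    print(triage_html_attachments(SAMPLE))
```

A hit is a reason to quarantine and inspect the attachment, not a verdict; legitimate HTML attachments with scripts exist, so tune the patterns against your own mail flow.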

 

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

 

[1] https://www.securityweek.com/new-greatness-phishing-as-a-service-targets-microsoft-365-accounts/
