Cybercriminals have introduced a formidable weapon into their arsenal with the emergence of a state-of-the-art Phishing-as-a-Service (PhaaS) platform known as Greatness. Since its inception in mid-2022, this malicious tool has wreaked havoc among Microsoft 365 users, drastically lowering the barriers to launching devastating phishing attacks.
The Threat of Greatness:
Research conducted by Cisco Talos has uncovered the alarming capabilities of Greatness. Affiliates of this platform gain access to an attachment and link builder that crafts remarkably authentic decoy and login pages. Leveraging the actual Microsoft 365 login page of targeted organizations, Greatness incorporates personalized elements such as pre-filled email addresses and company logos, making the deception virtually indistinguishable from the genuine login page.
Greatness has left its mark on multiple sectors, with manufacturing, healthcare, and technology entities in the United States, the United Kingdom, Australia, South Africa, and Canada falling victim to its campaigns. Disturbing spikes in activity were particularly observed in December 2022 and March 2023, indicating the platform's growing influence.
The Danger of Greatness:
The true danger lies in the fact that tools like Greatness empower threat actors, regardless of their level of expertise, to execute cost-effective and scalable attacks. By creating highly convincing login pages for various online services, this phishing kit effectively bypasses two-factor authentication (2FA), leaving victims vulnerable to exploitation.
The Intricate Attack Chain:
The Role of API Keys:
To access the phishing pages, each affiliate must possess a valid API key. The key protects the kit by keeping unauthorized IP addresses away from the phishing page, and it also facilitates communication with the legitimate Microsoft 365 login page. By impersonating the victim, the phishing kit and API work in tandem to execute a "man-in-the-middle" attack that retrieves valuable information in real time. The kit harvests usernames and passwords and, particularly if the victim uses MFA, authenticated session cookies as well.
Microsoft has taken steps to address these evolving threats by implementing stricter measures. Since May 8, 2023, Microsoft Authenticator push notifications have required number matching, which strengthens 2FA protections and counters prompt bombing attacks.
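A harvested session cookie has to be replayed by someone other than the victim, which gives defenders a signal to look for in sign-in telemetry. The following is an added example, not code from the original article or from Cisco Talos: it flags a session that appears from a different network shortly after its MFA sign-in. The event fields, the sample events, and the one-hour window are constructed assumptions, not a real Microsoft 365 log schema.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events. Field names are illustrative, not a
# real Microsoft 365 / Entra ID log schema. ASNs are documentation values.
EVENTS = [
    {"time": "2023-03-14T09:02:11", "user": "alice@example.com", "session": "s-100",
     "asn": 64500, "country": "GB", "mfa": True},
    {"time": "2023-03-14T09:40:03", "user": "alice@example.com", "session": "s-100",
     "asn": 64500, "country": "GB", "mfa": False},
    {"time": "2023-03-14T10:15:27", "user": "bob@example.com", "session": "s-200",
     "asn": 64501, "country": "US", "mfa": True},
    {"time": "2023-03-14T10:19:52", "user": "bob@example.com", "session": "s-200",
     "asn": 64511, "country": "ZA", "mfa": False},
    {"time": "2023-03-15T08:00:00", "user": "carol@example.com", "session": "s-300",
     "asn": 64502, "country": "CA", "mfa": True},
    {"time": "2023-03-16T08:00:00", "user": "carol@example.com", "session": "s-300",
     "asn": 64503, "country": "CA", "mfa": False},
]


def find_session_replay(events, window=timedelta(hours=1)):
    """Flag sessions reused from a different network soon after the MFA sign-in."""
    origin = {}    # session id -> event in which MFA was satisfied
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        sid = ev["session"]
        if ev["mfa"]:
            origin.setdefault(sid, ev)
            continue
        first = origin.get(sid)
        if first is None:
            # Session used with no MFA sign-in in the data set: cannot compare.
            continue
        gap = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(first["time"])
        moved = (ev["asn"], ev["country"]) != (first["asn"], first["country"])
        if moved and gap <= window:
            findings.append({"user": ev["user"], "session": sid,
                             "from": (first["asn"], first["country"]),
                             "to": (ev["asn"], ev["country"]),
                             "seconds_after_mfa": int(gap.total_seconds())})
    return findings


if __name__ == "__main__":
    for f in find_session_replay(EVENTS):
        print(f)
```

The window is a tuning trade-off: a short one ignores ordinary roaming such as the third sample user's network change a day later, while a longer one catches delayed cookie reuse at the cost of more false positives.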
In the face of relentless cybercriminal innovation, it is crucial for individuals and organizations to remain vigilant, adopt robust security measures, and stay informed about the latest developments in cybersecurity.