This dangerous phishing attack is targeting Microsoft users everywhere, so be on your guard

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)

Threat actors are increasingly using Greatness, a phishing-as-a-service (PhaaS) provider, to target businesses across the world with authentic-looking landing pages that, in reality, just steal sensitive data. 

According to a new report by Cisco Talos, the tool that was first set up in mid-2022 is seeing a significant uptick in users, as threat actors target Microsoft 365 accounts from companies in the United States, Canada, the U.K., Australia, and South Africa.

The attackers are going for firms in manufacturing, healthcare, technology, education, real estate, construction, finance, and business services industries, looking to obtain sensitive data, or user credentials. 


Protecting your business from the biggest threats online

Protecting your business from the biggest threats online
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?) 

Simple setup

The worst part is that Greatness greatly simplifies the process of setting up a phishing campaign, significantly lowering the barrier for entry. 

To attack a firm, the hackers need only do a few things: log into the service using their API key; provide a list of target email addresses; create the email’s content (and change any other default details, as they see fit).

After that, Greatness handles the gruntwork of mailing the victims. Those that fall for the trick and open the accompanying attachment, will receive an obfuscated JavaSCript code that connects with the service’s server and grabs the malicious landing page.

The page itself is partly automated - it will grab the target company’s log and background image from the employer’s authentic Microsoft 365 login page, and will pre-fill the correct email address, making it more believable to the target. 

The landing page then acts as a middleman between the user and the actual Microsoft 365 login page, moving through the authentication flow and even requesting the MFA code, if multi-factor authentication is set up on the account. Once the user logs in, the attackers grab the session cookie via Telegram, circumventing MFA and getting access.

"Authenticated sessions usually time out after a while, which is possibly one of the reasons the telegram bot is used - it informs the attacker about valid cookies as soon as possible to ensure they can reach quickly if the target is interesting," Cisco’s report states.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.