New Phishing-as-a-Service Platform Targets Microsoft 365 Cloud Services
A new phishing-as-a-service (PaaS) platform called ‘Greatness’ allows cybercriminals to target business users of Microsoft 365 cloud services. The kit has been available since at least the middle of 2022 and gives attackers an easy way to carry out phishing attacks.
“Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages,” according to Cisco Talos researcher Tiago Pereira. “It contains features such as having the victim’s email address pre-filled and displaying their appropriate company logo background image, extracted from the target organization’s real Microsoft 365 login page.”
Campaigns that use Greatness have mainly targeted the manufacturing, health care and technology sectors in the U.S., Australia, South Africa and Canada. Activity spiked in December 2022 and March 2023.
Greatness and other PaaS kits let cybercriminals and inexperienced actors alike carry out phishing attacks in a cost-effective and scalable way. Greatness makes it possible for hackers to create believable login pages that trick users into giving up their personal information.
Attacks using Greatness begin with malicious emails that contain an HTML attachment. When a user clicks on the attachment, they are redirected to a landing page that shows the target’s email address already populated in a login form, which then prompts them for their password and authentication code. The information gathered from the form is then forwarded to a Telegram channel where bad actors have access to the stolen information.
Additionally, each bad actor who uses Greatness is expected to have a valid API key in order to load the page. The API key prevents unwanted IP addresses from viewing the page, and allows behind-the-scenes communication with the actual Microsoft 365 login page by posing as the victim.
“Working together, the phishing kit and the API platform perform a ‘man-in-the-middle’ attack, requesting information from the victim that the API will then submit to the legitimate login page in real time,” Pereira said. He continued, “This allows the PaaS affiliate to steal usernames and passwords, along with the authenticated session cookies if the victim uses MFA.”
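A defensive check for the delivery step described above, as an added example that is not from the original article or from Cisco Talos: it flags inbound messages whose HTML attachment embeds the recipient's own address or contains script or redirect markup. It assumes the lure carries the address in plain, URL-encoded or base64 form to pre-fill the login page; the function names and the sample message are constructed for illustration.

```python
import base64
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Markup that runs script or redirects when the attachment is opened.
ACTIVE_RE = re.compile(r"<script|http-equiv=[\"']?refresh|location\.(?:href|replace)", re.I)

def attachment_reasons(html, recipients):
    """Return the reasons an HTML attachment looks like a pre-filled lure."""
    reasons, lowered = [], html.lower()
    for addr in recipients:
        plain = addr.lower()
        b64 = base64.b64encode(addr.encode()).decode().rstrip("=")  # padding optional
        if plain in lowered or plain.replace("@", "%40") in lowered:
            reasons.append("recipient address embedded")
        elif b64 in html:
            reasons.append("recipient address embedded (base64)")
    if ACTIVE_RE.search(html):
        reasons.append("script or redirect")
    return reasons

def flag_message(raw):
    """Map each suspicious HTML attachment's filename to its reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = [addr for _, addr in getaddresses(headers) if addr]
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if part.get_content_type() != "text/html" and not name.lower().endswith((".html", ".htm")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # e.g. sent as application/octet-stream
            body = body.decode("utf-8", errors="replace")
        if reasons := attachment_reasons(body, recipients):
            findings[name] = reasons
    return findings

def build_sample(to_addr, html):  # constructed test message, not a real capture
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "billing@sender.example", to_addr, "Invoice"
    m.set_content("See attached.")
    m.add_attachment(html, subtype="html", filename="invoice.html")
    return m.as_bytes()

RCPT = "alice@corp.example"  # constructed sample data
LURE = build_sample(RCPT, '<html><script>var u="%s";</script></html>' % base64.b64encode(RCPT.encode()).decode())
```

A script-only hit is common in legitimate HTML attachments, so treat the embedded-recipient reason as the stronger signal when tuning a mail filter on this.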
Story via The Hacker News