This dangerous phishing attack is targeting Microsoft users everywhere, so be on your guard

Sead Fadilpašić
·2 min read
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system

Threat actors are increasingly using Greatness, a phishing-as-a-service (PhaaS) provider, to target businesses across the world with authentic-looking landing pages that, in reality, just steal sensitive data.

According to a new report by Cisco Talos, the tool that was first set up in mid-2022 is seeing a significant uptick in users, as threat actors target Microsoft 365 accounts from companies in the United States, Canada, the U.K., Australia, and South Africa.

The attackers are going for firms in manufacturing, healthcare, technology, education, real estate, construction, finance, and business services industries, looking to obtain sensitive data, or user credentials.

Simple setup

The worst part is that Greatness greatly simplifies the process of setting up a phishing campaign, significantly lowering the barrier for entry.

To attack a firm, the hackers need only do a few things: log into the service using their API key; provide a list of target email addresses; create the email’s content (and change any other default details, as they see fit).

After that, Greatness handles the gruntwork of mailing the victims. Those that fall for the trick and open the accompanying attachment, will receive an obfuscated JavaSCript code that connects with the service’s server and grabs the malicious landing page.

Read more

> These dangerous phishing attacks are more common than ever - here's what you need to know

> Thousands of Microsoft servers are at risk from some serious security bugs

> Here's our list of the best firewalls around

The page itself is partly automated - it will grab the target company’s log and background image from the employer’s authentic Microsoft 365 login page, and will pre-fill the correct email address, making it more believable to the target.

The landing page then acts as a middleman between the user and the actual Microsoft 365 login page, moving through the authentication flow and even requesting the MFA code, if multi-factor authentication is set up on the account. Once the user logs in, the attackers grab the session cookie via Telegram, circumventing MFA and getting access.

"Authenticated sessions usually time out after a while, which is possibly one of the reasons the telegram bot is used - it informs the attacker about valid cookies as soon as possible to ensure they can reach quickly if the target is interesting," Cisco’s report states.

Via: BleepingComputer