"Greatness" Phishing Tool Exploits Microsoft 365 Credentials

A new phishing-as-a-service (PaaS) tool called “Greatness” has been deployed as part of several phishing campaigns since at least mid-2022.

The findings come from security researchers at Cisco Talos, who described them in an advisory published on Wednesday.

“Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots,” wrote researcher Tiago Pereira.

Based on the company’s investigation, Greatness is solely targeting victims via Microsoft 365 phishing pages. The company offers its affiliates an attachment and link builder to create authentic-looking decoy and login pages.

“It contains features such as having the victim’s email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization’s real Microsoft 365 login page,” Pereira explained.

“This makes Greatness particularly well-suited for phishing business users.”

After analyzing the domains targeted in various campaigns, Cisco Talos found that the victims were primarily companies located in the US, UK, Australia, South Africa and Canada.

Manufacturing, health care and technology were the sectors most commonly targeted. However, Pereira clarified that the distribution of victims by country and sector varied slightly between campaigns.

“To use Greatness, affiliates must deploy and configure a provided phishing kit with an API key that allows even unskilled threat actors to easily take advantage of the service’s more advanced features,” reads the advisory.

“The phishing kit and API work as a proxy to the Microsoft 365 authentication system, performing a ‘man-in-the-middle’ attack and stealing the victim’s authentication credentials or cookies.”
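Because the kit proxies the real Microsoft 365 login, the victim completes MFA themselves and the attacker walks away with a valid session cookie. The defender-side signal for that kind of theft is a session that was established with MFA from one network and then used from a different one. The following is an added illustration of that check, not code from the Talos advisory or from the Greatness kit; the event schema and the sign-in records are constructed for the example and do not follow the real Entra ID sign-in log format.

```python
"""Flag possible session-cookie replay after an adversary-in-the-middle
phishing login, over constructed Microsoft 365 style sign-in records.

Rule: for every session that was created by an MFA-satisfied sign-in, report
any later event in the same session that comes from a different IP address.
Added example; the field names below are a simplified, constructed schema,
not the real sign-in log schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real telemetry). S1 and S3 show a session
# being reused from a new IP after MFA; S2 stays on one IP throughout.
SAMPLE_EVENTS = [
    {"ts": "2023-05-10T09:00:00", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "mfa": True},
    {"ts": "2023-05-10T09:04:00", "user": "alice@example.com", "session": "S1",
     "ip": "198.51.100.7", "mfa": False},
    {"ts": "2023-05-10T10:00:00", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.11", "mfa": True},
    {"ts": "2023-05-10T12:30:00", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.11", "mfa": False},
    {"ts": "2023-05-10T13:00:00", "user": "carol@example.com", "session": "S3",
     "ip": "203.0.113.12", "mfa": True},
    {"ts": "2023-05-11T13:00:00", "user": "carol@example.com", "session": "S3",
     "ip": "192.0.2.40", "mfa": False},
]


def _ts(event):
    """Parse the ISO 8601 timestamp of a record."""
    return datetime.fromisoformat(event["ts"])


def find_session_replays(events):
    """Return one finding per event that reuses an MFA-satisfied session
    from an IP other than the one that completed MFA."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    findings = []
    for session, evs in by_session.items():
        evs = sorted(evs, key=_ts)
        # The interactive sign-in that satisfied MFA is the session's origin.
        origin = next((e for e in evs if e["mfa"]), None)
        if origin is None:
            continue  # never satisfied MFA; outside this rule's scope
        for event in evs:
            if event is origin or event["ip"] == origin["ip"]:
                continue
            minutes = (_ts(event) - _ts(origin)).total_seconds() / 60
            findings.append({
                "user": event["user"],
                "session": session,
                "mfa_ip": origin["ip"],
                "replay_ip": event["ip"],
                "minutes_after_mfa": minutes,
            })
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(SAMPLE_EVENTS):
        print(finding)
```

On the constructed data this reports sessions S1 and S3 and stays quiet on S2. In production the raw IP comparison needs enrichment (ASN, geolocation, device identity), since mobile carriers and corporate NAT change addresses legitimately; the point of the rule is to surface the post-MFA network change that a proxied login leaves behind, which a credential-only alert would miss.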

The Indicators of Compromise (IOC) for the research conducted by Cisco Talos are available on their GitHub repository.

The findings come a couple of months after Kaspersky security researchers uncovered a new form of phishing attack that utilized legitimate servers from Microsoft’s collaboration platform, SharePoint.
