This dangerous phishing attack is targeting Microsoft users everywhere, so be on your guard

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system

(Image credit: weerapatkiatdumrong / Getty Images)

Threat actors are increasingly using Greatness, a phishing-as-a-service (PhaaS) provider, to target businesses across the world with authentic-looking landing pages that, in reality, just steal sensitive data.

According to a new report by Cisco Talos, the tool that was first set up in mid-2022 is seeing a significant uptick in users, as threat actors target Microsoft 365 accounts from companies in the United States, Canada, the U.K., Australia, and South Africa.

The attackers are going for firms in manufacturing, healthcare, technology, education, real estate, construction, finance, and business services industries, looking to obtain sensitive data, or user credentials.

Simple setup

The worst part is that Greatness greatly simplifies the process of setting up a phishing campaign, significantly lowering the barrier for entry.

To attack a firm, the hackers need only do a few things: log into the service using their API key; provide a list of target email addresses; create the email’s content (and change any other default details, as they see fit).

After that, Greatness handles the gruntwork of mailing the victims. Those that fall for the trick and open the accompanying attachment, will receive an obfuscated JavaSCript code that connects with the service’s server and grabs the malicious landing page.

> These dangerous phishing attacks are more common than ever - here's what you need to know

> Thousands of Microsoft servers are at risk from some serious security bugs

> Here's our list of the best firewalls around

The page itself is partly automated - it will grab the target company’s log and background image from the employer’s authentic Microsoft 365 login page, and will pre-fill the correct email address, making it more believable to the target.

The landing page then acts as a middleman between the user and the actual Microsoft 365 login page, moving through the authentication flow and even requesting the MFA code, if multi-factor authentication is set up on the account. Once the user logs in, the attackers grab the session cookie via Telegram, circumventing MFA and getting access.

"Authenticated sessions usually time out after a while, which is possibly one of the reasons the telegram bot is used - it informs the attacker about valid cookies as soon as possible to ensure they can reach quickly if the target is interesting," Cisco’s report states.

Check out the best malware removal tools right now

Via: BleepingComputer

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.