Manufacturing, Healthcare, and Technology Sectors Hit by Greatness Phishing Campaigns

Cybercriminals are taking advantage of a newly emerged phishing-as-a-service platform called Greatness, which has been actively targeting business users of Microsoft 365 since mid-2022. The platform significantly lowers the barriers to entry for phishing attacks, allowing even inexperienced threat actors to create persuasive decoy and login pages. According to Tiago Pereira, a researcher at Cisco Talos, Greatness specializes in Microsoft 365 phishing pages. It equips its affiliates with an attachment and link builder that generates realistic lure pages with appropriate company logos and background images extracted from the genuine Microsoft 365 login page. Greatness campaigns have primarily focused on Manufacturing, Healthcare, and Technology sectors in the U.S., the U.K., Australia, South Africa, and Canada. Activity levels spiked in December 2022 and March 2023. Phishing kits like Greatness offer an affordable and scalable solution for threat actors, enabling them to create convincing login pages associated with various online services and bypass two-factor authentication (2FA) measures.

The fraudulent pages serve as reverse proxies, collecting the login credentials and one-time passwords (OTPs) entered by unsuspecting victims. The attack typically begins with a malicious email containing an HTML attachment. Once opened, the attachment executes obfuscated JavaScript code that redirects the user to a landing page where their email address is already pre-filled. The user is then prompted to enter their password and MFA code. The stolen credentials and tokens are subsequently forwarded to the affiliate's Telegram channel, giving the affiliate unauthorized access to the compromised accounts. The phishing kit, known as an AiTM (adversary-in-the-middle) kit, includes an administration panel that lets affiliates configure the Telegram bot, monitor stolen information, and create malicious attachments or links.
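As an added example (not from the original article or from Cisco Talos), the following Python shows how a mail gateway could triage inbound HTML attachments for the delivery chain described above: script content, decoder calls typical of obfuscation, a client-side redirect, and the recipient's own address embedded in the file. The regexes, the scoring, the function names and both sample attachments are assumptions constructed for illustration.

```python
import base64
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Heuristics chosen for this example; they are not published Greatness signatures.
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
DECODERS = re.compile(r"\b(atob|unescape|eval|fromCharCode|decodeURIComponent)\s*\(")
REDIRECT = re.compile(r"location(?:\.href)?\s*=[^=]|location\.(?:replace|assign)\s*\("
                      r"|http-equiv\s*=\s*[\"']?refresh", re.I)
HTML_EXT = (".html", ".htm", ".shtml")
# Constructed samples: one attachment shaped like the described lure, one harmless.
LURE = '<script>var u=atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv");location.href=u+"#alice@example.com";</script>'
CLEAN = "<html><body><p>Quarterly report</p></body></html>"

def triage_html(html: str, recipient: str) -> dict:
    """Score one HTML attachment; each indicator that fires adds one point."""
    scripts = " ".join(SCRIPT.findall(html))
    b64_addr = base64.b64encode(recipient.encode()).decode().rstrip("=")  # stand-alone encoding only
    embedded = recipient.lower() in html.lower() or b64_addr in html
    hits = {
        "script": bool(scripts.strip()),
        "decoders": sorted(set(DECODERS.findall(scripts))),
        "redirect": bool(REDIRECT.search(html)),
        "recipient_embedded": bool(recipient) and embedded,
    }
    hits["score"] = sum(bool(v) for v in hits.values())
    return hits

def triage_message(raw: str) -> list[dict]:
    """Return one finding per HTML attachment in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    recipient = parseaddr(msg.get("To", ""))[1]
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_disposition() == "attachment" and name.endswith(HTML_EXT):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            findings.append({"file": name, **triage_html(body, recipient)})
    return findings

def sample(html: str) -> str:
    """Build a constructed message to alice@example.com carrying `html` as invoice.html."""
    msg = EmailMessage()
    msg["To"] = "Alice <alice@example.com>"
    msg.set_content("See attached.")
    msg.add_attachment(html, subtype="html", filename="invoice.html")
    return msg.as_string()
```

A high score is a reason to quarantine and review, not a verdict: legitimate HTML attachments can contain scripts, and a lure can hide the address in ways this check does not decode.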

It is worth noting that Microsoft implemented number matching in Microsoft Authenticator push notifications as of May 8, 2023. This enhancement aims to strengthen 2FA protections and defend against prompt bombing attacks. These developments highlight the ongoing battle between cybercriminals and the security measures deployed by technology providers like Microsoft. As attackers continually refine their techniques, it becomes crucial for organizations to stay vigilant and adopt robust Cyber Security practices.

To protect against phishing attacks like those facilitated by the Greatness platform, businesses should prioritize employee education and awareness. Training programs that focus on recognizing phishing emails, verifying the authenticity of login pages, and practicing safe browsing habits can significantly reduce the risk of falling victim to such schemes. Furthermore, staying informed about the latest Cyber Security trends and threats is crucial. Subscribing to reputable security news sources, attending industry conferences, and engaging with Cyber Security professionals can provide valuable insights into emerging risks and effective defense strategies.

 


