TechRadar
Sead Fadilpašić

This dangerous phishing attack is targeting Microsoft users everywhere, so be on your guard

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system

Threat actors are increasingly using Greatness, a phishing-as-a-service (PhaaS) provider, to target businesses across the world with authentic-looking landing pages that, in reality, just steal sensitive data. 

According to a new report by Cisco Talos, the tool, which was first set up in mid-2022, is seeing a significant uptick in users, as threat actors target Microsoft 365 accounts from companies in the United States, Canada, the U.K., Australia, and South Africa.

The attackers are going for firms in manufacturing, healthcare, technology, education, real estate, construction, finance, and business services industries, looking to obtain sensitive data, or user credentials. 

Simple setup

The worst part is that Greatness greatly simplifies the process of setting up a phishing campaign, significantly lowering the barrier for entry. 

To attack a firm, the hackers need only do a few things: log into the service using their API key; provide a list of target email addresses; create the email’s content (and change any other default details, as they see fit).

After that, Greatness handles the grunt work of mailing the victims. Those who fall for the trick and open the accompanying attachment will receive obfuscated JavaScript code that connects to the service's server and grabs the malicious landing page.

The page itself is partly automated - it will grab the target company's logo and background image from the employer's authentic Microsoft 365 login page, and will pre-fill the correct email address, making it more believable to the target.

The landing page then acts as a middleman between the user and the actual Microsoft 365 login page, moving through the authentication flow and even requesting the MFA code, if multi-factor authentication is set up on the account. Once the user logs in, the attackers grab the session cookie via Telegram, circumventing MFA and getting access.

"Authenticated sessions usually time out after a while, which is possibly one of the reasons the telegram bot is used - it informs the attacker about valid cookies as soon as possible to ensure they can reach quickly if the target is interesting," Cisco’s report states.
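A defender-side check for the session-cookie theft described above, as an added example that is not from the article or from Cisco Talos: it flags a session identifier that is later presented from a different IP address and a different user agent than the client that established it. The log schema, field names and sample events are constructed assumptions, not a real Microsoft 365 log format.

```python
import json
from datetime import datetime

# Constructed sample events in a hypothetical JSON-lines schema.
SAMPLE_LOG = """\
{"ts": "2023-05-10T09:00:05", "user": "alice@example.com", "session": "s-1001", "ip": "198.51.100.7", "ua": "Chrome/113 Windows"}
{"ts": "2023-05-10T09:02:10", "user": "alice@example.com", "session": "s-1001", "ip": "203.0.113.50", "ua": "Firefox/102 Linux"}
{"ts": "2023-05-10T09:10:00", "user": "bob@example.com", "session": "s-1002", "ip": "192.0.2.10", "ua": "Chrome/113 Windows"}
{"ts": "2023-05-10T09:40:00", "user": "bob@example.com", "session": "s-1002", "ip": "192.0.2.44", "ua": "Chrome/113 Windows"}
"""

def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])

def find_replayed_sessions(events):
    """Report sessions reused from a new IP *and* a new user agent.

    Requiring both to differ avoids flagging ordinary network changes
    (the same browser moving between office Wi-Fi and a VPN, for example).
    """
    first_seen, flagged, findings = {}, set(), []
    for event in events:
        sid = event["session"]
        origin = first_seen.setdefault(sid, event)
        if origin is event or sid in flagged:
            continue
        if event["ip"] != origin["ip"] and event["ua"] != origin["ua"]:
            flagged.add(sid)
            findings.append({
                "user": event["user"],
                "session": sid,
                "origin_ip": origin["ip"],
                "reuse_ip": event["ip"],
                # A short gap matches attackers acting before the session expires.
                "gap_seconds": int((event["ts"] - origin["ts"]).total_seconds()),
            })
    return findings

if __name__ == "__main__":
    for finding in find_replayed_sessions(parse_events(SAMPLE_LOG)):
        print(finding)
```

A finding here is a lead for investigation rather than proof of compromise; pairing it with session revocation and a credential reset for the affected account closes the window the stolen cookie provides.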

Via: BleepingComputer
