Date: 2023-05-12



A previously unreported phishing-as-a-service (PaaS) tool allows even script kiddies to build compelling and effective phishing attacks against businesses.

Cisco Talos researchers elaborated on their findings on “Greatness,” a one-stop shop for all of a cybercriminal’s phishing needs. Greatness allows anyone with even the most rudimentary technical knowledge to create powerful Microsoft 365-based phishing lures and then carry out a man-in-the-middle attack that steals credentials, even in the face of things like multi-factor authentication (MFA).

The tool has been around since at least mid-2022 and has been used to attack companies, especially in sectors such as manufacturing, healthcare and technology. Half of the targets so far are concentrated in the United States, with further attacks occurring around Western Europe, Australia, Brazil, Canada and South Africa.

“It’s designed to be accessible,” says Nick Biasini, director of outreach for Cisco Talos. “This democratizes access to phishing campaigns.”

How Greatness works

Victims receive Greatness in the form of an email with a link or an attachment, the latter usually disguised as an HTML page. Clicking on the attachment opens a blurry image of a Microsoft document behind a loading wheel, giving the impression that the file is loading. But the document doesn’t load. Instead, the victim is redirected to a Microsoft 365 login page.

This might seem suspicious if it weren’t for the fact that the page is pre-populated with the victim’s email address and the victim’s company logo, giving the whole affair an air of legitimacy.

At this point, the man-in-the-middle play begins. Victims submit their passwords to 365 without knowing that they are helping their attackers log in. It doesn’t matter if the victim has MFA enabled. 365 asks for the code, the victim submits it, Greatness intercepts it, and the ruse continues. Greatness collects authenticated session cookies and passes them to threat actors via Telegram or its admin panel.

It used to take time, effort, and coding to craft a phishing attack this convincing. With Greatness, the attacker simply fills out a form with titles, captions, images of deceptive Excel spreadsheets, and more. According to Talos’ findings, enabling the “Autograb” feature automatically prefills the victim’s email address on the 365 login page.

“You basically pay a fee, you get access to the API, and that’s it,” Biasini says. “You have to understand some basics like what an API key is and how to apply it in the portal, but it is very user-friendly.”

Why Greatness works so well

Greatness is so sophisticated in its presentation that it can easily evade MFA, so simple awareness and cyber hygiene may not be enough to save a company from it.

One simple change your organization can make is to adjust the cookie session timeout. “Setting the timeout value to something like two weeks is not very good in the threat landscape we are seeing today,” explains Biasini. However, “The challenge is that there is also a user base. Forcing people to use MFA every five minutes doesn’t work very well either. So you kind of sit in the space in between. It’s a very difficult balance between decisions about security and decisions about usability.”

If the simple fix doesn’t solve the problem, you need more security. “This is where things like anomaly detection and location-based logins start. We need to raise the level of detection,” he said.
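The session-timeout and anomaly-detection advice above can be combined into a single check over sign-in telemetry. The following is an added example, not code from Talos or from the article; the event fields, the sample events and the 12-hour session limit are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): one row per request that
# presented a session cookie. All field names are assumptions for this example.
EVENTS = [
    {"ts": "2023-05-10T09:00:00", "user": "alice@example.com", "session": "s-1001", "country": "US", "ua": "Edge/113"},
    {"ts": "2023-05-10T09:05:00", "user": "alice@example.com", "session": "s-1001", "country": "US", "ua": "Edge/113"},
    {"ts": "2023-05-10T09:20:00", "user": "alice@example.com", "session": "s-1001", "country": "BR", "ua": "Firefox/102"},
    {"ts": "2023-05-01T08:00:00", "user": "bob@example.com", "session": "s-2002", "country": "CA", "ua": "Chrome/113"},
    {"ts": "2023-05-12T08:00:00", "user": "bob@example.com", "session": "s-2002", "country": "CA", "ua": "Chrome/113"},
]

MAX_SESSION_AGE = timedelta(hours=12)  # assumed policy, tune per organization


def find_suspect_sessions(events, max_age=MAX_SESSION_AGE):
    """Flag cookie use that no longer matches the context in which the
    session was authenticated, or that outlives the allowed session age."""
    origin = {}    # session id -> first event seen (where MFA was completed)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        first = origin.setdefault(ev["session"], ev)
        if first is ev:
            continue  # this event established the session
        reasons = []
        if ev["country"] != first["country"]:
            reasons.append("country_changed")
        if ev["ua"] != first["ua"]:
            reasons.append("user_agent_changed")
        age = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(first["ts"])
        if age > max_age:
            reasons.append("session_too_old")
        if reasons:
            findings.append((ev["session"], ev["user"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for session, user, reasons in find_suspect_sessions(EVENTS):
        print(f"{user} {session}: {', '.join(reasons)}")
```

A flagged session is a candidate for revocation and forced re-authentication; the country and user-agent comparison is a coarse signal and will also fire on VPN changes or browser updates.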

Still, Biasini sees a silver lining. “For me, more than anything, this shows that MFA really works. [Attackers] are actively trying to do something about it now. MFA is reaching a point where it can no longer be ignored,” he says.

