Cybercriminals have been using a phishing-as-a-service (PhaaS or PaaS) platform named Greatness to target business users of Microsoft's 365 cloud service since at least mid-2022. The platform lowers the bar for phishing attacks considerably, putting convincing campaigns within reach of far less skilled attackers. Cisco Talos researcher Tiago Pereira reports that Greatness focuses almost exclusively on Microsoft 365 phishing pages and provides affiliates with an attachment and link builder for creating highly convincing decoy and login pages. These pages come with the victim's email address pre-filled, along with the appropriate company logo and background image extracted from the target organization's genuine Microsoft 365 login page. Manufacturing, healthcare, and technology organizations in the U.S., the U.K., Australia, South Africa, and Canada have been the main targets of Greatness campaigns, with surges in activity observed in December 2022 and March 2023.
The adversary-in-the-middle (AiTM) phishing kit also includes an administration panel that lets affiliates configure the Telegram bot, keep track of stolen information, and build booby-trapped attachments or links. The phishing page cannot be loaded without a valid affiliate API key; the API also blocks unwanted IP addresses and quietly relays traffic to the real Microsoft 365 login page while impersonating the victim. Working together, the phishing kit and the API carry out a 'man-in-the-middle' attack: whatever the victim enters is captured and immediately submitted to the legitimate login page. This lets the PaaS affiliate steal usernames, passwords and, where the victim uses MFA, the authenticated session cookies.
These findings coincide with Microsoft's efforts to strengthen 2FA protections and counter prompt-bombing attacks. As of May 8, 2023, Microsoft has rolled out number matching in Microsoft Authenticator push notifications.