Greatness PhaaS Platform

Analysis

Since mid-2022, the rise of Greatness, a new Phishing-as-a-Service (PhaaS) platform, has made it much easier for attackers to target corporate customers of the Microsoft 365 cloud service. The platform lowers the barrier to entry for phishing attacks by giving affiliates access to highly realistic decoy and login pages. Greatness pre-fills the victim's email address and displays the appropriate corporate logo and background image, taken from the target organization's actual Microsoft 365 login page. Campaigns have mostly targeted the manufacturing, healthcare, and technology sectors in the United States, the United Kingdom, Australia, South Africa, and Canada.

Phishing kits like Greatness let cybercriminals easily and cheaply bypass two-factor authentication (2FA) by collecting victims' login information and time-based one-time passwords (TOTPs). This highlights the need for businesses to train staff about the risks of phishing and to have strong security measures in place.

Prevention

  • Employee education: Businesses should regularly train their staff to spot phishing emails and to avoid clicking on links or downloading files from untrusted sources. They should also teach staff the distinctive features of tools like Greatness, such as the pre-populated email address and the company's name and background image.
  • Two-factor authentication (2FA): Even though Greatness can bypass 2FA safeguards, 2FA still offers an additional layer of security that can help lower the likelihood of successful attacks. Businesses should make sure that 2FA is activated for all user accounts and that staff have received sufficient training on how to use it.
  • Email filtering: Enterprises can use email filtering technology to detect suspicious emails, including those that contain harmful links or attachments, and to block emails from known phishing sources.
  • Web filtering: Organisations can employ web filtering technologies to prevent access to websites that are known to be phishing sites, including those linked to the Greatness PhaaS platform.
  • Anti-malware software: Businesses may use this to find and stop malicious code that might be included in phishing emails or on phishing websites.

Detection

  • Monitoring user behaviour: Organisations can monitor user behaviour to spot suspicious login patterns or attempts at credential theft. A user's credentials may have been compromised if they attempt to access a resource they do not regularly access, log in from an unusual location or device, or both.
  • Email analytics: Businesses can examine email metadata to spot suspicious activity, such as a rise in the volume of emails coming from unknown senders or a rise in the proportion of emails with malicious hyperlinks or attachments.
  • Website analytics: Businesses can examine website traffic to spot suspicious activity, such as a rise in visits to sites connected to the Greatness PhaaS platform or a rise in visits to pages that look like the login pages of prominent online services.
  • Planning for incident response: Firms should have a plan in place that defines what to do in the case of a phishing attack. Procedures for locating and mitigating the attack, informing impacted users, and repairing damaged systems should all be part of the plan.
  • Threat intelligence: Businesses can use threat intelligence feeds to find malware that is linked to recognised phishing sites. Threat intelligence may also be used to spot patterns of behaviour that can point to a new or emerging risk, such as an increase in activity linked to the Greatness PhaaS platform.
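
The user-behaviour check from the first bullet above, as an added example that is not part of the original page: it builds a per-user baseline from past sign-ins and flags a new country, device or resource. The record fields, the `min_history` warm-up threshold and the sample data are assumptions constructed for illustration, not a Microsoft 365 log schema.

```python
from collections import defaultdict

FIELDS = ("country", "device", "resource")

# Constructed sample sign-in records (hypothetical fields: ts, user, country, device, resource).
ROWS = [
    ("2023-05-01T08:02:00", "alice@example.com", "US", "dev-a1", "mail"),
    ("2023-05-02T08:10:00", "alice@example.com", "US", "dev-a1", "mail"),
    ("2023-05-02T09:00:00", "bob@example.com", "CA", "dev-b1", "mail"),
    ("2023-05-03T08:05:00", "alice@example.com", "US", "dev-a1", "sharepoint"),
    ("2023-05-04T08:01:00", "alice@example.com", "US", "dev-a1", "mail"),
    ("2023-05-04T08:07:00", "alice@example.com", "NL", "dev-x9", "mail"),
    ("2023-05-04T10:00:00", "bob@example.com", "GB", "dev-b2", "mail"),
    ("2023-05-05T08:03:00", "alice@example.com", "US", "dev-a1", "admin-portal"),
]
SAMPLE_EVENTS = [dict(zip(("ts", "user") + FIELDS, row)) for row in ROWS]


def flag_signins(events, min_history=3):
    """Return [(event, reasons)] for sign-ins that deviate from the user's own history."""
    baseline = defaultdict(lambda: {"count": 0, **{f: set() for f in FIELDS}})
    findings = []
    # ISO 8601 timestamps in one timezone sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        base = baseline[ev["user"]]
        reasons = []
        if base["count"] >= min_history:  # no scoring until a baseline exists
            reasons = [f for f in FIELDS if ev[f] not in base[f]]
        if reasons:
            # Flagged sign-ins are not learned, so a repeat keeps alerting
            # until an analyst clears it.
            findings.append((ev, reasons))
            continue
        for f in FIELDS:
            base[f].add(ev[f])
        base["count"] += 1
    return findings


def severity(reasons):
    """New location and new device together rank above a single deviation."""
    return "high" if {"country", "device"} <= set(reasons) else "low"


if __name__ == "__main__":
    for ev, reasons in flag_signins(SAMPLE_EVENTS):
        print(severity(reasons), ev["ts"], ev["user"], "new:", ", ".join(reasons))
```

The second user in the sample is never flagged because two sign-ins are below the warm-up threshold, which is the trade-off of any baseline-driven rule for new accounts.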

Indicators of Compromise (IOCs)

  • URLs: The URLs used in the phishing attacks are likely to include certain strings or subdomains connected to the Greatness platform. For instance, the URLs could use platform-related subdomains or terms like "greatness," "PaaS," or "PhaaS."
  • IP addresses: Attackers using the Greatness platform may host the decoy and login pages used in the attack on specific IP addresses. Businesses may monitor their network traffic to spot any IP addresses linked to Greatness attacks.
  • Malware: In order to steal login information or access target systems, Greatness attacks may include malware, such as keyloggers or remote access trojans (RATs). Businesses may watch for malware linked to Greatness attacks on their systems.
  • Modifications to the Windows registry, such as the addition of new keys or deletion of old ones.
  • Email addresses: Phishing emails sent to target users by attackers using the Greatness platform may contain particular email addresses. Businesses may monitor their email traffic to spot any email addresses linked to Greatness attacks.
  • File names and hashes: Greatness attacks may be associated with specific files that can be recognised, such as the decoy website itself or the attachment included in the phishing email.

References

The Hacker News
