New Phishing-As-A-Service Kit with Ability to Bypass MFA Targets Microsoft 365 Accounts



A phishing-as-a-service platform called “Greatness” is facilitating phishing attacks against Microsoft 365 accounts, according to researchers at Sucuri.

“Greatness operates as a Phishing as a Service (PhaaS) platform, providing a number of features and components for bad actors to conduct their phishing attacks against Microsoft 365 accounts,” the researchers write.

“URLScan results show thousands of affected pages related to this kit. Once bad actors acquire a license and make the payment, they are provided with the software used to launch these attacks. The software can be hosted anywhere but we have seen a number of infections on compromised websites, hidden deep within the website structure.”

The platform gives attackers an easy-to-use interface to craft convincing phishing emails.

“The ‘Office Page’ functions as a campaign builder, enabling phishers to craft detailed phishing campaigns, create convincing emails equipped with deceptive links, or create attachments embedded with malware,” the researchers write. “The platform facilitates easy creation of attack templates and offers customization for tailoring the phishing attack, such as modifying backgrounds to mimic various file types and an ‘autograb’ function, streamlining the phishing process by setting the target account in advance.”

Notably, the kit offers features that enable attackers to bypass multi-factor authentication.

“Greatness uses a sophisticated authentication procedure,” Sucuri says. “After a victim enters their password, the tool verifies if multi-factor authentication (MFA) is enabled. If MFA is active, the tool prompts victims for additional information. Utilizing Microsoft’s API, the tool can then procure a valid session cookie.”

The researchers conclude that phishing kits like Greatness lower the bar for unskilled criminals to craft convincing social engineering attacks.

“With this toolkit, even novices with little technical knowledge can launch damaging phishing attacks,” the researchers write. “This accessibility amplifies the potential for harm, as it lowers the threshold for individuals to participate in and profit from cybercrime.”

Sucuri has the story.

