Not Destined for Greatness: Cisco's Coverage of New Phishing Dangers

By Alex Passett, Editor  |  May 16, 2023

If you’ve been engrossed in tech’s goings-on long enough (or you or your organization’s teams use products like the SecureX platform, Umbrella, Nexus Dashboard Insights or others), chances are you’re aware of industry-spearheading technologies company, Cisco. With solutions for networking, security, digital collaboration, cloud management and more, Cisco (News - Alert) helps securely connect global industries and communities.

Unfortunately, for every bright spot (i.e. the Ciscos of the world), there are much darker blotches staining the security of our data. Malicious threat actors utilize tools that are harmful to businesses; these jeopardize too much for too many in today’s expandingly connected digital landscapes. (Think of Newton’s Third Law here; for every action or force in nature, there is an equal or opposite reaction. Likewise, for every organization that looks to do good via enriching cybersecurity services, there are privacy-invading entities with arsenals of their own.)

This sets the scene. Now, we can cover Cisco Talos Intelligence Group and a swathe of its latest findings, much of which have created grim concerns for Cisco and industries, in general.

As Cisco Talos Intelligence Group (or simply Talos) is unsurprisingly one of the largest commercial threat intelligence teams out there (comprised of Cisco’s top researchers, analysts and engineers that rapidly support Cisco customers with real-time, actionable intel), you can imagine how the Talos team has reacted to a new tool for “Phishing-as-a-Service” that has been named “Greatness.” (Which, if you ask me, is a wholly uncouth antiphrasis of general “greatness,” in this case.)

Already seen in the wild, “Greatness” is a previously underreported PhaaS that has now been reportedly used in several major phishing campaigns since at least halfway into 2022. Greatness incorporates advanced PhaaS features like multi-factor authentication (MFA (News - Alert)) bypass, IP filtering and integration with Telegram bots.

This is not good news.

For now, per Talos, “Greatness is focused on Microsoft (News - Alert) 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages.” But still, even that is too far for our cyber peace of mind, as Greatness can apparently feature victims’ email addresses pre-filled on a display page (with accurate company logos and background images, to boot), all of which are extracted from the target’s real Microsoft 365 login page. This makes Greatness regrettably well-suited for users engaging in more sophisticated phishing.

Again, not good news.

Greatness users’ activities are easy-access, as well (even for unskilled threat actors that can now avail themselves of said tool to easily take advantage of victims’ services). Per Talos, the phishing kit and API key that must be configured and deployed work as a proxy to Microsoft 365’s authentication system, providing a “man-in-the-middle attack” and stealing victims’ authentication credentials, cookies, etc.

At this time, the domains targeted in several ongoing (and past) campaigns revealed victims almost exclusively at companies in the U.S., the U.K., Canada, South Africa and Australia. The most commonly targeted sectors were manufacturing, healthcare and technologies. (The exact distribution of victims in countries and sectors varies slightly between campaigns.)

As detailed thoroughly by Talos, the summary of a Greatness attack flow is as follows:

  1. The attack begins when a victim receives a malicious email, which typically contains an HTML file as an attachment and (under the pretext of a shared document) leads the victim to open the HTML page.
  2. Once the victim opens the attached HTML file, the web browser executes a short piece of obfuscated JavaScript code that establishes connection to the attacker's server to obtain the phishing page HTML code and display it to the user in the same browser window. This code will contain a blurred image with a spinning wheel icon, pretending to load the document.
  3. This then redirects the victim to a Microsoft 365 login page, usually pre-filled with the victim’s email address and the custom background and logo used by their company (as this news covered earlier).
  4. Once the victim submits their password, the PhaaS will connect to Microsoft 365, impersonate the victim and attempt to log in. If MFA is used, the service will prompt the victim to authenticate using the MFA method requested by the real Microsoft 365 page (e.g., SMS code, voice call code, push notification).
  5. Finally, once the MFA is received, the victim will continue to be impersonated behind the scenes in order to complete the login process and collect data.

When you spell it out in five steps, it’s scary how simple this is for bad actors.

So, what can be done?

Talos suggests a number of Cisco-enabled solutions for detecting and blocking this Greatness threat. (Which, again, when you call it a “Greatness threat” it sounds quite oxymoronic; like the actors named this as such to insult the validity of in-place security measures and make it seem like their ill-intended tool is better. This is a shame.)

The solutions Talos suggests include Cisco Secure Endpoint and Cisco Secure Email, Cisco Umbrella, Cloudlock, and Malware Analytics. These, when grouped together, help prevent the execution of malware like Greatness, use web scanning to identify and prevent access to malicious websites, messages and binaries, and build protections into Cisco products, and more.

Of course, other fruitful cybersecurity solutions exist, too. These are simply a bevy from Cisco in order to combat dangers from the likes of Greatness so your data (and your organization’s data) all remain secure.

For additional information on Greatness’ victimology, Indicators of Compromise (IOCs) and more specific percentages of targeted organizations, the Cisco Talos Intelligence Group lays it all out here.

Edited by Greg Tavarez
Get stories like this delivered straight to your inbox. [Free eNews Subscription]