A man armed with a shield fights against a thief.

Greatness Phishing-as-a-Service Targets Microsoft 365 Users 

Greatness, a relatively new phishing-as-a-service (PaaS) tool, is mainly targeted at manufacturing businesses, healthcare organisations, and tech companies. This tool has been specifically developed to target Microsoft 365 users. 

Since mid-2022, the service known as ‘Greatness’ has been exploited using different phishing attacks. The attacks mostly target organisations in the United States, with victims also in the United Kingdom, Australia, Canada, and South Africa.

Geographic Distribution of Targeted Organisations
Geographic Distribution of Targeted Organisations (Cisco Talos) 

Greatness is completely dedicated to using Microsoft 365 phishing sites to target victims. The service provides its members with a tool to create login and fake pages that seem genuine utilising attachments and links. 

Tiago Pereir, a researcher at Cisco Talos, claims: 

Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots. This allows the PaaS affiliate to steal usernames and passwords, along with the authenticated session cookies if the victim uses MFA.

A Telegram bot immediately notifies the attacker after a successful attack. This immediate warning gives the attacker time to react before the authenticated session expires, or, in other words, before the cookies expire. 

Greatness Phishing to Target Microsoft 365 Users 

The scam starts when the victim gets a phishing email with an attached HTML file, which is often the start of the attack. The email requests that the victim access the HTML page and poses as a shared document. 

The web browser runs a short, hidden JavaScript script that creates a link to the attacker’s server when the victim clicks on the attached HTML file. The user sees the HTML code of the phishing website within the browser window thanks to this connection, which downloads it. The code adds a blurry picture of a turning wheel icon to mimic the loading of a document. 

Misleading Blurred Decoy Greatness Document
Blurred Decoy Document (Cisco Talos) 

The victim visits the Greatness phishing kit, which is hosted on a server under the attacker’s control, while they are being attacked. The victim then receives the phishing page from this kit. The kit then uses the PaaS API to transmit the credentials that were stolen. 

After obtaining the victim’s password, the PaaS programme logs into Microsoft 365 under their disguise. If MFA is used, the victim must authenticate using the same strategy as the genuine Microsoft 365 website. After authentication, the tool gets the authenticated session cookies and delivers them to the service provider via Telegram or the web panel. 

According to advisory

To use Greatness, affiliates must deploy and configure a provided phishing kit with an API key that allows even unskilled threat actors to easily take advantage of the service’s more advanced features. The phishing kit and API work as a proxy to the Microsoft 365 authentication system, performing a ‘man-in-the-middle’ attack and stealing the victim’s authentication credentials or cookies.”

PaaS partners may configure their service API keys and Telegram bots using the phishing kit, and they can also keep track of the data obtained.

Unfortunately, the obtained credentials are frequently used to get into company networks, leading to more dangerous attacks like the spread of ransomware.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology (none of which can spot 100% of phishing emails), you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks.

Recent posts