The ‘Greatness’ Phishing-as-a-Service (PhaaS) platform has experienced a surge in activity, specifically targeting organizations that use Microsoft 365 in countries like the United States, Canada, the U.K., Australia, and South Africa.
Given the widespread adoption of Microsoft 365 among various industries, cybercriminals are increasingly attempting to exploit this cloud-based productivity platform to steal data and credentials for potential network breaches.
A recent report by Cisco Talos highlights the emergence of the Greatness phishing platform in mid-2022, with notable spikes in activity observed in December 2022 and March 2023.
Most of the victims targeted by Greatness are located in the United States, spanning sectors such as manufacturing, healthcare, technology, education, real estate, construction, finance, and business services. The Phishing-as-a-Service platform offers comprehensive tools and functionalities required for conducting successful phishing campaigns.
Attackers leverage the Greatness admin panel, using their API key to access the service and supply a list of target email addresses. The platform then provisions the necessary infrastructure, including hosting servers for phishing pages and generating HTML attachments.
The victims receive phishing emails containing HTML attachments, which, when opened, execute an obfuscated JavaScript code that connects with the Greatness server to fetch the phishing page. To increase the illusion of legitimacy, the service injects the target’s company logo and background image from their actual Microsoft 365 login page.
Victims enter their passwords on the convincing phishing page, with Greatness pre-filling the correct email address. Acting as a proxy between the victim’s browser and the legitimate Microsoft 365 login page, the phishing platform handles the authentication flow to obtain a valid session cookie for the target account.
In cases where the targeted account has two-factor authentication, Greatness prompts the victim to provide the necessary code, simultaneously triggering a request on the real Microsoft service to send the one-time code to the victim’s device.
Once the victim provides the multifactor authentication (MFA) code, Greatness authenticates as the victim on the genuine Microsoft platform and transmits the authenticated session cookie to the affiliate via a Telegram channel or the service’s web panel. Attackers can then exploit this session cookie to gain unauthorized access to the victim’s email, files, and data within Microsoft 365 services.
Often, the stolen credentials are also utilized to breach corporate networks, facilitating more perilous attacks like ransomware deployment.
