Date: 11 May 2023

Threat Actor

Unknown

Description

The Phishing-as-a-Service (PhaaS) platform named 'Greatness' has seen a spike in activity as it targets organizations using Microsoft 365 in the United States, Canada, the U.K., Australia, and South Africa with many working in manufacturing, healthcare, technology, education, real estate, construction, finance, and business services.

'Greatness' attacks

The Greatness Phishing-as-a-Service contains everything a wannabe phishing actor needs to conduct a campaign successfully.

To launch an attack, the user of the services accesses the 'Greatness' admin panel using their API key and providing a list of target email addresses. The PhaaS platform allocates the necessary infrastructure, like the server that will host the phishing page, as well as for generating the HTML attachment. The affiliate then crafts the email content and provides any other material or changes to the default settings as needed.

The service then emails the victims, who receive a phishing email with an HTML attachment. When this attachment is opened, an obfuscated JavaScript code is executed in the browser to connect with the 'Greatness' server to fetch the phishing page that will be displayed to the user.

The phishing service will automatically inject the target's company logo and background image from the employer's actual Microsoft 365 login page.

The victim only enters their password on the convincing phishing page, as Greatness pre-fills the correct email to create a sense of legitimacy. At this stage, the phishing platform acts as a proxy between the victim's browser and the actual Microsoft 365 login page, handling the authentication flow to obtain a valid session cookie for the target account.

If the account is protected by two-factor authentication, Greatness will prompt the victim to provide it while triggering a request on the real Microsoft service, so the one-time code is sent to the target's device. Once the MFA code is provided, Greatness will authenticate as the victim on the real Microsoft platform and send the authenticated session cookie to the affiliate via a Telegram channel or on the service's web panel.

Reference

https://www.bleepingcomputer.com/news/security/new-greatness-service-simplifies-microsoft-365-phishing-attacks/