New ‘Greatness’ service simplifies Microsoft 365 phishing attacks

The Phishing-as-a-Service (PhaaS) platform named ‘Greatness’ has seen a spike in activity as it targets organizations using Microsoft 365 in the United States, Canada, the U.K., Australia, and South Africa.

The Microsoft 365 cloud-based productivity platform is used by many organizations worldwide, making it a valuable target for cybercriminals who attempt to steal data or credentials for use in network breaches.

In a new report by Cisco Talos, researchers explain how the Greatness phishing platform launched in mid-2022, with a spike in activity in December 2022 and then again in March 2023.

Most victims are located in the United States, with many working in manufacturing, healthcare, technology, education, real estate, construction, finance, and business services.

Percentages of victims of Greatness-backed attacks
Percentage of victims of Greatness-backed attacks (Cisco)

‘Greatness’ attacks

The Greatness Phishing-as-a-Service contains everything a wannabe phishing actor needs to conduct a campaign successfully.

To launch an attack, the user of the services accesses the ‘Greatness’ admin panel using their API key and providing a list of target email addresses.

The PhaaS platform allocates the necessary infrastructure, like the server that will host the phishing page, as well as for generating the HTML attachment.

The affiliate then crafts the email content and provides any other material or changes to the default settings as needed.

Email attachment builder
Email attachment builder (Cisco)

The service then emails the victims, who receive a phishing email with an HTML attachment. When this attachment is opened, an obfuscated JavaScript code is executed in the browser to connect with the ‘Greatness’ server to fetch the phishing page that will be displayed to the user.

The phishing service will automatically inject the target’s company logo and background image from the employer’s actual Microsoft 365 login page.

Phishing page generated by Greatness
Phishing page generated by Greatness for a Cisco Talos employee (Cisco)

The victim only enters their password on the convincing phishing page, as Greatness pre-fills the correct email to create a sense of legitimacy.

At this stage, the phishing platform acts as a proxy between the victim’s browser and the actual Microsoft 365 login page, handling the authentication flow to obtain a valid session cookie for the target account.

The platform's functional diagram
The platform’s functional diagram (Cisco)

If the account is protected by two-factor authentication, Greatness will prompt the victim to provide it while triggering a request on the real Microsoft service, so the one-time code is sent to the target’s device.

Phishing page prompts the victim to enter a one-time code
Phishing page prompts the victim to enter a one-time code​​​​ (Cisco)

Once the MFA code is provided, Greatness will authenticate as the victim on the real Microsoft platform and send the authenticated session cookie to the affiliate via a Telegram channel or on the service’s web panel.

“Authenticated sessions usually time out after a while, which is possibly one of the reasons the telegram bot is used – it informs the attacker about valid cookies as soon as possible to ensure they can reach quickly if the target is interesting,” explains Cisco.

From there, the attackers can use this session cookie to access a victim’s email, files, and data in Microsoft 365 services. 

In many cases, the stolen credentials are also used to breach corporate networks, leading to even more dangerous attacks, such as the deployment of ransomware.