A new Phishing as a Service tool dubbed “Greatness” has been discovered targeting US and global sectors with fake Microsoft 365 pages designed to steal login credentials. Here are the details of Greatness PhaaS, its capabilities, how it works, and how to protect yourself.

Greatness, a previously unreported PhaaS (Phishing as a Service) tool, was recently discovered in the wild and had been targeting innocent victims since last year. With some of the most advanced features, Greatness is focused on Microsoft 365 phishing pages and has targeted organizations and individuals in the US, UK, Australia, Canada, and South Africa. Join us as we share the details of the PhaaS tool and its capabilities. 


Greatness PhaaS Unleashed: What is Greatness PhaaS?

Greatness is a PhaaS tool that threat actors can use as a service to carry out malicious phishing campaigns and target innocent individuals. As discovered by the researchers at Cisco Talos, the PhaaS tool has been in play since mid-2022, with a significant spike in its activity in December 2022 and again in March 2023. 

Threat actors using Greatness PhaaS have been targeting manufacturing enterprises the most, followed by healthcare, technology, education, real estate, construction, and finance. The campaign is slightly different depending on the geographic region. Still, over 50% of Greatness PhaaS cases were observed in the US, followed by the UK, Australia, South Africa, and Canada. 


The Capabilities of Greatness PhaaS

Greatness PhaaS is a sophisticated tool with three major components:

  1. Phishing Kit: A phishing kit service component that delivers HTML (HyperText Markup Language) and JavaScript code for each attack step, with a PhaaS API (Application Programming Interface) in the background, and an admin panel used to configure the service API key and the Telegram bot and to track all stolen credentials. It has an Autograb feature that steals the victim’s email address and background to display on the phishing page.
  2. Service API: The API contains all the logic and features that can validate any key, block unwanted IP (Internet Protocol) addresses, and communicate with the authentic Microsoft 365 login page posing as the victim. The service API also enables Greatness PhaaS to steal usernames, passwords, and authenticated session cookies for MFA (Multi-Factor Authentication).
  3. Telegram Bot: Greatness PhaaS also has a Telegram bot connected to a threat actor-controlled Telegram channel where all the victim’s activity, credentials, and MFA codes are sent.




Greatness Attack Campaign: How Does it Work?

The Greatness PhaaS tool comes with everything a wannabe threat or phishing actor needs to carry out mass phishing campaigns. The attack with the Greatness PhaaS tool occurs in two stages:


1. Initial Contact

The attack starts with a malicious phishing email with an attached HTML file that comes as a shared document and leads the victims to the HTML page.

Fake Microsoft Page: Once the victim opens the page, the browser executes obfuscated JavaScript code and loads the phishing page in the browser window. The page contains the following:

  • A blurred image of an Excel document.
  • A spinning loader in the middle of the screen.
  • The Microsoft logo to give the appearance that the page is loading. 

This page redirects the user to a fake Microsoft 365 login page with the victim’s email address and a custom background used by the victim’s organization to make it more convincing.


2. MFA Bypass

Once the victim enters the password, Greatness PhaaS impersonates the victim to connect to Microsoft 365 and bypasses the MFA by prompting the victim to submit the MFA code via the fake HTML page. Once the code is received, the PhaaS tool sends it to the Telegram channel or directly through the web panel so the threat actor can use it to gain access to the authentic account. 


How to Protect Against Greatness PhaaS?

Regardless of the targeted regions or sectors, it has been observed that the Greatness Phishing as a Service tool only imitates Microsoft 365 login pages and not any other websites.

Suppose you receive any unsolicited email with an HTML attachment that appears as an image and redirects to the Microsoft login page. In that case, you should turn away, no matter how convincing the webpage looks. Threat actors are adept at using social engineering tactics such as creating urgency within the email, urging the victim to act quickly, sending reminders about the email, and so on. 
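The attachment pattern described above (an HTML file whose obfuscated JavaScript loads a Microsoft-branded page) can be triaged automatically at the mail gateway. The following is an added example, not code from Cisco Talos or from the original article; the indicator patterns, the threshold, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Heuristic indicators: assumptions chosen for this example, not published IoCs.
OBFUSCATION = [r"\beval\s*\(", r"\batob\s*\(", r"\bunescape\s*\(",
               r"String\.fromCharCode", r"document\.write\s*\("]
BRANDING = re.compile(r"microsoft|office\s*365|\bexcel\b", re.I)
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")  # long encoded payload
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def score_html(html):
    """Return the list of reasons an HTML attachment body looks like a lure."""
    scripts = " ".join(SCRIPT.findall(html))
    reasons = [p for p in OBFUSCATION if re.search(p, scripts)]
    if LONG_BLOB.search(scripts):
        reasons.append("long-encoded-blob")
    if BRANDING.search(html):
        reasons.append("microsoft-branding")
    return reasons

def triage(raw_message, threshold=3):
    """Return (filename, reasons) for each HTML attachment at or above threshold."""
    msg = message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and \
                not name.lower().endswith((".html", ".htm")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # HTML sent as application/octet-stream
            body = body.decode("utf-8", errors="replace")
        reasons = score_html(body)
        # Branding alone is common in legitimate mail; require obfuscation too.
        if "microsoft-branding" in reasons and len(reasons) >= threshold:
            flagged.append((name, reasons))
    return flagged

def build_sample(html, filename):
    """Build a constructed test message carrying one HTML attachment."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "Shared document", "a@example.test", "b@example.test"
    m.set_content("Please review the attached document.")
    m.add_attachment(html, subtype="html", filename=filename)
    return m.as_string()

# Constructed, inert samples: the encoded string decodes to repeated "ABC".
LURE = ('<html><body><img alt="Microsoft"><p>Excel document loading</p><script>'
        'document.write(unescape(atob("' + "QUJD" * 60 + '")));</script></body></html>')
BENIGN = '<html><body><h1>Meeting notes</h1><script>console.log("hi")</script></body></html>'
```

Calling `triage(build_sample(LURE, "invoice.html"))` flags the attachment with its reasons, while the benign sample returns an empty list; flagged messages are candidates for quarantine and analyst review, not proof of compromise.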

It is recommended to keep an eye out for suspicious and alarming phishing emails and invest in an AI-enabled anti-phishing tool to flag such emails and protect the organization. 




Final Words

PhaaS tools have become a nuisance for organizations and individuals alike, giving common and low-level threat actors the capability to carry out sophisticated phishing and data breach attacks and steal credentials at low rates. Greatness PhaaS is no joke and can damage any enterprise.

Individuals are advised to stay vigilant and adopt adequate phishing protection measures to protect against this new threat. It is crucial that they stay up to date on the latest phishing campaigns so they understand how to avoid them.