Researchers have uncovered a new modular phishing service called Greatness that is designed specifically to impersonate Microsoft 365 login pages. The service lets affiliates generate malicious links and attachments automatically and acts as an adversary in the middle to steal logins and bypass MFA protections.
The service emerged in the middle of last year, and researchers at Cisco Talos, who discovered it, have seen some big spikes in activity in the last few months, including major upticks in December and March. Apart from the hubris of the name, Greatness has some other interesting features, including the ability to auto-populate the victim’s email address on the fake Microsoft 365 login page and reproduce the background of the organization’s legitimate login page. The service consists of three separate pieces: a phishing kit deployed by each affiliate, an API for the service itself, and a Telegram bot and/or email address.
Like other phishing-as-a-service (PaaS) setups, Greatness relies on affiliates, but much of the work goes on in the background. The phishing kit includes a user-facing control panel through which each affiliate can configure options such as the background of the fake login page and a feature that automatically fills in the victim’s email address on the page. Each affiliate is given a unique API key that allows them to connect to the backend service.
“The phishing kit, the service component delivered to affiliates and deployed on a server controlled by them, is the only part of the service the victim connects to. The kit delivers the HTML/JavaScript code for each step of the attack. The kit communicates with the PaaS API service in the background, forwarding the credentials received from the victim and receiving information on what page it should deliver to the victim at each step of the attack,” Tiago Pereira of Cisco Talos said.
“As the victim submits their credentials to the kit, it stores them locally so they can be accessed via the administrative panel and, if configured to do so, sends them to the affiliate’s Telegram channel.”
The phishing campaigns begin with an email containing an HTML attachment. If the victim opens the attachment, it displays the phishing login page, which mimics the victim’s Microsoft 365 environment. The login page will usually have the victim’s email address filled in already, and if the victim enters the password, Greatness uses the credentials to log in to the victim’s legitimate Office 365 service. If MFA is set up on the account, the service then prompts the victim for whatever MFA method is required.
Greatness then grabs the authenticated session cookies and sends them to the email address or Telegram channel set up by the affiliate. This PaaS appears to target only businesses, and specifically those that use Microsoft 365 for email and productivity.
“Working together, the phishing kit and the API perform a ‘man-in-the-middle’ attack, requesting information from the victim that the API will then submit to the legitimate login page in real time. This allows the PaaS affiliate to steal usernames and passwords, along with the authenticated session cookies if the victim uses MFA. Authenticated sessions usually time out after a while, which is possibly one of the reasons the Telegram bot is used — it informs the attacker about valid cookies as soon as possible to ensure they can reach quickly if the target is interesting,” Pereira said.
Most of the organizations targeted by Greatness are in the United States and U.K., with some other victims spread across Canada, Brazil, and other countries.