A new phishing tool called “Greatness” has been discovered; it has been deployed in various phishing campaigns since mid-2022. Security researchers identified several features commonly found in advanced phishing-as-a-service (PaaS) offerings, such as multi-factor authentication (MFA) bypass, IP filtering, and integration with Telegram bots. Greatness specifically targets victims through Microsoft 365 phishing pages and provides affiliates with an attachment and link builder to create convincing decoy and login pages. The victims are primarily companies in the US, UK, Australia, South Africa, and Canada, with the manufacturing, healthcare, and technology sectors being the most targeted.
The attack starts with a malicious email containing an HTML attachment. When opened, the attached HTML file executes JavaScript code that connects to the attacker’s server and retrieves a phishing page, which appears in the same browser window. The victim is redirected to a spoofed Microsoft 365 login page with a pre-filled email address, company logo, and background image. When the victim enters the password, the phishing service impersonates the victim and attempts to log in, even handling multi-factor authentication. The authenticated session cookies are then sent to the attacker via Telegram or the web panel. Greatness requires affiliates to deploy a provided phishing kit with an API key, which lets even unskilled threat actors use its advanced features. The kit and API act as a proxy to the Microsoft 365 authentication system, conducting man-in-the-middle attacks to steal victims’ authentication credentials or cookies.
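A mail-triage check for the first stage described above, as an added example that is not from the original article or the researchers' report: it parses a raw email, finds HTML attachments, and flags those whose JavaScript references a remote host. The function names, the indicator patterns, and the constructed sample message (with the placeholder host `kit.example.test`) are assumptions for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumed heuristics: script constructs that contact a remote host or rewrite the page.
NETWORK_HINTS = re.compile(r"\b(?:fetch|XMLHttpRequest|location\.(?:href|replace)|document\.write)\b")
REMOTE_URL = re.compile(r"https?://[^\s'\"<>)]+", re.I)

class ScriptCollector(HTMLParser):  # gathers inline script text and <script src> values
    def __init__(self):
        super().__init__()
        self.in_script, self.inline, self.sources = False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.sources += [v for k, v in attrs if k == "src" and v]
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.inline.append(data)

def triage_message(raw):
    """Return a finding for each HTML attachment whose script references a remote host."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".htm", ".html")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # HTML sent as application/octet-stream
            body = body.decode("utf-8", "replace")
        collector = ScriptCollector()
        collector.feed(body)
        script = "\n".join(collector.inline)
        hints = sorted(set(NETWORK_HINTS.findall(script)))
        urls = [s for s in collector.sources if REMOTE_URL.match(s)]
        urls += REMOTE_URL.findall(script) if hints else []
        if urls:
            findings.append({"attachment": name, "urls": urls, "hints": hints})
    return findings

def constructed_sample(script):
    """Constructed message (not real campaign data): text body plus invoice.html attachment."""
    msg = EmailMessage()
    msg["To"], msg["Subject"] = "user@example.test", "Invoice"
    msg.set_content("See attached invoice.")
    msg.add_attachment(f"<html><script>{script}</script></html>", subtype="html", filename="invoice.html")
    return msg.as_string()
```

A finding is a reason to quarantine and inspect the attachment, not a verdict: legitimate HTML attachments rarely need to fetch remote content, but obfuscated scripts can hide the URL from a static pattern match.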
To protect against Greatness phishing campaigns, be cautious of suspicious emails, utilize anti-phishing tools, enable multi-factor authentication, verify website authenticity, provide employee training, keep software updated, and have an incident response plan. Check out the Indicators of Compromise (IOCs) for Greatness here: https://github.com/Cisco-Talos/IOCs/blob/main/2023/04/new-phishing-as-a-service-tool-greatness-already-seen-in-the-wild.txt