Wednesday, 10 May 2023 17:41

The Greatness Phishing as a Service Platform Intended to Make Targeting MS365 Easier

Written by

Reading time is around minutes.

There is an old saying that says, when you can no longer do, you teach. This might be a relatively true axiom in the regular world, but in the world of cybercrime it is certainly not what you find happening. Instead, we tend to see that when organized groups no longer want the headache and hassle of doing the heavy lifting for attacks, they just build a platform to sell their tools to others. We have seen ransomware as a service, malware as a service, malvertising as a service, and even phishing as a service.

It is this last category that we are concerned with in this article and one platform in particular. The platform’s name is Greatness, and it has become quite popular for targeting MS365 users in the US, Canada, UK, Australia, and South Africa. According to research from Cisco Talos, the platform launched in the middle of 2022 and has seen a rapid increase in activity between December 2022 and March of 2023. Talos also indicated that the majority of targets being in the US and include business verticals like real estate, finance, technology, education, healthcare and business services.

Would be phishers connect to the platform using an API key and provide it a list of targeted email addresses. From there the Greatness platform builds out the infrastructure needed for the campaign including hosts for the phishing landing page. All the client has to do is craft the email content and add any settings they want for the particular campaign.

The actual emails are nothing special in terms of phishing, there is an attachment (HTML) that executes an obfuscated JavaScript which reaches out to the server previously set up. This displays the fake login page that is intended to capture the user’s credentials. The Greatness platform will have already pulled the target company’s logo and any background image to make the phish feel even more realistic (the better looking the bait…). The landing page is not just for stealing credentials though. The page is a proxy between the user, and their own real login page for MS365. If the target falls for the phish and enters their credentials, the page captures the session cookie. It will even forward MFA requests between the login page and the target.

The platform will, after a successful authentication, send the authenticated session cookie to the client via a Telegram bot or can be found on the Greatness’ web panel. As session cookies are not eternal, the platform is built to inform them of their existence as soon as possible so they can be exploited if so desired. The Greatness is a rather sophisticated phishing service that allows smaller and less advanced groups to dive headfirst into the phishing world. It is a great product for phishing campaigns targeting smaller organizations as initial access. The attacker can then enter the environment, download a mailbox, craft a new phishing message and send it out to partners, vendors and even clients of the now compromised company.

Tools like Greatness, show us that proper security culture, good anti-phishing tools and monitoring of email accounts are no longer a nice thing to have, they are an absolute requirement in the modern business landscape.

Read 1397 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.