Hackers Using Greatness PaaS tool to Steal Microsoft 365 Login Credentials


Nov 09, 2025 · 3 min read

A new Phishing-as-a-Service (PaaS) tool called Greatness is being used by cybercriminals to steal Microsoft 365 login credentials.

First detected in 2022, Greatness allows attackers to bypass security measures and has been continuously updated with evasion tactics.

As a result of its ability to save attackers time on development and provide advanced capabilities, it is gaining more and more popularity.

Law enforcement agencies are working to dismantle these services, with a recent takedown of LabHost.

Attackers are using QR codes as the delivery vector to target both employers and employees, and Greatness is being used to compromise user accounts and steal login credentials.

Attack Flow Of Greatness PaaS Attacks

The Greatness phishing tool initially used malicious HTML attachments disguised as login pages.

Server-side validation determined whether an error message or the phishing page was shown; after public exposure, attackers shifted to PDF files and URLs to bypass detection.

Captcha Evasion Display

Now they use multi-layered evasion, including CAPTCHAs and QR codes embedded in PDFs, to block automated analysis before the tool's own verification step, which makes the attacks difficult to stop, as detection relies on publicly available information.

It employs obfuscated content, including dynamically loaded JavaScript libraries and Base64-encoded strings, to hinder analysis; it also implements anti-bot measures and encrypts data using AES with a PBKDF2-derived key.

De-obfuscated Encryption Function

A JWT is generated with a Base64-encoded timestamp and sent alongside the encrypted data in AJAX requests.
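The two preceding paragraphs describe the kind of obfuscation an analyst has to peel back: Base64 literals hiding endpoints and field names, and a JWT whose payload carries a Base64-encoded timestamp. The following Python is an added analyst helper, not code from the Greatness kit or from the Trellix write-up; the script it operates on is a constructed sample, and the `ts` claim name, the `example.invalid` endpoint and the three-part token shape are assumptions made for the demonstration.

```python
"""Analyst helper: surface Base64 literals and JWT-shaped tokens in an
obfuscated phishing-page script (added example; constructed sample, not kit code)."""
import base64
import binascii
import json
import re
from datetime import datetime, timezone

# Constructed sample of an obfuscated script. Assumption: endpoints and field
# names are hidden in Base64 literals and a JWT carries a Base64 timestamp,
# matching the behaviour the article describes.
SAMPLE_JS = r'''
var a=atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvYXBpL3ZlcmlmeQ==");
var b=["bG9naW4=","cGFzc3dvcmQ=","c2Vzc2lvbl9jb29raWU="];
var t="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0cyI6Ik1UY3dNREF3TURBd01BPT0ifQ.sig";
var n=c(12,"notbase64!!");
'''

# Quoted literals made only of the standard Base64 alphabet plus padding.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{6,}={0,2})"')
# Quoted literals shaped like header.payload.signature (base64url segments).
JWT_LITERAL = re.compile(r'"([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)"')


def decode_b64(literal: str):
    """Return the printable text behind a Base64 literal, or None if it is
    not valid Base64, not UTF-8, or not printable (likely binary/noise)."""
    if len(literal) % 4:
        return None
    try:
        text = base64.b64decode(literal, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_jwt_segment(segment: str) -> dict:
    """Decode one base64url JWT segment (header or payload) into a dict;
    JWT segments are unpadded, so restore padding before decoding."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def extract_strings(script: str) -> dict:
    """Map every decodable Base64 literal in the script to its plaintext."""
    decoded = {}
    for literal in B64_LITERAL.findall(script):
        text = decode_b64(literal)
        if text is not None:
            decoded[literal] = text
    return decoded


def extract_jwts(script: str) -> list:
    """Decode JWT-shaped literals; a Base64-encoded numeric 'ts' claim
    (assumed claim name) is rendered as a UTC timestamp."""
    found = []
    for token in JWT_LITERAL.findall(script):
        header, payload = (decode_jwt_segment(p) for p in token.split(".")[:2])
        ts_text = decode_b64(payload["ts"]) if "ts" in payload else None
        ts_utc = None
        if ts_text and ts_text.isdigit():
            ts_utc = datetime.fromtimestamp(int(ts_text), tz=timezone.utc).isoformat()
        found.append({"alg": header.get("alg"), "payload": payload, "ts_utc": ts_utc})
    return found


if __name__ == "__main__":
    for literal, text in extract_strings(SAMPLE_JS).items():
        print(f"{literal} -> {text}")
    for jwt in extract_jwts(SAMPLE_JS):
        print(jwt)
```

Running it on the sample recovers the hidden endpoint, the `login`, `password` and `session_cookie` field names, and the JWT's embedded timestamp, while the `"notbase64!!"` literal is correctly ignored. In a real investigation the decoded endpoint and field names are the values worth turning into URL and content-inspection indicators.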

Error handling is incorporated for various scenarios, including invalid data and failed requests.

The script uses a Telegram token and API key for security and redirects users based on specific parameters; obfuscation techniques such as Base64 encoding and string manipulation further complicate analysis.

De-obfuscated Function Call

It leverages an Adversary-in-the-Middle (AiTM) technique to bypass Multi-Factor Authentication (MFA): the phishing kit steals the credentials, intercepts the MFA prompt presented to the user, and relays the MFA response to the legitimate service. It then uses the resulting session cookie to gain access while impersonating the victim.
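Because the AiTM relay satisfies MFA legitimately, the artefact a defender can still catch is the session cookie being used from somewhere other than where the MFA-satisfied sign-in happened. The following Python is an added detection example, not code from the article or from any vendor product; the sign-in events are constructed (RFC 5737 addresses, documentation ASNs), and the field names (`session`, `asn`, `mfa`, `interactive`) are assumptions to be mapped onto whatever your identity provider's sign-in log actually exports.

```python
"""Detect AiTM-style session replay: a session whose MFA-satisfied
interactive sign-in came from one network is reused non-interactively
from a different ASN shortly afterwards (added example; constructed data)."""
from datetime import datetime, timedelta, timezone

REPLAY_WINDOW = timedelta(minutes=60)  # assumption: tune to your environment

# Constructed sign-in events, not real telemetry. Field names are an
# assumption; map them from your identity provider's sign-in log schema.
SIGNIN_EVENTS = [
    # Alice completes MFA from her office network...
    {"ts": "2025-11-09T09:00:00Z", "user": "alice@example.invalid", "session": "S1",
     "ip": "203.0.113.10", "asn": 64496, "mfa": True, "interactive": True},
    # ...and 150 seconds later the same session is used from another ASN,
    # without any MFA: the shape of a relayed session cookie.
    {"ts": "2025-11-09T09:02:30Z", "user": "alice@example.invalid", "session": "S1",
     "ip": "198.51.100.7", "asn": 64500, "mfa": False, "interactive": False},
    # Bob's session moves between two addresses in the same ASN: benign roaming.
    {"ts": "2025-11-09T09:05:00Z", "user": "bob@example.invalid", "session": "S2",
     "ip": "203.0.113.20", "asn": 64496, "mfa": True, "interactive": True},
    {"ts": "2025-11-09T09:30:00Z", "user": "bob@example.invalid", "session": "S2",
     "ip": "203.0.113.21", "asn": 64496, "mfa": False, "interactive": False},
    # Carol's session has no observed MFA origin in this window: nothing to compare.
    {"ts": "2025-11-09T12:00:00Z", "user": "carol@example.invalid", "session": "S3",
     "ip": "192.0.2.5", "asn": 64501, "mfa": False, "interactive": False},
]


def parse_ts(value: str) -> datetime:
    """Parse the log's ISO-8601 UTC timestamps."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_session_replays(events, window=REPLAY_WINDOW):
    """Return one alert per session reused from a different ASN within
    `window` of its MFA-satisfied interactive origin."""
    origins = {}   # (user, session) -> (origin time, origin ASN, origin IP)
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        key = (ev["user"], ev["session"])
        when = parse_ts(ev["ts"])
        if ev["interactive"] and ev["mfa"]:
            # First MFA-satisfied interactive sign-in anchors the session.
            origins.setdefault(key, (when, ev["asn"], ev["ip"]))
            continue
        origin = origins.get(key)
        if origin is None:
            continue   # no MFA origin seen for this session: cannot compare
        born, origin_asn, origin_ip = origin
        if ev["asn"] != origin_asn and when - born <= window:
            alerts.append({
                "user": ev["user"], "session": ev["session"],
                "origin_ip": origin_ip, "origin_asn": origin_asn,
                "replay_ip": ev["ip"], "replay_asn": ev["asn"],
                "seconds_after_mfa": int((when - born).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SIGNIN_EVENTS):
        print(alert)
```

Only Alice's session fires: Bob's same-ASN roaming and Carol's session without an observed MFA origin are left alone. Comparing ASN rather than raw IP keeps mobile and NAT address churn out of the alert; the trade-off is that a replay from within the same ASN is missed, which is why this check belongs next to token-binding or device-compliance controls rather than in place of them.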

Greatness primarily targets the United States financial services industry but has also been used against the manufacturing, energy, retail, and consulting sectors; the phishing emails often contain a QR code that leads to a malicious link.

Detection Graph

Researchers at Trellix found malicious URLs that steal user credentials, as well as some that lead to seemingly legitimate shared files or eFax pages. This highlights the evolving threat of Greatness, a tool used by cybercriminals to bypass security measures.

Source: CybersecurityNews.com
