A previously unreported phishing-as-a-service (PaaS) offering named “Greatness” has been used in several phishing campaigns since at least mid-2022. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.
Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages. It contains features such as having the victim’s email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization’s real Microsoft 365 login page. This makes Greatness particularly well-suited for phishing business users.
An analysis of the domains targeted in several ongoing and past campaigns revealed the victims were almost exclusively companies in the U.S., U.K., Australia, South Africa, and Canada, and the most commonly targeted sectors were manufacturing, health care and technology. The exact distribution of victims in each country and sector varies slightly between campaigns.
To use Greatness, affiliates must deploy and configure a provided phishing kit with an API key that allows even unskilled threat actors to easily take advantage of the service’s more advanced features. The phishing kit and API work as a proxy to the Microsoft 365 authentication system, performing a “man-in-the-middle” attack and stealing the victim’s authentication credentials or cookies.
