It is this last category that we are concerned with in this article and one platform in particular. The platform’s name is Greatness, and it has become quite popular for targeting MS365 users in the US, Canada, UK, Australia, and South Africa. According to research from Cisco Talos, the platform launched in the middle of 2022 and has seen a rapid increase in activity between December 2022 and March of 2023. Talos also indicated that the majority of targets being in the US and include business verticals like real estate, finance, technology, education, healthcare and business services.
Would be phishers connect to the platform using an API key and provide it a list of targeted email addresses. From there the Greatness platform builds out the infrastructure needed for the campaign including hosts for the phishing landing page. All the client has to do is craft the email content and add any settings they want for the particular campaign.
The actual emails are nothing special in terms of phishing, there is an attachment (HTML) that executes an obfuscated JavaScript which reaches out to the server previously set up. This displays the fake login page that is intended to capture the user’s credentials. The Greatness platform will have already pulled the target company’s logo and any background image to make the phish feel even more realistic (the better looking the bait…). The landing page is not just for stealing credentials though. The page is a proxy between the user, and their own real login page for MS365. If the target falls for the phish and enters their credentials, the page captures the session cookie. It will even forward MFA requests between the login page and the target.
The platform will, after a successful authentication, send the authenticated session cookie to the client via a Telegram bot or can be found on the Greatness’ web panel. As session cookies are not eternal, the platform is built to inform them of their existence as soon as possible so they can be exploited if so desired. The Greatness is a rather sophisticated phishing service that allows smaller and less advanced groups to dive headfirst into the phishing world. It is a great product for phishing campaigns targeting smaller organizations as initial access. The attacker can then enter the environment, download a mailbox, craft a new phishing message and send it out to partners, vendors and even clients of the now compromised company.
Tools like Greatness, show us that proper security culture, good anti-phishing tools and monitoring of email accounts are no longer a nice thing to have, they are an absolute requirement in the modern business landscape.