RISKS

What happened

Phishing-as-a-Service (PhaaS) platforms have emerged as a troubling trend that enables hackers to launch sophisticated phishing campaigns at scale. “Greatness”, a newer PhaaS platform, has established itself as a prominent player since it launched in mid-2022, with activity spikes seen in December 2022 and March 2023.

Greatness provides a comprehensive suite of tools and services for cybercriminals, including creating convincing phishing emails, authentic-looking login pages, and fake websites. The platform provides customizable options, allowing users to tailor their campaigns to target specific organizations, even displaying company logos and background images extracted from the target organization’s actual Microsoft 365 login page. The fake login page also pre-fills the correct email address leaving the victim to only enter their password, making the phishing page both convincing and effective.

Users are provided a phishing kit that they can deploy using an API key to access the Greatness admin panel. According to a new report by Cisco Talos, “The phishing kit and API work as a proxy to the Microsoft 365 authentication system, performing a “man-in-the-middle” attack and stealing the victim’s authentication credentials or cookies.”

The attack starts when a victim opens an HTML attachment, usually posing as a shared document, from a malicious email. When the attachment is opened the browser executes a JavaScript code which establishes a connection to the attacker’s server and obtains the phishing page HTML code that is displayed to the user as a blurred image with a spinning wheel, making it seem like the document is loading.

The victim is then redirected to a fake Microsoft 365 login page with their email address pre-filled. Once the password is submitted the PaaS platform connects to Microsoft 365 and attempts to login as the impersonated victim. The service can even prompt the victim to authenticate their account by using the multi-factor authentication (MFA) method requested by the authentic Microsoft 365 page, such as an SMS code or push notification.

The phishing platform acts as a proxy between the victim’s browser and the authentic Microsoft 365 page, allowing it to collect usernames, passwords, and authenticated session cookies if MFA is used, which are delivered to the affiliate’s Telegram channel or directly through the service’s web panel. With the authenticated session cookie, the attacker has access to the victim’s email and data in Microsoft 365 services.

Why is this important?

With features such as MFA bypass and IP filtering, Greatness’ phishing pages can be especially effective against businesses.

“The campaigns involving Greatness have primarily targeted manufacturing, healthcare, and technology companies in the United States, the United Kingdom, Australia, South Africa, and Canada,” Sonia Imam from stated in an article on Pure VPN. The consequences of falling victim to attacks within these sectors can have devastating effects for companies as well as their customers. Manufacturers and tech companies can face significant losses in both operations and revenue while healthcare breaches remain the most costly and can cause safety and identity risks for patients.

What does this mean to me?

If you’re a law firm, your firm’s data is under attack perhaps more than it ever has been. If you’re not a law firm, you’re relying on the law firm(s) you retain to protect your organization’s data. Many of them are failing to do so.

APPROACHES

Helpful Controls

Commonality of attack

High

HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, and more that impact your risk management program.

SCHEDULE YOUR FULL HALOCK SECURITY BRIEFING