Stratos Ally

Hackers Steal Microsoft 365 Login Credentials by Using the Greatness PaaS Tool


StratosAlly


In a threatening evolution of cybercrime, a new Phishing-as-a-Service (PaaS) tool called “Greatness” is wreaking havoc on Microsoft 365 users. First detected in 2022, it is known for giving cybercriminals sophisticated features that steal victims' login credentials while bypassing security measures.

Imagine receiving an email from your bank. It looks legitimate and carries a QR code that promises to lead to your statement. Scanning it, however, redirects you to a malicious login page, a typical attack vector used by Greatness. Attackers initially used HTML attachments disguised as login pages but have since shifted to PDFs and URLs to evade detection.

Greatness employs sophisticated evasion tactics such as CAPTCHAs and QR codes embedded in PDFs to defeat automated analysis. Its obfuscated content, dynamically loaded JavaScript libraries, and data encrypted with AES under a PBKDF2-derived key make it extremely difficult to analyze and block. Additionally, it generates a JWT containing a Base64-encoded timestamp to authenticate its AJAX requests, further complicating detection.

Law enforcement is fighting back against such services, recently dismantling LabHost, a platform that supported similar activity. Yet Greatness continues to thrive, especially against the US financial sector, and it also targets the manufacturing, energy, retail, and consulting industries.

Greatness leverages an Adversary In The Middle (AiTM) technique to bypass Multi-Factor Authentication (MFA), intercepting and relaying MFA prompts to gain unauthorized access. Researchers at Trellix uncovered URLs leading to fake shared files or eFax pages, underlining the persistent threat.
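Because an AiTM proxy relays the whole login, the session that results from a relayed MFA prompt is typically used from a network other than the one the victim signed in from. The following added example (not code from the article or from Trellix) shows one defensive correlation over constructed sign-in records; the field names are simplified assumptions, not the real Microsoft 365 sign-in-log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (assumed, simplified shape; not real log data).
# "mfa" marks the interactive sign-in that satisfied MFA; later rows are session reuse.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2024-05-01T09:00:00", "ip": "203.0.113.10", "mfa": True,  "session": "s1"},
    {"user": "alice@example.com", "time": "2024-05-01T09:03:00", "ip": "198.51.100.77", "mfa": False, "session": "s1"},
    {"user": "bob@example.com",   "time": "2024-05-01T10:00:00", "ip": "203.0.113.20", "mfa": True,  "session": "s2"},
    {"user": "bob@example.com",   "time": "2024-05-01T11:00:00", "ip": "203.0.113.20", "mfa": False, "session": "s2"},
]


def find_aitm_candidates(records, window=timedelta(minutes=30)):
    """Flag sessions whose MFA sign-in and later session use come from different
    IPs within `window`. A fresh session suddenly used from another network shortly
    after MFA is a common indicator of a stolen session cookie, which is what an
    AiTM phishing kit ultimately collects. Returns one hit per suspicious session."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session"]].append(rec)

    hits = []
    for session, events in by_session.items():
        events.sort(key=lambda e: e["time"])
        mfa_events = [e for e in events if e["mfa"]]
        if not mfa_events:
            continue  # no MFA sign-in in this session; nothing to correlate against
        mfa_time = datetime.fromisoformat(mfa_events[0]["time"])
        mfa_ip = mfa_events[0]["ip"]
        for e in events:
            delta = datetime.fromisoformat(e["time"]) - mfa_time
            if not e["mfa"] and e["ip"] != mfa_ip and timedelta(0) <= delta <= window:
                hits.append({"user": e["user"], "session": session,
                             "mfa_ip": mfa_ip, "reuse_ip": e["ip"], "minutes": delta.seconds // 60})
                break  # one alert per session is enough
    return hits


if __name__ == "__main__":
    for hit in find_aitm_candidates(SAMPLE_SIGNINS):
        print(hit)
```

Expect false positives from VPNs and mobile carrier NAT; in practice, enrich the IP comparison with ASN or geolocation and the session's device identity before alerting.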

Greatness is not a one-time threat; it is an evolving menace that continually adapts to countermeasures. This underscores that vigilance and robust security measures are paramount for protecting information from these sophisticated phishing attacks.
