Connect with us

Hi, what are you looking for?



New ‘Greatness’ Phishing-as-a-Service Targets Microsoft 365 Accounts

A new phishing-as-a-service (PaaS) tool has been observed targeting businesses, mainly in the manufacturing, healthcare, technology, and real estate sectors.

For roughly a year, a new phishing-as-a-service (PaaS) offering has been used to target Microsoft 365 accounts in the manufacturing, healthcare, technology, and real estate sectors, Cisco’s Talos security team warns.

Dubbed ‘Greatness’, the service has been used in several phishing campaigns since mid-2022, mainly targeting organizations in the US, with other victims in the UK, Australia, Canada, and South Africa.

Only delivering Microsoft 365 phishing pages, Greatness provides affiliates with capabilities such as IP filtering, multi-factor authentication (MFA) bypass, and integration with Telegram bots.

PaaS affiliates are provided with tools to create convincing login pages featuring the targeted organization’s logo and background image, and which also have the victim’s email address pre-filled.

Affiliates are also provided with a phishing kit with an API key, which allows them to access more advanced features and which act as a proxy to Microsoft’s authentication system, stealing the victim’s credentials via a man-in-the-middle attack.

As part of a typical attack, the victim receives a malicious email containing an HTML attachment claiming to be a shared document.

When the attachment is opened, JavaScript code is executed to direct the browser to the attacker’s server and retrieve the phishing page which also contains a blurred image pretending to load the document.

Advertisement. Scroll to continue reading.

The victim is then redirected to the legitimate looking Microsoft 365 login page, where they are prompted to enter their credentials. In the background, the cybercrime service attempts to log in to the victim’s account using the provided credentials. The phishing page also asks for an MFA method if one is used.

The service uses the victim’s login information to complete the authentication process and collect the session cookies, which are sent to the PaaS affiliate via their Telegram channel.

During the attack, the victim connects to the Greatness phishing kit, which is deployed on the attacker-controlled server and which delivers the phishing page. The kit communicates with the PaaS API to forward the harvested credentials.

Through the phishing kit, the PaaS affiliates can configure service API keys and Telegram bots and track the stolen information.

Related: UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies

Related: CISA Urges Organizations to Implement Phishing-Resistant MFA

Related: US Government Contractors Targeted in Evolving Phishing Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...


The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


Reddit says its systems were hacked following a sophisticated phishing attack aimed at employees.