Plug-and-Play Microsoft 365 Phishing Tool 'Democratizes' Attack Campaigns

New "Greatness" phishing-as-a-service used in attacks targeting manufacturing, healthcare, technology, and other sectors.


A previously unreported phishing-as-a-service (PaaS) tool allows even script kiddies to build compelling, effective phishing attacks against businesses.

Researchers at Cisco Talos detailed their findings on "Greatness," a one-stop-shop for all of a cybercriminal's phishing needs. With Greatness, anyone with even rudimentary technical chops can craft compelling Microsoft 365-based phishing lures, then carry out man-in-the-middle attacks that steal authentication credentials — even in the face of multifactor authentication (MFA) — and much more.

The tool has been in circulation since at least mid-2022 and has been used in attacks against enterprises in manufacturing, healthcare, and technology, among other sectors. Half of the targets thus far have been concentrated in the US, with further attacks occurring around Western Europe, Australia, Brazil, Canada, and South Africa.

"It's designed to be accessible," says Nick Biasini, head of outreach for Cisco Talos. "It democratizes access to phishing campaigns."

How Greatness Works

To a victim, Greatness arrives as an email with a link or, more usually, an attachment disguising an HTML page. Clicking on the attachment opens a blurred image of a Microsoft document behind a loading wheel, giving the impression that the file is loading. But the document never loads. Instead, the victim is redirected to a Microsoft 365 login page.

That might seem suspicious if not for the fact that the victim's email address, as well as their company's logo, are already pre-filled on the page, lending an air of legitimacy to the whole affair.

At this point, the man-in-the-middle scheme begins. The victim submits their password to 365, not knowing they're helping to log in their own attacker. Even if a victim has MFA implemented, it's no problem: 365 requests a code, the victim submits it, Greatness intercepts it, and the ruse continues. Greatness then collects the authenticated session cookies and passes them on to the threat actor via Telegram or its admin panel.

It used to take time, effort, and coding to craft phishing attacks this convincing. With Greatness, all you have to do is fill out a form: title, caption, an image of an Excel spreadsheet to trick the victim with, and so on. Enabling the "autograb" feature automatically pre-fills the 365 login page with the victim's email address, according to Talos' findings.

"Basically you just pay, you get access to your API, and that's it," Biasini says. "You have to understand some basic things, like what API keys are, and how to apply it in the portal, but it's pretty, pretty user-friendly."

Why Greatness Works So Great

Because Greatness is so slick in presentation and so effortlessly bypasses MFA, simple awareness and cyber hygiene may not be enough to save an enterprise from its grasp.

One simple change organizations can make is to adjust cookie session timeouts. "Having a timeout value of, like, two weeks is not a good look in the threat landscape that we're looking at today," Biasini explains. He adds, though, that "the challenge is you also have a user base, and forcing people to use MFA every five minutes is not going to go over very well, either. So you're kind of sitting in that middle space: a security decision versus a usability decision. It's a very tough balance."

Where simple fixes won't solve the problem, more sophisticated security is required. "This is where you start getting into things like anomaly detection," he notes, "and location-based logins. Things like that. You're going to have to take your detection up a level."

Still, Biasini sees a silver lining. "To me, more than anything else, it shows that MFA actually works … because they're [attackers] really actively trying to do something to counter it now," he says. "MFA is hitting a point where they can't ignore it anymore."
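
The location-based login checks and session-timeout trade-off discussed in this section can be sketched as detection logic over sign-in events. This is an added example, not code from Cisco Talos or from the article; the event schema, the `review_sessions` function, the per-user country baseline, and the one-day lifetime are all assumptions made for illustration, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed events in a simplified, hypothetical schema (not a real Microsoft 365 log format).
# "signin" creates a session after password + MFA; "use" is a later request carrying its cookie.
EVENTS = [
    ("2023-05-10T09:00", "alice@example.com", "s-100", "signin", "NL"),
    ("2023-05-10T09:04", "alice@example.com", "s-100", "use", "RO"),
    ("2023-05-10T10:00", "bob@example.com", "s-200", "signin", "CA"),
    ("2023-05-10T10:20", "bob@example.com", "s-200", "use", "CA"),
    ("2023-05-12T08:00", "carol@example.com", "s-300", "signin", "AU"),
    ("2023-05-30T08:00", "carol@example.com", "s-300", "use", "AU"),
]
# Countries each user normally signs in from (constructed baseline).
BASELINE = {"alice@example.com": {"US"}, "bob@example.com": {"CA"}, "carol@example.com": {"AU"}}


def review_sessions(events, baseline, max_age=timedelta(days=1)):
    """Return sorted (session, reason) findings for location and session-age anomalies."""
    findings = set()
    created = {}  # session id -> (creation time, country of the sign-in)
    for ts, user, session, kind, country in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if country not in baseline.get(user, set()):
            findings.add((session, "country outside user baseline"))
        if kind == "signin":
            created[session] = (when, country)
            continue
        if session not in created:
            findings.add((session, "cookie used without a recorded sign-in"))
            continue
        start, origin = created[session]
        if country != origin:
            findings.add((session, "session moved between countries"))
        if when - start > max_age:
            findings.add((session, "session older than allowed lifetime"))
    return sorted(findings)


if __name__ == "__main__":
    for session, reason in review_sessions(EVENTS, BASELINE):
        print(session, reason)
```

Raising `max_age` to 30 days makes the 18-day-old session for carol pass unflagged, which is the usability-versus-exposure trade-off described above.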

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
