Cloud security
Related Links

As bad actors become more sophisticated, so do the technologies and techniques they use. Recently, Bleeping Computer reported on a new phishing-as-a-service (PhaaS or PaaS) platform named Greatness. 

With this new technology, bad actors can now automate phishing campaigns with nothing more than an email list. Let’s explore how Greatness operates and outline the potential risks it poses to managed customers.

How does greatness work?

Greatness offers a complete phishing toolkit that enables hackers to automate the development of a phishing campaign.

Key components of the toolkit include:

  • MFA Bypass: Greatness has developed methods to bypass multi-factor authentication (MFA), making it easier for attackers to gain unauthorised access.
  • Attachment and Link Builder: The toolkit enables the creation of decoy login pages, complete with company logos and background images that closely resemble legitimate Microsoft 365 login pages.
  • Pre-populated Victim Emails: Greatness automates the process of pre-populating victim emails, making phishing campaigns appear more personalised and convincing.
  • IP Filtering: The toolkit incorporates IP filtering capabilities, allowing threat actors to target specific geographical regions or exclude certain IP addresses.
  • Integration with Telegram Bots: Greatness seamlessly integrates with Telegram bots, facilitating the secure transfer of stolen credentials to hackers.

Plug-and-play

Greatness sends professionally crafted emails to potential victims, enticing them to click on a link

The plug-and-play nature of the toolkit makes it easier than ever to launch a phishing campaign. By providing a list of targeted email addresses, attackers can rely on the toolkit to handle the rest, including domain reconnaissance and the setup of virtual server instances. It’s essentially an easy button for hackers.

Once configured, Greatness sends professionally crafted emails to potential victims, enticing them to click on a link. The email content is designed to appear legitimate, often luring recipients with urgent requests related to their Microsoft 365 accounts.

Microsoft 365 login

After a user clicks the link, they’re taken to a highly authentic-looking Microsoft 365 login page. The page is fully branded with their familiar company logo and colours, and the user’s email address is pre-populated. All of this provides the user with a high level of confidence that this is a legitimate request.

The package is sophisticated enough that if MFA is required, it will proxy back to Microsoft that there’s a login attempt occurring, which in turn will cause Microsoft to request MFA authorisation.

MFA authorisation

The user will authenticate because they think that they’re logging in to a real page, so they have no idea

The user will authenticate because they think that they’re logging in to a real page. After they authenticate, they’re brought right into Microsoft 365, so they have no idea that they’ve been phished.

Meanwhile, the hacker has the user’s credentials and tokens. What was initially a simple business email compromise (BEC) has grown into a fully-fledged Microsoft 365 account compromise.

What’s worse, if they’re in a federated network and their corporate logins are the same across the entire organisation, the hackers gain access to the entire company network. They look to find data, exfiltrate it, and launch a ransomware attack.

Consequences and Implications

The ramifications for your customers are severe. The stolen credentials grant hackers access to valuable corporate resources and sensitive information.

Some potential consequences include:

  • Financial Loss: BEC or wire fraud can lead to significant financial losses.
  • Reputational Damage: Successful phishing attacks can harm a company’s reputation, affecting relationships with clients, suppliers, and patients in industries like healthcare.
  • Legal Issues: Victims of data breaches may pursue litigation against compromised organisations, resulting in potential legal costs.
  • Productivity Loss: Dealing with the aftermath of a phishing attack can disrupt operations, leading to a loss of productivity.
  • HR Implications: Morale issues within the organisation may arise due to breaches, leading to possible personnel changes and associated costs.
  • External Communications: Organisations may need to manage external communications to address the incident and reassure customers, partners, and stakeholders.

Educating clients

To engage clients effectively, it’s crucial to present the implications of such attacks from a business perspective.

Key talking points include:

  • Business Impact: Highlight the potential consequences specific to the client’s industry, such as regulatory involvement, reputational damage, and business interruptions.
  • Incident Response Planning: Emphasise the importance of having an incident response plan in place to minimise damage and recover swiftly in the event of an attack.

How do SaaS Alerts help?

SaaS Alerts offer valuable assistance in identifying compromised accounts and taking proactive measures

Because prevention isn’t always foolproof, timely detection and response are critical in mitigating the impact of phishing attacks.

SaaS Alerts offer valuable assistance in identifying compromised accounts and taking proactive measures quickly.

Benefits of SaaS Alerts

The key benefits of SaaS Alerts include:

  • Geolocation Monitoring: SaaS Alerts can identify suspicious logins and activities originating from unauthorised regions, providing an early warning sign of a compromised account.
  • Account behaviour Analysis: By monitoring email rules, file activity, and unexpected changes in access permissions, SaaS Alerts can identify anomalies and suspicious behaviour associated with compromised accounts.
  • Automated Response: SaaS Alerts allow the creation of custom response rules, enabling automated actions to be taken when indicators of compromise are detected.

Cybersecurity

The use of advanced phishing kits, combined with sophisticated techniques, allows threat actors to compromise Microsoft 365 accounts more easily than ever before.

MSPS must prioritise cybersecurity measures, educate their clients about the risks of phishing attacks, and leverage tools like SaaS Alerts to enhance their detection and response capabilities in this ever-evolving threat landscape.

Learn why leading casinos are upgrading to smarter, faster, and more compliant systems

Related white papers
Milestone cloud deployment guide

Milestone cloud deployment guide

Download
Maximising enterprise security systems in the cloud

Maximising enterprise security systems in the cloud

Download
Using artificial intelligence (AI) to automate physical security systems

Using artificial intelligence (AI) to automate physical security systems

Download
Related articles
Looking back at 2020: Cloud systems expand in shadow of COVID

Looking back at 2020: Cloud systems expand in shadow of COVID
What is the cloud? (Can we all agree?)

What is the cloud? (Can we all agree?)
Which security markets are likely to embrace the cloud?

Which security markets are likely to embrace the cloud?