The Rise of Automated Threat Actors: Phishing as a Service by Greatness

As bad actors become more sophisticated, so do the technologies and techniques they use. Earlier this month, Bleeping Computer reported on a new phishing-as-a-service (PhaaS or PaaS) platform named Greatness. With this new technology, bad actors can now automate phishing campaigns with nothing more than an email list.

Let’s explore how Greatness operates and outline the potential risks it poses to your managed customers.

How Does Greatness Work?

Greatness offers a complete phishing toolkit that enables hackers to automate the development of a phishing campaign. Key components of the toolkit include:

1. MFA Bypass: Greatness has developed methods to bypass multi-factor authentication (MFA), making it easier for attackers to gain unauthorized access.
2. Attachment and Link Builder: The toolkit enables the creation of decoy login pages, complete with company logos and background images that closely resemble legitimate Microsoft 365 login pages.
3. Pre-populated Victim Emails: Greatness automates the process of pre-populating victim emails, making phishing campaigns appear more personalized and convincing.
4. IP Filtering: The toolkit incorporates IP filtering capabilities, allowing threat actors to target specific geographical regions or exclude certain IP addresses.
5. Integration with Telegram Bots: Greatness seamlessly integrates with Telegram bots, facilitating the secure transfer of stolen credentials to the hackers.

The plug-and-play nature of the toolkit makes it easier than ever to launch a phishing campaign. By providing a list of targeted email addresses, attackers can rely on the toolkit to handle the rest, including domain reconnaissance and the setup of virtual server instances. It’s essentially an easy button for hackers.

Once configured, Greatness sends professionally crafted emails to potential victims, enticing them to click on a link. The email content is designed to appear legitimate, often luring recipients with urgent requests related to their Microsoft 365 accounts.

After a user clicks the link, they’re taken to a highly authentic-looking Microsoft 365 login page. The page is fully branded with their familiar company logo and colors, and the user’s email address is pre-populated. All of this provides the user with a high level of confidence that this is a legitimate request.

The package is sophisticated enough that if MFA is required, it will proxy back to Microsoft that there’s a login attempt occurring, which in turn will cause Microsoft to request MFA authorization. The user will authenticate because they think that they’re actually logging in to a real page. After they authenticate, they’re brought right into Microsoft 365, so they have no idea that they’ve been phished.

Meanwhile, the hacker now has the user’s credentials and tokens. What was initially a simple business email compromise (BEC) has grown into a fully-fledged Microsoft 365 account compromise. What’s worse, if they’re in a federated network and their corporate logins are the same across the entire organization, the hackers gain access to the entire company network. They look to find data, exfiltrate it, and launch a ransomware attack.

Consequences and Implications

The ramifications for your customers are severe. The stolen credentials grant hackers access to valuable corporate resources and sensitive information. Some potential consequences include:

1. Financial Loss: BEC or wire fraud can lead to significant financial losses.
2. Reputational Damage: Successful phishing attacks can harm a company’s reputation, affecting relationships with clients, suppliers, and patients in industries like healthcare.
3. Legal Issues: Victims of data breaches may pursue litigation against compromised organizations, resulting in potential legal costs.
4. Productivity Loss: Dealing with the aftermath of a phishing attack can disrupt operations, leading to a loss of productivity.
5. HR Implications: Morale issues within the organization may arise due to breaches, leading to possible personnel changes and associated costs.
6. External Communications: Organizations may need to manage external communications to address the incident and reassure customers, partners, and stakeholders.

Educating Your Clients

To engage clients effectively, it’s crucial to present the implications of such attacks from a business perspective. Key talking points include:

1. Business Impact: Highlight the potential consequences specific to the client’s industry, such as regulatory involvement, reputational damage, and business interruptions.
2. Incident Response Planning: Emphasize the importance of having an incident response plan in place to minimize damage and recover swiftly in the event of an attack.

How SaaS Alerts Helps

Because prevention isn’t always foolproof, timely detection and response are critical in mitigating the impact of phishing attacks. SaaS Alerts offers valuable assistance in identifying compromised accounts and taking proactive measures quickly.

The key benefits of SaaS Alerts include:

1. Geolocation Monitoring: SaaS Alerts can identify suspicious logins and activities originating from unauthorized regions, providing an early warning sign of a compromised account.
2. Account Behavior Analysis: By monitoring email rules, file activity, and unexpected changes in access permissions, SaaS Alerts can identify anomalies and suspicious behavior associated with compromised accounts.
3. Automated Response: SaaS Alerts allows the creation of custom response rules, enabling automated actions to be taken when indicators of compromise are detected.

The use of advanced phishing kits, combined with sophisticated techniques, allows threat actors to compromise Microsoft 365 accounts more easily than ever before. It’s imperative for MSPs to prioritize cybersecurity measures, educate their clients about the risks of phishing attacks, and leverage tools like SaaS Alerts to enhance their detection and response capabilities in this ever-evolving threat landscape.