The Phishing-as-a-Service platform targeting Microsoft 365 customers

How does phishing-as-a-service (PhaaS) really work, and can it really bypass MFA? Here, we will walk you through the user interface of a PhaaS platform, and how its users can quickly build their own attacks using the built-in attack models and templates (and bypass MFA). For a layered approach, beyond MFA, we will introduce you to the benefits of using a threat intelligence solution to stay-ahead of emerging and advanced phishing attacks.

The PhaaS landscape

Software-as-a-Service (SaaS) has exploded over the past decade, allowing businesses to pay for the specialized software licenses they need without painful installations and lengthy, inflexible contracts. So why would the cybercrime industry be any different? Cybercriminals have also adopted the ‘as-a-service’ model, diversifying, and specializing, then selling their expertise to others. This has lowered the barrier of entry to cybercrime, as now non-technical threat actors can purchase everything they need for an attack. 

Nowhere is this industrialization of cybercrime more pronounced than phishing – the leading cyber-attack infection vector according to IBM’s 2023 Threat Intelligence Index. The emergence of ‘Phishing-as-a-Service, or PhaaS, involves experienced threat actors developing the code and managing the infrastructure to launch phishing campaigns, then selling it on to less experienced attackers. Just like legitimate SaaS businesses, there are different monetization strategies, including licenses, subscriptions, and payment based on results (in the case of PhaaS, the amount of credentials stolen).  

To illustrate how PhaaS service works, our Threat Intelligence team, KrakenLabs, provides a detailed walkthrough of a PhaaS provider known as ‘Greatness’ including how its phishing kit can be deployed. The findings from this analysis, as well as Outpost24’s comprehensive threat hunting infrastructure, are built into Threat Compass, our cyber threat intelligence solution. Threat Compass covers a broad range of threats on the market and can also help protect your business against targeted phishing attacks through its domain protection module.  

Deep dive into a PhaaS service: ‘Greatness’  

Greatness is a phishing tool, that has been in the wild since (at least) November 2022, and used to obtain credentials and cookies to access Microsoft 365 accounts. Among its capabilities, it offers the ability to deal with accounts with multi-factor authentication (MFA) enabled.  

The Greatness platform

Let’s take a look at the various user-friendly components a buyer can use to craft a successful phishing attack. 

Greatness login form 

Like any SaaS application, the user is set up with a license and login credentials after they have submitted their payment. To get started, the user is directed to an admin panel where they enter their password to log into the platform. 

Greatness login form
Greatness login form 

Dashboard 

Once logged in, the main page is the Results Dashboard. Here, the operator of the phishing campaign will see the different credentials that have been captured, and be able to measure the returns on their investment in Greatness.  

Greatness Dashboard
Greatness Dashboard 

Campaign builder 

The Greatness ‘office page’ contains the main functionality of the product. It acts as a builder where users can create different types of attacks. For example, the attacker might want to create a phishing email containing a link that opens the victim’s browser and takes them to a fake credential-harvesting login page. Or they may prefer to include a malicious attachment that downloads malware when opened.  

The tool allows the user to generate different attack models or templates to speed up future phishing campaigns. In all cases, the result will be an html file with the desired characteristics, designed to either to be sent as an attachment (html attachment options) or hosted (link-based options) in a fraudulent URL. 

Greatness phishing page styles
Greatness phishing page styles 

An example of a fraudulent invoice is shown in the following figure. The generated HTML file looks like a blurred office document with a Microsoft login form overlayed, asking for credentials to view it. The builder offers other options too, such as the ability to modify the background so it looks like other kinds of files, such as Word or PDF documents. It also has an ‘autograb’ function, which allows attackers to set the target account in advance, meaning the victim only has to enter the password and making it appear more believable. 

Greatness fake tax invoice
Greatness fake tax invoice 

Once the victim has entered the password, the tool will try to check if the account in question has a multi-factor authentication (MFA) method enabled. If so, it will then ask for the corresponding input, whether that’s a code sent by SMS or an OTP. Then, it will use Microsoft’s API to obtain a valid session cookie.  

The office page also offers a series of configuration options. The first option is to check server status, as in order to work, the Greatness phishing kit must have a valid license key and must be able to check it against a central server. It also allows the upload of a new configuration file (named httpd.grt), and an option to block access by IP.

Greatness office page settings
Greatness office page settings 

Settings page 

Greatness settings page
Greatness settings page 

The last part of the Greatness panel is the settings page. Here, the threat actor can configure the panel display name, password, and more importantly, alternative ways to recover the stolen credentials. The Greatness panel has the capability of sending the results by a Telegram bot, by email, or both. Its settings page also shows the client API key necessary for the phishing kit to work.

How does Greatness protect itself from theft? 

As we have seen in the first figure, the Greatness panel requires a password to operate. But it’s the client who hosts the panel, so how do they prevent these clients from simply stealing the source code? The first mechanism we find is heavy obfuscation of the source code. Similar to some commercial software, we find the source code heavily obfuscated in an attempt to make it difficult to see how it works and prevent it from being easily copied. 

Obfuscated source code
Obfuscated source code

Obfuscation is not the only protection mechanism.  When a generated HTML phishing file is opened, it sends a request to the central server in order to check if the API key is valid. It will then send the proper HTML code to continue with the attack if the API key is the right one. If it’s not, instead of the phishing page, the central server will just send “no” and the below page will be rendered. 

Incorrect API key error message
Incorrect API key error message 

The location of this “central server” is defined in the httpd.grt file, as we can see after de-obfuscating the source code. They also try to hide the address of the server by obfuscating the configuration file, encoding the corresponding entry using a series of techniques to make it difficult to spot. This server may change between different installations and over time. 

central server’s unencrypted function.
Central server’s unencrypted function. 

Staying one step ahead of PhaaS providers 

The Greatness phishing kit is an example of the evolution in the never-ending game of phishing. As time passes, increasingly powerful tools designed to bypass the protections offered by MFA appear in the wild, and business models such as PhaaS put them in the hands of anyone willing to pay the price, regardless of their knowledge and skills.  

However, this development has introduced new restrictions on the developers, such as the need to be able to control licenses, opening new doors for threat intelligence analysts when researching threat actor activity and detection. 

Mitigating this kind of attack involves following a series of best practices. On the one hand, we have the proactive side which includes end-user training to help employees recognize common patterns in phishing attacks. Businesses can also perform phishing simulated exercises to obtain metrics and further improve awareness. 

From the reactive side, one solution that has proven effective is monitoring the location from which a user has successfully logged in. Strange events within a user’s pattern, such as logging in from distant locations within a short period of time or connecting through a proxy/VPN can be a strong indication that the credential has been compromised. 

Threat Compass offers protection and mitigation against this threat with its module approach. The Dark Web module provides increasing situational awareness of what is going on in the underground and what kind of actors could be targeting your organization. You can consult detailed intelligence on threat actors and the tools they use in Threat Context. With the Domain Protection module, we also monitor the use of fraudulent domains either to steal data or to damage brand image. 

About KrakenLabs

KrakenLabs is Outpost24’s Cyber Threat Intelligence team. Our team helps businesses stay ahead of malicious actors in the ever-evolving threat landscape, helping you keep your assets and brand reputation safe. With a comprehensive threat hunting infrastructure, our Threat Intelligence solution covers a broad range of threats on the market to help your business detect and deter external threats. 

About the Author

Adrian Del Prado author
Adrian Del Prado Threat Intelligence Analyst, Outpost24

Adrián is a Threat Intelligence Analyst in Outpost24's KrakenLabs department. He is interested in offensive cybersecurity, the APT landscape and programming of weird machines. CTF player.