
Greatness

Global rank: 23 | Month rank: 41 | Week rank: 27 | IOCs: 0

Greatness is a Phishing-as-a-Service (PhaaS) platform that enables cybercriminals, even those with limited technical skills, to launch sophisticated phishing attacks primarily targeting Microsoft 365 (M365) credentials. It acts as a man-in-the-middle (MitM) proxy, facilitating credential theft and MFA bypass while providing affiliates with easy-to-use tools like attachment builders and Telegram notifications.

Type: Phishing kit
Origin: Unknown
First seen: 1 June, 2022
Last seen: 22 June, 2026


Inside Greatness: The Phishing-as-a-Service Platform Turning MFA Into a False Sense of Security

Key Takeaways

  • Greatness is a rentable crime kit, not a one-off malware sample. For roughly $120/month, it gives low-skill attackers an MFA-bypassing, brand-accurate Microsoft 365 phishing platform.

  • It defeats MFA by relaying it, not breaking it. Greatness's adversary-in-the-middle design captures live session cookies after a real MFA exchange, meaning standard MFA alone is not a complete defense.

  • Businesses are the near-exclusive target. Victimology consistently points to manufacturing, healthcare, technology, and document-heavy industries across the U.S., U.K., Australia, South Africa, and Canada.

  • The lure keeps evolving to dodge filters. Greatness has shifted from HTML attachments to PDF files with embedded QR codes and direct links specifically to outrun email security improvements.

  • Exfiltration is built for speed. Stolen credentials and session cookies are pushed to attackers via Telegram in real time, because authenticated sessions can expire quickly.

  • Static indicators alone won't catch it. Because Greatness validates API keys server-side and serves decoy pages to suspected analysis environments, detection needs behavioral and sandbox-driven intelligence, not just blocklists.

  • Proactive intelligence closes the gap between exposure and detection. ANY.RUN's Threat Intelligence Lookup lets analysts hunt down Greatness-linked domains, infrastructure, and behavioral patterns through live sandbox data — often before public advisories surface them.

TI Lookup query for a Greatness-linked domain:

domainName:"aitomayu.com"

Greatness domain with linked IOCs and sandbox detonations

Threat Intelligence Feeds push those indicators automatically into SIEM, SOAR, and firewall defenses, keeping protection current without constant manual tracking.

What is Greatness Malware?

Greatness is a phishing-as-a-service (PhaaS) toolkit designed to help cybercriminals create and operate convincing Microsoft 365 credential-harvesting campaigns. Researchers first publicly documented Greatness in 2023, though activity linked to the platform had been observed since at least mid-2022. The service focused on Microsoft 365 users and included features commonly associated with more mature phishing operations:

  • A phishing-link and attachment builder for affiliates;
  • Branded Microsoft 365 login templates;
  • Victim email pre-population, making phishing pages look more personalized;
  • Company logo and background retrieval to imitate the victim’s organization;
  • IP-based filtering to hide malicious content from analysts and unwanted visitors;
  • Telegram bot integration for rapid delivery of stolen credentials;
  • MFA bypass capabilities, often associated with adversary-in-the-middle phishing flows;
  • Redirect logic that sends victims to legitimate pages after credential capture.

This combination lowers the technical barrier for phishing operators. An affiliate does not need to build a credential-harvesting site from scratch or manually collect submissions. Greatness turns phishing into a service pipeline: lure, capture, notify, exploit.

Unlike traditional malware that must be installed on a device, Greatness attacks the identity layer. Its goal is to capture corporate Microsoft 365 credentials and session data, then hand attackers the keys to email, cloud storage, collaboration tools, and potentially much more.

For businesses, this makes Greatness especially dangerous. One successful phishing page can become the first domino in a business email compromise (BEC) scheme, data theft incident, invoice fraud campaign, or broader cloud compromise.

Once an affiliate buys access, they get an "Office Page" builder that creates deceptive emails, HTML/PDF attachments, or malicious links, all wrapped in obfuscated JavaScript designed to slip past spam filters and static scanners. The signature feature is its "Autograb" capability — when a target opens the lure, Greatness automatically pre-fills their email address and renders the real background image and company logo lifted from the target organization's actual Microsoft 365 login portal. The result looks less like a generic phishing page and more like the victim's own employee login screen.

Behind the scenes, Greatness functions as a proxy. It sits between the victim and the genuine Microsoft 365 authentication service, relaying credentials and, critically, intercepting one-time MFA codes in real time. This adversary-in-the-middle design is what separates Greatness from older, simpler credential-harvesting kits — it doesn't just steal a password, it can walk away with a live, authenticated session.

ANY.RUN Interactive Sandbox lets analysts view a Greatness sample detonation session, investigate the phishing flow, and validate detection coverage.

View analysis

Greatness detonated in Interactive Sandbox

How Greatness Threatens Businesses and Organizations

Greatness is built almost exclusively to target organizations, not individual consumers, and the damage from a single successful capture can cascade well beyond one stolen password:

  • Account takeover with MFA bypassed. By relaying MFA prompts and capturing the resulting session cookie, Greatness can hand an attacker a fully authenticated session — sidestepping the very control most businesses rely on to stop credential phishing.
  • Business email compromise (BEC). A compromised Microsoft 365 account gives attackers a foothold to launch invoice fraud, payroll diversion, or further internal spear-phishing using a trusted identity.
  • Lateral movement and follow-on attacks. Stolen corporate credentials are frequently reused to pivot into VPNs, cloud apps, and internal systems, often as a precursor to ransomware deployment.
  • Data exposure and compliance fallout. Access to a Microsoft 365 mailbox or OneDrive/SharePoint account can expose sensitive customer, financial, or employee data, triggering regulatory and breach-notification obligations.
  • Low barrier, high volume. Because Greatness requires no real technical skill to operate, it scales the number of capable attackers targeting any given business — increasing the odds that an employee receives a convincing lure.
  • Brand and trust damage. Because each phishing page is branded with the victim organization's own logo and login background, successful campaigns can implicate the targeted company's brand in the eyes of partners or customers who receive follow-on attacks from compromised accounts.


Victimology: Who Is Most at Risk?

Geographically, victims have been concentrated in the U.S., U.K., Australia, South Africa, and Canada, with the United States accounting for the majority of observed victims.

By sector, the most frequently targeted industries include:

  • Manufacturing — consistently identified as the most targeted sector across analyzed campaigns.
  • Healthcare — repeatedly ranked among the top targeted sectors, valued for sensitive patient data and often-stretched IT security resources.
  • Technology — attractive due to high-value intellectual property and frequent third-party integrations.
  • Real estate, education, construction, finance, and business services — all named among industries affected in Cisco Talos's analysis of victim sectors.

What unites these sectors isn't necessarily weak defenses — it's that they all rely heavily on Microsoft 365 for daily operations, exchange large volumes of attachments and invoices with external parties (making urgent-document lures more believable), and often have distributed, less centrally monitored email environments (multiple offices, franchises, or job sites). Any organization that fits this profile — heavy M365 reliance, high attachment/document throughput, and a broad employee base outside a tightly monitored HQ — should consider itself a plausible target regardless of size.

The Evolution of Greatness and Notable Activity

  • Mid-2022 — Quiet emergence. Greatness began operating without public reporting, building out its phishing-kit infrastructure and AiTM API.

  • Late 2022 / early 2023 — First wave and public disclosure. Activity spiked in December 2022 and again in March 2023, and in May 2023, Cisco Talos and BleepingComputer published the first detailed public advisories, exposing Greatness's MFA-bypass capabilities, IP filtering, and Telegram integration.

  • 2023 — HTML attachment era and security community tracking. Researchers (Hornetsecurity, Sucuri, and others) documented Greatness phishing kits hidden on compromised legitimate websites, often buried deep in website file structures to evade detection, with thousands of associated phishing pages surfacing in URLScan results.

  • Late 2023 into 2024 — Surge and tooling upgrade. Trustwave SpiderLabs tracked a renewed spike in activity from December 2023 into January 2024, coinciding with a kit update in early January 2024 that added customizable email elements (sender names, subjects, attachments, QR codes) and stronger anti-detection measures like header randomization and improved obfuscation.

  • 2024 — Delivery method shift. Trellix research tracked a strategic move away from pure HTML attachments toward PDF lures containing QR codes and direct embedded URL links — a shift aimed at evading email security tools that had adapted to flag HTML attachments. Lures observed in this period impersonated compensation policy reviews, SharePoint document-sharing notifications, employee benefits documents, and DocuSign agreement requests.

  • 2024–2025 — Sustained relevance among AiTM kits. Despite the rise of newer AiTM platforms like Tycoon 2FA and EvilProxy, threat-intelligence tracking shows Greatness and NakedPages remaining among the most prevalent AiTM phishing kits through 2024 and into early 2025, with the broader AiTM ecosystem increasingly adopting HTML attachments that execute JavaScript directly and, in early 2025, malicious SVG attachments as a redirect mechanism.

Unlike single-incident malware families with one headline breach, Greatness's notability comes from its persistence and adaptability as infrastructure — it has remained a working, maintained criminal product for multiple years, continuously updated to outrun detection while powering an unknown but clearly large number of individual business compromises across multiple campaigns and affiliates.

How Greatness Gets Into Systems and Spreads

Greatness does not usually “infect” a system in the conventional malware sense. It reaches victims through phishing and attempts to compromise their cloud identity.

Initial delivery

Common delivery methods include:

  • Phishing emails containing malicious links;
  • HTML attachments that redirect victims to phishing pages;
  • Fake shared-document notifications;
  • Messages impersonating Microsoft 365, IT teams, vendors, or business partners;
  • Lures themed around invoices, voicemail alerts, secure documents, account warnings, and password expiration.

The toolkit reportedly includes builders that help affiliates create malicious links and attachments, allowing campaigns to be adapted quickly to a chosen target or theme.

Credential capture

When a victim opens the lure, they are directed to a fraudulent Microsoft 365 login page. Greatness can tailor the page by pre-populating the victim’s email address and retrieving organization-specific branding. This makes the page feel less like a generic trap and more like a familiar corporate login flow.

Expansion after account compromise

Once an account is compromised, attackers may expand their access through the cloud environment rather than through self-replicating code. Possible follow-on actions include:

  • Searching mailboxes for invoices, payment instructions, and sensitive documents;
  • Creating inbox rules to hide security alerts or payment-related messages;
  • Sending phishing emails from the compromised mailbox;
  • Impersonating the victim in Teams or email;
  • Targeting suppliers, customers, and internal contacts;
  • Attempting to register additional MFA methods or establish persistent access;
  • Using stolen information to conduct BEC, fraud, or further social engineering.

In short, Greatness spreads through trust. A stolen account can become a new phishing platform, a reconnaissance source, and a fraud channel.

How Greatness Functions

At its core, Greatness operates as a real-time adversary-in-the-middle (AiTM) proxy between the victim and Microsoft's actual authentication servers, rather than a simple static fake-login-page kit. Its functional components:

  • The Phishing Kit / Admin Panel: Deployed by the affiliate, this is the only component the victim ever touches directly. It serves the HTML/JavaScript for each step of the attack and lets the affiliate configure their API key, Telegram bot, target lists, and lure templates, while logging stolen data locally.
  • The Service API: The operational core. It validates affiliate API keys (a phishing page won't even load without a valid key), applies IP-based access restrictions to dodge researchers and sandboxes, and — most importantly — handles the live, behind-the-scenes communication with Microsoft's genuine login endpoint.
  • The Authentication Relay (AiTM): Once the victim submits a password, the API uses it to authenticate against the real Microsoft 365 service in real time, posing as the victim. If MFA is enabled, the legitimate Microsoft service sends a one-time code to the real user, who is then prompted by the fake page to enter it — the API immediately relays this code back to Microsoft to complete authentication, capturing a fully valid, authenticated session cookie in the process.
  • Exfiltration via Telegram: Once a session cookie or credential set is captured, it's pushed instantly to the affiliate's Telegram channel (or the web admin panel) — a design choice driven by the fact that authenticated sessions can time out quickly, so speed of notification directly affects how usable the stolen access remains.
  • Obfuscation and anti-analysis: Source code is heavily obfuscated to deter cloning and reverse engineering, configuration files that point to the central server are encoded, and the kit can serve a fake "invalid API key" or denial page instead of phishing content when it detects scrutiny.

The net effect: Greatness doesn't just collect a username and password sitting in a database somewhere — it actively hijacks the login process itself, in real time, making MFA an incomplete defense on its own.
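The relay described above works because a one-time code carries nothing that ties it to the site where it was typed, so the proxy can forward it unchanged. Phishing-resistant MFA (FIDO2/WebAuthn, as recommended later on this page) closes that gap by binding every assertion to the page origin and relying-party ID, both of which the browser fills in and the proxy cannot override. The added example below is not part of ANY.RUN's page or of any real login service; it implements the origin and RP-ID binding checks of WebAuthn assertion verification (signature verification is deliberately left out) against constructed values, and shows that the same ceremony completed on a relay page is rejected. `RP_ID`, `RP_ORIGIN` and the relay origin are constructed for the example.

```python
import base64
import hashlib
import json

# Constructed relying-party identity for this example (a real deployment
# would use the legitimate login service's own RP ID and origin).
RP_ID = "login.example-tenant.test"
RP_ORIGIN = "https://login.example-tenant.test"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def client_data_json(page_origin: str, challenge: bytes) -> bytes:
    # The browser, not the page script, writes "origin": it is always the
    # origin the user is actually on, so a relay page cannot spoof it.
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    ).encode()


def authenticator_data(rp_id: str) -> bytes:
    # rpIdHash (32 bytes) || flags (1 byte, UP|UV set) || signCount (4 bytes).
    # Browsers only allow an rpId that is a registrable suffix of the page's
    # own domain, so a relay on another domain cannot request the real RP ID.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")


def verify_binding(client_data: bytes, auth_data: bytes, expected_challenge: bytes):
    """Binding checks an RP performs before checking the signature.

    In a real verifier the signature is then checked over
    auth_data || sha256(client_data) with the credential's registered key;
    because that hash covers the origin, a relay cannot rewrite it either.
    """
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def simulate(page_origin: str, page_rp_id: str, challenge: bytes):
    """What the RP sees when the user completes the ceremony on a page at
    page_origin whose script asked for page_rp_id."""
    cd = client_data_json(page_origin, challenge)
    ad = authenticator_data(page_rp_id)
    return verify_binding(cd, ad, challenge)


if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; normally random per ceremony
    print("direct login :", simulate(RP_ORIGIN, RP_ID, challenge))
    # Constructed relay origin: the victim's browser is on the proxy's domain.
    relay = "login-m365-docs.relay.example"
    print("via relay    :", simulate("https://" + relay, relay, challenge))
```

Contrast this with the OTP flow on this page: a six-digit code typed into the relay page is identical to one typed into the real page, so nothing on the server side can tell them apart; the WebAuthn origin check fails for the relay before the signature is even examined.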

How Businesses Can Use ANY.RUN’s Threat Intelligence Feeds and TI Lookup Against Greatness

Threat intelligence can help organizations move from reactive detection to proactive defense.

ANY.RUN’s Threat Intelligence Lookup supports rapid triage of suspicious links, domains, hashes, IP addresses, and other observables. Analysts can pivot from a single phishing artifact to related infrastructure, behavioral evidence, and historical context.

For example, when an analyst encounters a suspicious Microsoft 365-themed URL, they can use TI Lookup to determine whether it is associated with known phishing infrastructure, identify linked indicators, investigate similar samples, and prioritize containment. This helps teams move from “this email looks suspicious” to “this is likely part of a known credential-theft operation” with more confidence.

Use Threat Intelligence Lookup to find more fresh Greatness sandbox analyses, gather IOCs, observe kill chains, and follow the PhaaS’s evolution:

threatName:"greatness" and threatName:"oauth-ms-phish".

Greatness sandbox analyses found in TI Lookup

ANY.RUN’s Threat Intelligence Feeds can help security teams ingest fresh indicators and behavioral context into security controls and workflows. For Greatness-related activity, teams can use feeds to enrich detection and blocking across:

  • Secure email gateways,
  • SIEM and SOAR platforms,
  • EDR and XDR tools,
  • DNS filtering and secure web gateways,
  • Firewalls and proxy controls,
  • Threat-hunting platforms.

Relevant intelligence may include malicious domains, URLs, IP addresses, phishing-page paths, file hashes, redirect infrastructure, and related behavioral indicators. Freshness matters because phishing infrastructure can rotate quickly, sometimes faster than manual blocklist updates.
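Because phishing infrastructure rotates quickly, a feed consumer has to age indicators out as well as load them in. The added example below is not ANY.RUN's code and does not use the schema of its Threat Intelligence Feeds; it ingests constructed JSON Lines records with the example's own field names, drops anything not seen within a freshness window, collapses hosts whose parent domain is already blocked, and emits domain, IP and URL lists plus DNS RPZ lines for a resolver. All indicators in the sample feed are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed feed records (JSON Lines). Field names are this example's own.
FEED_JSONL = """
{"indicator": "aitm-login.example", "type": "domain", "last_seen": "2024-01-15T09:00:00Z", "threat": "greatness"}
{"indicator": "mail.aitm-login.example", "type": "domain", "last_seen": "2024-01-14T20:00:00Z", "threat": "greatness"}
{"indicator": "https://docs-share.example/office/verify", "type": "url", "last_seen": "2024-01-15T11:00:00Z", "threat": "greatness"}
{"indicator": "203.0.113.7", "type": "ip", "last_seen": "2024-01-15T10:00:00Z", "threat": "greatness"}
{"indicator": "stale-kit.example", "type": "domain", "last_seen": "2023-12-01T08:00:00Z", "threat": "greatness"}
"""

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def parse_feed(text: str) -> list:
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["last_seen"] = datetime.fromisoformat(rec["last_seen"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def host_of(rec: dict):
    """Host name to block for a domain or URL record; None for other types."""
    if rec["type"] == "url":
        return (urlparse(rec["indicator"]).hostname or "").lower() or None
    if rec["type"] == "domain":
        return rec["indicator"].lower().rstrip(".")
    return None


def collapse_domains(domains) -> list:
    """Drop a host when one of its parent domains is already in the list."""
    keep = set()
    for d in sorted(domains, key=lambda d: d.count(".")):
        parts = d.split(".")
        parents = (".".join(parts[i:]) for i in range(1, len(parts) - 1))
        if not any(p in keep for p in parents):
            keep.add(d)
    return sorted(keep)


def build_blocklist(text: str, now: datetime, max_age: timedelta = timedelta(hours=72)) -> dict:
    """Fresh indicators only: anything last seen before now - max_age is aged out."""
    records = parse_feed(text)
    cutoff = now - max_age
    fresh = [r for r in records if r["last_seen"] >= cutoff]
    hosts = {h for h in (host_of(r) for r in fresh) if h}
    return {
        "domains": collapse_domains(hosts),
        "ips": sorted(r["indicator"] for r in fresh if r["type"] == "ip"),
        "urls": sorted(r["indicator"] for r in fresh if r["type"] == "url"),
        "expired": len(records) - len(fresh),
    }


def to_rpz(domains) -> list:
    """Response Policy Zone lines: block the domain and every subdomain."""
    lines = []
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


def example_blocklist() -> dict:
    return build_blocklist(FEED_JSONL, NOW)


if __name__ == "__main__":
    bl = example_blocklist()
    print(json.dumps(bl, indent=2))
    print("\n".join(to_rpz(bl["domains"])))
```

Re-running the build on every feed pull with the real current time is what keeps the `expired` set moving: an indicator that stops appearing in the feed falls out of the blocklist on its own, which is the freshness property the paragraph above describes.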

TI Feeds benefits and integrations

Additional defensive measures:

Organizations should combine intelligence-led detection with identity and email security controls:

  • Deploy phishing-resistant MFA. Prefer FIDO2 security keys, passkeys, or certificate-based authentication where possible. These approaches are more resilient to many real-time phishing and adversary-in-the-middle attacks than SMS or push-based MFA.
  • Use conditional access policies. Restrict access based on device health, geographic anomalies, risky sign-ins, impossible travel, and unfamiliar locations.
  • Monitor for suspicious cloud identity events. Alert on new MFA method registration, unfamiliar OAuth consent, anomalous mailbox forwarding rules, unusual sign-in patterns, and risky session activity.
  • Strengthen email authentication. Configure and enforce SPF, DKIM, and DMARC to reduce domain spoofing and improve visibility into unauthorized email use.
  • Inspect HTML attachments and redirect chains. Many phishing campaigns rely on simple-looking attachments or multi-stage redirects that evade basic filtering.
  • Train users around business-context lures. Awareness training should focus on realistic scenarios: document-sharing notices, vendor invoices, payment changes, voicemail alerts, and Microsoft 365 sign-in prompts.
  • Reduce account privileges. Apply least privilege and separate administrative accounts from daily email accounts.
  • Prepare an account-takeover playbook. Define fast-response actions: revoke sessions, reset passwords, remove malicious MFA methods, inspect mailbox rules, review OAuth grants, search for internal phishing, and notify affected partners if necessary.
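The follow-on actions listed under "Expansion after account compromise" (hiding inbox rules, registering extra MFA methods, reusing a captured session) are exactly the cloud identity events the monitoring item above says to alert on. The added example below is not ANY.RUN's code and is not a real SIEM rule; it runs three detections over constructed, simplified audit events whose field names are this example's own (loosely modelled on, but not identical to, Microsoft 365 unified audit log records): a session that satisfied MFA from one IP and is then used from another IP without MFA, an inbox rule that hides invoice or security-related mail, and an MFA method change from an IP that never completed MFA for that user. Users, IPs, session IDs and timestamps are all constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed, simplified audit events (JSON Lines). Field names are this
# example's own; real unified audit log records differ in shape.
EVENTS_JSONL = """
{"time": "2024-01-15T09:00:05Z", "user": "j.doe@example.test", "op": "UserLoggedIn", "ip": "198.51.100.10", "country": "US", "mfa": true, "session": "s1"}
{"time": "2024-01-15T09:02:30Z", "user": "j.doe@example.test", "op": "UserLoggedIn", "ip": "203.0.113.7", "country": "NL", "mfa": false, "session": "s1"}
{"time": "2024-01-15T09:05:00Z", "user": "j.doe@example.test", "op": "New-InboxRule", "ip": "203.0.113.7", "country": "NL", "params": {"SubjectContainsWords": ["invoice", "payment"], "MoveToFolder": "RSS Subscriptions", "MarkAsRead": true}}
{"time": "2024-01-15T09:06:10Z", "user": "j.doe@example.test", "op": "Update user.", "ip": "203.0.113.7", "country": "NL", "modified": ["StrongAuthenticationMethod"]}
{"time": "2024-01-15T10:00:00Z", "user": "a.smith@example.test", "op": "UserLoggedIn", "ip": "198.51.100.11", "country": "US", "mfa": true, "session": "s2"}
{"time": "2024-01-15T10:10:00Z", "user": "a.smith@example.test", "op": "New-InboxRule", "ip": "198.51.100.11", "country": "US", "params": {"SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters", "MarkAsRead": false}}
"""

# Folders attackers commonly use to park hidden mail, and subjects they hide.
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "archive", "junk email", "conversation history"}
SENSITIVE_WORDS = {"invoice", "payment", "wire", "password", "security", "alert", "mfa"}


def load_events(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def detect_session_reuse(events, window=timedelta(minutes=30)) -> list:
    """An MFA-satisfied session reused from a different IP without a new MFA."""
    alerts = []
    logins = [e for e in events if e["op"] == "UserLoggedIn"]
    for first in logins:
        if not first["mfa"]:
            continue
        for later in logins:
            same = later["user"] == first["user"] and later["session"] == first["session"]
            in_window = first["time"] < later["time"] <= first["time"] + window
            if same and in_window and later["ip"] != first["ip"] and not later["mfa"]:
                alerts.append((later["time"], later["user"], "session-reuse",
                               f"session {later['session']} MFA'd from {first['ip']} ({first['country']}) "
                               f"then used from {later['ip']} ({later['country']})"))
    return alerts


def detect_hiding_rules(events) -> list:
    """Inbox rule that hides mail about payments, security or MFA."""
    alerts = []
    for e in events:
        if e["op"] != "New-InboxRule":
            continue
        p = e["params"]
        folder = (p.get("MoveToFolder") or "").lower()
        words = {w.lower() for w in p.get("SubjectContainsWords", [])}
        hides = folder in HIDING_FOLDERS or p.get("DeleteMessage") or p.get("MarkAsRead")
        if hides and words & SENSITIVE_WORDS:
            alerts.append((e["time"], e["user"], "hiding-inbox-rule",
                           f"rule moves {sorted(words & SENSITIVE_WORDS)} mail to '{p.get('MoveToFolder')}'"))
    return alerts


def detect_mfa_method_change(events, window=timedelta(hours=1)) -> list:
    """MFA method changed from an IP that did not complete MFA for this user."""
    alerts = []
    for e in events:
        if e["op"] != "Update user." or "StrongAuthenticationMethod" not in e.get("modified", []):
            continue
        trusted_ips = {l["ip"] for l in events
                       if l["op"] == "UserLoggedIn" and l["user"] == e["user"] and l["mfa"]
                       and e["time"] - window <= l["time"] <= e["time"]}
        if e["ip"] not in trusted_ips:
            alerts.append((e["time"], e["user"], "mfa-method-change",
                           f"MFA method changed from {e['ip']} ({e['country']}); MFA'd IPs: {sorted(trusted_ips)}"))
    return alerts


def run_detections(text: str) -> list:
    events = load_events(text)
    return sorted(detect_session_reuse(events) + detect_hiding_rules(events) + detect_mfa_method_change(events))


if __name__ == "__main__":
    for when, user, rule, detail in run_detections(EVENTS_JSONL):
        print(f"{when.isoformat()} {user} [{rule}] {detail}")
```

All three alerts land on the same account within a few minutes, which is the pattern the account-takeover playbook above is built for: the first alert (session reuse) is the trigger to revoke sessions, and the other two identify what to undo (the inbox rule and the added MFA method) during cleanup.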


Conclusion

Greatness demonstrates how phishing has evolved from a low-effort nuisance into a service-driven identity-compromise industry. Its operators and affiliates do not need to deploy ransomware or custom malware to create serious business damage. A convincing Microsoft 365 login page, captured credentials, and a stolen session can be enough to expose sensitive data, enable payment fraud, and compromise trusted business communications.

Defending against Greatness requires more than teaching users to spot bad emails. Organizations need visibility into phishing infrastructure, cloud identity events, suspicious mailbox behavior, and the fast-changing indicators that connect isolated alerts to active campaigns.

The strongest approach combines phishing-resistant authentication, layered email defenses, cloud monitoring, incident-ready identity controls, and actionable threat intelligence that helps teams recognize Greatness-style infrastructure before it turns into a business incident.

Trial TI Lookup to start gathering actionable threat intelligence on the malware that threatens your business sector and region: just sign up to ANY.RUN.
