🚨 OAuth Token Abuse Is Growing: Greatness Returns with Device Code Phishing
We've identified renewed activity associated with the Greatness #PhaaS, which combines #AiTM and Device Code #Phishing to target Microsoft 365 accounts.
⚠️ Device Code Phishing abuses Microsoft's legitimate device authorization flow to obtain access tokens without directly collecting passwords or MFA codes. This shifts risk from credential theft to token abuse, leaving SOC teams with fewer traditional phishing indicators to detect and investigate.
❗️ Greatness promotes token- and cookie-based access to Microsoft 365 accounts through its Telegram channel, advertising passwordless and code-less account compromise scenarios.
Observed capabilities include:
🔹 Device Code Phishing for M365 token theft
🔹 Phishing templates impersonating DocuSign, OneDrive, Outlook, and Voicemail
🔹 Country-targeted login lures
🔹 Cloudflare-hosted phishing links
🔹 Keyword-based targeting engine
🔹 Centralized administration panel
👨‍💻 Review the analysis session, investigate the phishing flow, and validate detection coverage: https://app.any.run/tasks/dd97835c-8a07-4917-ba23-cb8d8493b174/?utm_source=mastodon&utm_medium=post&utm_campaign=greatness_phaas&utm_term=100626&utm_content=linktoservice
🔍 Track Device Code Phishing activity associated with Greatness and uncover related infrastructure in #ANYRUN TI Lookup: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=greatness_phaas&utm_content=linktotilookup&utm_term=100626#%7B%22query%22:%22threatName:%5C%22greatness%5C%22%20and%20threatName:%5C%22oauth-ms-phish%5C%22%22,%22dateRange%22:180%7D
🚀 Strengthen phishing detection and accelerate response across your SOC with #ANYRUN: https://any.run/phishing/?utm_source=mastodon&utm_medium=post&utm_campaign=greatness_phaas&utm_term=100626&utm_content=linktophishinglanding
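
One way to check detection coverage for the device code flow described above, as an added example (not ANY.RUN's code and not part of the original post): it scans Entra ID sign-in records for successful sign-ins whose `authenticationProtocol` is `deviceCode` from accounts not expected to use that flow. The log lines, the allowlist and the function name are constructed for illustration; the field names are assumed to follow the Microsoft Graph signIn resource.

```python
import json
from collections import defaultdict

# Constructed sign-in records (JSON lines). Field names are assumed to follow
# the Microsoft Graph signIn resource; every value is invented for the example.
SAMPLE_LOG = """\
{"createdDateTime":"2025-01-10T08:01:00Z","userPrincipalName":"alice@example.com","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"none","ipAddress":"198.51.100.10","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-01-10T08:30:00Z","userPrincipalName":"svc-room@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.20","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-01-10T09:12:00Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2025-01-10T09:40:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.80","location":{"countryOrRegion":"US"},"status":{"errorCode":50199}}
"""

# Hypothetical allowlist: accounts expected to use the device code flow.
EXPECTED_DEVICE_CODE_USERS = {"svc-room@example.com"}


def find_suspicious_device_code_signins(log_text, allowlist=EXPECTED_DEVICE_CODE_USERS):
    """Return successful device-code sign-ins by users not expected to use the flow."""
    records = sorted((json.loads(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["createdDateTime"])
    seen_countries = defaultdict(set)  # per-user countries from earlier successful sign-ins
    alerts = []
    for r in records:
        user = r["userPrincipalName"].lower()
        country = r.get("location", {}).get("countryOrRegion")
        succeeded = r.get("status", {}).get("errorCode") == 0  # non-zero = not successful
        if r.get("authenticationProtocol") == "deviceCode" and succeeded and user not in allowlist:
            alerts.append({
                "time": r["createdDateTime"],
                "user": user,
                "app": r.get("appDisplayName"),
                "ip": r.get("ipAddress"),
                # A token issued in a country the user has not signed in from
                # before raises the priority of the alert.
                "new_country": country not in seen_countries[user],
            })
        if succeeded:
            seen_countries[user].add(country)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_device_code_signins(SAMPLE_LOG):
        print(alert)
```

Because no password or MFA code is collected, the sign-in record itself is the main artifact; alerts from a check like this are a starting point for reviewing the tokens issued to that session.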
