Phishing Kits & PhaaS

What Is Greatness?

Always Automated, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

Greatness is a Phishing-as-a-Service (PhaaS) platform offering Adversary-in-the-Middle (AiTM) reverse proxy capabilities, specifically designed to target Microsoft 365 and Gmail business accounts. First documented by Cisco Talos in May 2023 but believed to have been active since at least mid-2022, it enables cybercriminals with minimal technical expertise to launch large-scale credential harvesting campaigns with multi-factor authentication (MFA) bypass capabilities (Cisco Talos, 2023). Greatness charges approximately $120 per month for platform access and is operated by threat actor Storm-1295 and affiliated partners. Storm-1295 offers synchronous relay services to other attackers through an affiliate and reseller model, according to Microsoft threat intelligence reporting.

How Does Greatness Work?

AiTM Reverse Proxy Operation

According to Cisco Talos and KnowBe4, Greatness operates as a man-in-the-middle proxy, positioning itself between the victim and the legitimate cloud service (Microsoft 365 or Gmail).

MFA bypass through real-time interception follows six steps:

1. Credential capture: the victim enters a username and password on the phishing page generated by Greatness.
2. MFA detection: the platform queries the victim's account to determine whether MFA is enabled.
3. Code interception: when MFA is detected, the victim is prompted for additional credentials and authentication codes.
4. Live relay: using Microsoft's APIs or direct interception, Greatness captures the MFA code from SMS, TOTP, or push notification.
5. Authentication completion: the platform simultaneously relays the victim's MFA response to the legitimate Microsoft 365 service, obtaining a valid session cookie.
6. Session hijacking: the attacker gains full account access using valid session tokens.

Phishing page customization includes:

- Pre-filled email: phishing pages pre-populate the victim's email address, gathered from an email list or OSINT.
- Branding cloning: the target organization's logo is automatically extracted and replicated from the Microsoft 365 login page.
- Background images: these are extracted from the legitimate M365 login page and embedded in the phishing page for authenticity.

Attack Delivery Chain

The attack typically begins when the victim receives a malicious email containing an HTML file attachment, often disguised under the pretext of a shared document according to Cisco Talos. When the victim opens the attached HTML file, the web browser executes a short piece of obfuscated JavaScript code that establishes a connection to the attacker's server, retrieves the phishing page HTML code, and displays it to the user in the same browser window (Cisco Talos, 2023). This HTML attachment approach helps evade URL-based email filtering because the malicious content is loaded dynamically rather than linked directly.
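A mail gateway can triage this delivery pattern from the attachment alone. The sketch below is an added example, not code from Cisco Talos or from the kit: the function name, the scoring weights, and the two sample files are assumptions constructed for illustration, and the heuristics (script-only body, decoding calls, recipient address embedded in the file) follow the behaviour described above.

```python
import base64
import re
from html.parser import HTMLParser

# Decoding / dynamic-rendering calls typical of script-only loader attachments.
LOADER_CALLS = ("atob(", "unescape(", "String.fromCharCode", "eval(",
                "document.write(", "XMLHttpRequest", "fetch(")

class _Split(HTMLParser):
    """Separate <script> bodies from the text a reader would actually see."""
    def __init__(self):
        super().__init__()
        self.in_script, self.script, self.visible = False, [], []
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        (self.script if self.in_script else self.visible).append(data)

def triage_html_attachment(html: str, recipient: str) -> dict:
    """Score one HTML attachment; weights and threshold are illustrative."""
    parser = _Split()
    parser.feed(html)
    parser.close()
    script = "".join(parser.script)
    visible = " ".join("".join(parser.visible).split())
    decoded = ""  # peek inside base64 literals, where a loader can hide markup
    for blob in re.findall(r"[A-Za-z0-9+/=]{24,}", script):
        try:
            decoded += base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:
            pass  # not valid base64, ignore
    calls = sorted(c for c in LOADER_CALLS if c in script)
    result = {
        "script_only": bool(script.strip()) and len(visible) < 40,
        "loader_calls": calls,
        # A mass-mailed file has no reason to contain this recipient's address.
        "recipient_embedded": recipient.lower() in (html + decoded).lower(),
    }
    result["score"] = (2 * result["script_only"] + min(len(calls), 3)
                       + 2 * result["recipient_embedded"])
    result["quarantine"] = result["score"] >= 4
    return result

# Constructed samples (harmless): a script-only file vs. an ordinary HTML note.
_blob = base64.b64encode(b'<input value="alice@example.com">').decode()
SUSPICIOUS = f'<html><body><script>document.write(atob("{_blob}"))</script></body></html>'
BENIGN = "<html><body><h1>Q3 report</h1><p>Hi Alice, the figures we discussed last week are below.</p></body></html>"
```

The recipient check is the cheapest signal to compute at the gateway, because the envelope recipient is already known when the attachment is scanned.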

Operational Infrastructure

The platform's operational infrastructure includes:

- Attachment and link builder: integrated tools generate convincing phishing emails with malicious attachments or links, with an "Autograb" option that prefills the Microsoft 365 login page with the victim's email address to add credibility.
- Template library: pre-built phishing templates for Microsoft 365, Gmail, and other cloud services.
- Credential verification: real-time validation of captured credentials against the legitimate service.
- Telegram bot integration: threat actors receive stolen credentials and session cookies via Telegram bot notifications, enabling rapid action before sessions time out (Cisco Talos, 2023).
- Alternate delivery: operators can also configure alternate credential delivery via additional email accounts.

How Does Greatness Compare to Other Platforms?

- Tycoon 2FA: Tycoon is ranked the #1 AiTM platform in 2024-2025, with more sophisticated MFA bypass and higher prevalence. Greatness is ranked #3 among top PhaaS platforms in 2024, with simpler operation, lower cost ($120/month versus competitive pricing), and a strong Microsoft 365 focus.
- EvilProxy: both target cloud services with MFA bypass. EvilProxy entered the market earlier, with more sophisticated social engineering and higher pricing, while Greatness offers a lower barrier to entry, a simplified template-based approach, and accessibility to less-skilled operators.
- Evilginx: Evilginx is an open-source framework that requires technical setup and offers customization, while Greatness is a fully managed PhaaS with plug-and-play deployment that needs minimal technical expertise.
- NakedPages: NakedPages is ranked higher overall (#4 in top PhaaS and #3 in AiTM), with more evasion techniques, including 9 sequential redirects, and a longer operational history. Greatness is more narrowly focused on Microsoft 365, with simpler architecture, lower cost, and newer market entry.

Top PhaaS Platforms 2024 Ranking: 1. Caffeine, 2. Tycoon 2FA, 3. Greatness, 4. NakedPages, 5. Dadsec according to Sekoia.io and Trustwave.

Why Does Greatness Matter?

- Cost: the $120/month subscription fee is significantly lower than competitors'.
- Availability: advertised on underground forums and Telegram channels.
- Accessibility: marketed as "plug-and-play", requiring minimal technical expertise.
- Barrier to entry: very low, with simplicity and cost making it attractive to aspiring threat actors.
- Timeline: first documented in May 2023 by Cisco Talos. Activity spiked multiple times in 2023, with continued activity through 2024. The latest detection was December 2023 at the time of initial reporting, continuing into 2024.

In February 2024, Sucuri researchers reported finding components of the Greatness phish kit deployed on a number of hacked websites, indicating that operators were leveraging compromised legitimate domains to host phishing infrastructure (Sucuri, 2024). According to Sekoia.io analysis, both NakedPages and Greatness remain among the most prevalent AiTM phishing kits in 2024 and early 2025, and several PhaaS providers including Mamba 2FA, Tycoon 2FA, and Greatness now offer ready-to-use HTML phishing templates to their customers, accelerating adoption of AiTM techniques (Sekoia.io, 2024).

- Target organizations: sectors include manufacturing, IT and technology services, consulting firms, financial services, healthcare, and legal services.
- Campaign volume: hundreds of phishing campaigns were attributed to Greatness by late 2023.
- Market position: described as a "lower cost option" in the PhaaS market, attracting volume-oriented attackers, and part of the broader AiTM phishing surge in 2023-2024.
- Operational scope: Cisco Talos identified multiple active campaigns targeting business users across multiple industries, with the Storm-1295 partnership model enabling rapid scaling through affiliate and reseller relationships.

What Are the Limitations of Greatness?

- Template predictability: pre-built templates create detectable signatures, and antivirus and email security vendors quickly add Greatness pages to blocklists.
- API dependency: Greatness relies on Microsoft and Google APIs for MFA bypass, so API changes or authentication hardening can break the MFA bypass mechanism.
- Real-time requirement: MFA bypass requires live attacker presence or an automated relay service and cannot work asynchronously like credential-only harvesting.
- Victim awareness during attack: victims may notice unusual MFA prompts or timing issues during the relay process, and legitimate users may be confused by out-of-order prompts.
- Cost structure: at $120/month, operators need high conversion rates to achieve ROI, which incentivizes bulk spray-and-pray tactics that increase detection.
- Session cookie lifespan: stolen session tokens eventually expire, in hours to days, requiring attackers to use credentials quickly before session timeout.
- Account recovery: victims can still recover accounts if they notice suspicious activity, reset passwords, or enable additional security measures.
- Detection improvements: Microsoft and Google have hardened their MFA implementations and added anomalous access detection.

How Can You Defend Against Greatness?

Detection and prevention:

- Email filtering: block known Greatness phishing pages and sender addresses.
- URL sandboxing: detonate suspicious links in an isolated environment to detect Greatness pages.
- Credential guard: monitor for credential submission to non-Microsoft domains.
- DNS blocking: block known malicious domains hosting Greatness infrastructure.
- DKIM/SPF/DMARC: enforce email authentication to prevent spoofing of legitimate organization domains.

MFA hardening:

- Hardware security keys: more resistant to interception than SMS or TOTP.
- Passwordless authentication: move toward Windows Hello, FIDO2, or other non-phishable methods.
- Phishing-resistant MFA: use certified authenticators that validate the service origin.
- MFA on email: enforce MFA on email accounts themselves as the first line of defense.
- Conditional access: use Microsoft 365 conditional access policies to flag impossible travel, unusual locations, and new devices.

User and organizational controls:

- Security awareness training: teach users to recognize cloned login pages, unusual MFA prompts, and sender address spoofing.
- ZTNA/Zero Trust: implement Zero Trust Network Access to reduce the value of stolen credentials.
- Session timeout: aggressive session timeout policies reduce credential shelf-life.
- Device compliance: require corporate-managed devices for email access.
- Anomalous behavior detection: monitor for impossible travel, mass email rules creation, unusual file access, and email forwarding changes.
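The anomalous-behavior monitoring above can be expressed as a check for a session that is reused from an address other than the one that completed MFA, which is what a relayed session cookie looks like in sign-in and mailbox audit logs. This is an added example, not vendor or product code: the event fields, action labels, one-hour window, and sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events; the field names and action labels are hypothetical.
EVENTS = [
    {"ts": "2024-02-01T09:00:05", "user": "alice", "session": "s1",
     "ip": "198.51.100.7", "country": "NL", "action": "mfa_success"},
    {"ts": "2024-02-01T09:03:40", "user": "alice", "session": "s1",
     "ip": "203.0.113.44", "country": "BR", "action": "mail_read"},
    {"ts": "2024-02-01T09:04:10", "user": "alice", "session": "s1",
     "ip": "203.0.113.44", "country": "BR", "action": "inbox_rule_created"},
    {"ts": "2024-02-01T10:00:00", "user": "bob", "session": "s2",
     "ip": "192.0.2.10", "country": "US", "action": "mfa_success"},
    {"ts": "2024-02-01T10:20:00", "user": "bob", "session": "s2",
     "ip": "192.0.2.10", "country": "US", "action": "inbox_rule_created"},
]
SENSITIVE = {"inbox_rule_created", "forwarding_changed"}

def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Flag sessions reused from an address other than the one that passed MFA."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        by_session[e["session"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        origin = next((e for e in evs if e["action"] == "mfa_success"), None)
        if origin is None:
            continue  # session start not in this log slice; nothing to compare
        t0 = datetime.fromisoformat(origin["ts"])
        reasons = set()
        for e in evs:
            if e["ip"] == origin["ip"]:
                continue
            reasons.add("session_used_from_new_ip")
            # Crude stand-in for impossible travel: country change inside the window.
            near = abs(datetime.fromisoformat(e["ts"]) - t0) <= window
            if near and e["country"] != origin["country"]:
                reasons.add("impossible_travel")
            if e["action"] in SENSITIVE:
                reasons.add("mailbox_change_from_new_ip")
        if reasons:
            alerts.append({"session": sid, "user": origin["user"],
                           "reasons": sorted(reasons)})
    return alerts
```

Bob's inbox rule does not alert because it comes from the address that passed MFA, which keeps the rule from firing on ordinary mailbox administration.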

FAQs

How does Greatness bypass MFA if I use an authenticator app?

According to Cisco Talos and KnowBe4, Greatness doesn't cryptographically break MFA. Instead, when it detects that MFA is enabled on your account, it prompts you to enter your authenticator code or waits for your push notification response. While you're entering your code into the phishing page, Greatness simultaneously relays that code to the real Microsoft 365 service on your behalf, completing authentication before the code expires. The attacker then has your valid session token.

Why is Greatness so cheap ($120/month) compared to other PhaaS platforms?

According to market analysis, Greatness targets price-sensitive threat actors and cybercriminals without large budgets. Its lower cost enables volume-based campaigns with spray-and-pray tactics rather than targeted sophistication. This trade-off makes it accessible to low-skill actors, which increases adoption and attack volume, even if conversion rates are lower.

How does Greatness pre-fill my email address on the phishing page?

According to SpamTitan, Greatness operators typically obtain email lists from previous breaches, public sources including LinkedIn and company websites, or email enumeration tools. When launching a campaign, they feed these email addresses to Greatness, which generates phishing pages with pre-filled email fields. This small UX improvement increases the likelihood that victims complete the login form.

© 2026 Kinds Security Inc. All rights reserved.