    EvilProxy Phishing Campaign Targets Microsoft 365 Users, Focuses on C-Level Executives

By Bal Marsius | August 10, 2023 | Updated: November 28, 2023 | 3 Mins Read

A phishing campaign is out to get C-level executives. This sophisticated threat has been around for a while, and it is back to claim more victims. Here is how it works.


    The EvilProxy phishing platform has emerged as a potent threat, successfully targeting MFA-protected accounts and causing concern among cybersecurity experts. Over 120,000 phishing emails have been dispatched to more than a hundred organisations, aiming to compromise Microsoft 365 accounts.

    C-Level Executives Targeted

    This escalating trend in successful cloud account takeovers has especially impacted high-ranking executives. EvilProxy’s campaign involves a combination of brand impersonation, evasion tactics against bot detection, and the use of open redirections.

EvilProxy is sold as phishing-as-a-service and works as a reverse proxy: it sits between the victim and the genuine sign-in page, relaying the real login form while capturing the credentials entered into it. Because the victim completes the real MFA challenge through the proxy, the session cookie issued afterwards passes through the proxy as well and is captured there, and that cookie lets the attacker use the account without facing MFA again.

    A Long-standing Problem

    EvilProxy’s capabilities were highlighted in a September 2022 report by Resecurity, which revealed its availability for $400/month to cybercriminals, promising access to a range of prominent accounts including those on Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and PyPI.

EvilProxy has been used to send emails impersonating well-known brands such as Adobe, DocuSign, and Concur. Once victims click the embedded links, they are taken through a chain of open redirections on platforms like YouTube or SlickDeals, a path designed to minimise the chances of detection.

    Eventually, victims land on a phishing page operated by EvilProxy. This page cleverly mirrors the Microsoft 365 login interface, often incorporating the victim’s organisation theme to lend an air of authenticity.

To evade automated scanning tools, attackers encode the victim’s email address in the link and use compromised legitimate websites to decode it along the way.
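The redirect chain and the encoded address described above are both things a mail filter can check before a link is delivered. The following Python script is an added example for this article, not code from the original post or from any vendor: it unwraps nested URL-valued query parameters offline (no link is ever fetched) and looks for base64-encoded email addresses in the fully decoded link. The hostnames (`video-site.example`, `deals-site.example`, `login-m365.example`), the sample link and the encoded address are all constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlparse

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
# base64 / base64url tokens long enough to hold an address; '=' padding optional
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")


def fully_unquote(url):
    """Undo nested percent-encoding (redirect chains are often encoded twice)."""
    while (decoded := unquote(url)) != url:
        url = decoded
    return url


def decode_email(token):
    """Return the e-mail address hidden in a base64(url) token, or None."""
    bare = token.rstrip("=")
    padded = bare + "=" * (-len(bare) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if EMAIL_RE.match(text):
            return text
    return None


def unwrap_redirects(url, max_depth=5):
    """Follow URL-valued query parameters offline; return (hosts, final_url)."""
    hosts = []
    current = url
    for _ in range(max_depth):
        parsed = urlparse(current)
        hosts.append(parsed.hostname or "")
        # parse_qsl percent-decodes each value once, which is exactly one hop.
        nested = next((v for _, v in parse_qsl(parsed.query, keep_blank_values=True)
                       if v.startswith(("http://", "https://"))), None)
        if nested is None:
            break
        current = nested
    return hosts, current


def find_encoded_emails(url):
    """Every base64-looking token in the decoded link that decodes to an address."""
    decoded = fully_unquote(url)
    return [e for e in (decode_email(t) for t in B64_TOKEN_RE.findall(decoded)) if e]


def analyze_link(url):
    """Combine both checks into the kind of verdict a mail filter could act on."""
    hosts, final_url = unwrap_redirects(url)
    emails = find_encoded_emails(url)
    findings = []
    if len(set(hosts)) > 1:
        findings.append("open-redirect chain: " + " -> ".join(hosts))
    if emails:
        findings.append("encoded recipient address: " + ", ".join(emails))
    return {"hosts": hosts, "final_url": final_url,
            "encoded_emails": emails, "findings": findings}


# Constructed sample: a video-site redirect wrapping a deals-site redirect wrapping a
# lookalike login page whose query string carries the target's base64-encoded address.
SAMPLE_LINK = ("https://video-site.example/redirect?q=https%3A%2F%2Fdeals-site.example%2Fout"
               "%3Fu%3Dhttps%253A%252F%252Flogin-m365.example%252F%253Fid%253DY2ZvQGV4YW1wbGUuY29t")
BENIGN_LINK = "https://docs.example/report?id=123"

if __name__ == "__main__":
    for link in (SAMPLE_LINK, BENIGN_LINK):
        print(analyze_link(link))
```

Because the unwrapping never contacts the redirecting sites, the check is safe to run on every inbound message; a filter would typically quarantine on either finding and log the final host for the SOC.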

Interestingly, the campaign showed a preference for targeting Turkish IP addresses, hinting at a possible base of operations in Turkey. The attackers were also selective about which accounts to take over, prioritising “VIP” figures while disregarding lower-level individuals. Among the compromised accounts, 39% belonged to C-level executives, 9% to CEOs and vice presidents, and 17% to chief financial officers.

    Hardware-based Security Might be Needed

Once a Microsoft 365 account is compromised, the threat actors register their own multi-factor authentication method on it to maintain persistence. The rise of reverse-proxy phishing kits, with EvilProxy as a prime example, presents a growing challenge: they can run large-scale, high-quality phishing campaigns that undermine MFA protections.
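The persistence step described above leaves a trace a defender can hunt for in the tenant's own logs: a self-service MFA registration that follows shortly after the first sign-in from an IP address the user has never used before. The Python below is an added example written for this article, not code from the original post or from Microsoft. The records are constructed, flattened stand-ins for Microsoft Entra ID (Azure AD) sign-in and audit log entries (real `directoryAudit` records nest the actor under `initiatedBy.user`), and the one-hour window is an assumption to tune per tenant.

```python
from datetime import datetime, timedelta

# Audit-log activity names Microsoft Entra ID (Azure AD) records for self-service
# MFA enrolment.
REGISTRATION_EVENTS = {
    "User registered security info",
    "User registered all required security info",
}

# Constructed sample records (every value invented). Field names follow the Microsoft
# Graph signIn and directoryAudit resources, flattened for the example: a real
# directoryAudit record carries the actor under initiatedBy.user.
SIGN_INS = [
    {"createdDateTime": "2023-07-25T10:00:00Z", "userPrincipalName": "analyst@example.com",
     "ipAddress": "203.0.113.22", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-08-01T08:02:11Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-08-01T09:15:40Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-08-01T09:20:05Z", "userPrincipalName": "analyst@example.com",
     "ipAddress": "203.0.113.22", "status": {"errorCode": 0}},
]
AUDITS = [
    {"activityDateTime": "2023-08-01T09:18:02Z", "userPrincipalName": "cfo@example.com",
     "activityDisplayName": "User registered security info", "ipAddress": "198.51.100.77"},
    {"activityDateTime": "2023-08-01T09:30:00Z", "userPrincipalName": "analyst@example.com",
     "activityDisplayName": "User registered security info", "ipAddress": "203.0.113.22"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def first_seen(sign_ins):
    """Earliest successful sign-in per (user, source IP) pair: the user's IP history."""
    seen = {}
    for rec in sign_ins:
        if rec["status"]["errorCode"] != 0:
            continue  # failed attempts do not establish a known IP
        key = (rec["userPrincipalName"], rec["ipAddress"])
        when = _ts(rec["createdDateTime"])
        if key not in seen or when < seen[key]:
            seen[key] = when
    return seen


def suspicious_mfa_registrations(sign_ins, audits, window=timedelta(hours=1)):
    """Flag MFA-method registrations that occur within `window` of the first time the
    user ever signed in from the registering IP. `window` is an assumption to tune."""
    history = first_seen(sign_ins)
    hits = []
    for event in audits:
        if event["activityDisplayName"] not in REGISTRATION_EVENTS:
            continue
        key = (event["userPrincipalName"], event["ipAddress"])
        registered_at = _ts(event["activityDateTime"])
        first = history.get(key)
        if first is None or not (timedelta(0) <= registered_at - first <= window):
            continue  # IP has a longer history for this user (or no sign-in at all)
        hits.append({
            "user": key[0], "ip": key[1], "registered_at": event["activityDateTime"],
            "minutes_since_first_sign_in": round((registered_at - first).total_seconds() / 60, 1),
        })
    return hits


if __name__ == "__main__":
    for hit in suspicious_mfa_registrations(SIGN_INS, AUDITS):
        print(hit)
```

In the sample the analyst's registration comes from an IP with a week of history and is ignored, while the CFO's registration, a couple of minutes after the first sign-in from a brand-new IP, is flagged. On a real tenant the same logic runs over the Graph `auditLogs/signIns` and `auditLogs/directoryAudits` exports, and a hit is a strong prompt to revoke the user's sessions and review their registered methods.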

    Countermeasures against EvilProxy encompass heightened security awareness, stringent email filtering rules, and the adoption of FIDO-based physical keys.

To fortify accounts further, adopting hardware-based security keys is the recommended strategy. This approach, recently adopted by Discord, underscores the importance of robust defences against evolving phishing tactics.
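Why do FIDO keys resist a reverse proxy when one-time codes do not? A WebAuthn assertion is bound to the page origin and the relying-party ID, both of which the browser fills in itself, and the key signs over them. The Python below is an added example for this article, not code from the original post or from any FIDO implementation: it simulates the relying party's verification steps and runs the proxy scenarios against them. `login.example` and the lookalike `login-example.example` are constructed names, and HMAC-SHA256 over a secret shared at registration stands in for the real per-credential private-key signature so that the script needs only the standard library.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


def rp_id_hash(rp_id):
    """authenticatorData begins with SHA-256 of the relying party ID."""
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """Toy FIDO key, one credential per relying party ID. Simplification: HMAC-SHA256
    over a secret shared at registration replaces the real private-key signature; the
    signed layout (authenticatorData || SHA-256(clientDataJSON)) follows WebAuthn."""

    def __init__(self):
        self._credentials = {}  # rp_id -> secret

    def register(self, rp_id):
        self._credentials[rp_id] = secrets.token_bytes(32)
        return self._credentials[rp_id]  # a public key in real WebAuthn

    def get_assertion(self, rp_id, origin, challenge):
        # Browser-enforced: rpId must be the page's host or a registrable suffix of
        # it, so a page served from a proxy domain cannot ask for the real site's rpId.
        host = urlparse(origin).hostname or ""
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise ValueError("browser: rpId does not match page origin")
        if rp_id not in self._credentials:
            raise ValueError(f"authenticator: no credential for {rp_id}")
        # The browser, not the page, writes the true origin into clientDataJSON.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, separators=(",", ":")).encode()
        auth_data = rp_id_hash(rp_id) + b"\x01" + (0).to_bytes(4, "big")  # flags, signCount
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self._credentials[rp_id], signed, hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    """Server-side verification in the order the WebAuthn spec lists the checks."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}  # user -> registration secret
        self.pending = {}      # user -> outstanding challenge

    def begin_login(self, user):
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def finish_login(self, user, assertion):
        client_data = json.loads(assertion["clientDataJSON"])
        if client_data.get("challenge") != self.pending.get(user):
            return "rejected: challenge mismatch"
        if client_data.get("origin") != self.origin:
            return "rejected: origin mismatch"
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != rp_id_hash(self.rp_id):
            return "rejected: rpIdHash mismatch"
        signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.credentials[user], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return "rejected: bad signature"
        self.pending.pop(user)  # a production server discards it on failure as well
        return "accepted"


def simulate():
    """Genuine login plus the proxy scenarios; returns each outcome by name."""
    rp = RelyingParty("login.example", "https://login.example")  # constructed RP
    proxy_origin, proxy_rp_id = "https://login-example.example", "login-example.example"
    key = Authenticator()
    rp.credentials["cfo"] = key.register(rp.rp_id)
    outcomes = {}

    # 1. User on the genuine site: everything lines up.
    challenge = rp.begin_login("cfo")
    outcomes["direct"] = rp.finish_login("cfo", key.get_assertion(rp.rp_id, rp.origin, challenge))

    # 2. Proxy relays the genuine challenge, but the page is served from its own domain.
    challenge = rp.begin_login("cfo")
    for rp_id, label in ((rp.rp_id, "proxy_asks_real_rpid"), (proxy_rp_id, "proxy_asks_own_rpid")):
        try:
            key.get_assertion(rp_id, proxy_origin, challenge)
        except ValueError as err:
            outcomes[label] = str(err)

    # 3. Even if the key (unrealistically) had a credential for the lookalike, an
    #    assertion made for the proxy's rpId/origin cannot be passed off as genuine.
    key.register(proxy_rp_id)
    relayed = key.get_assertion(proxy_rp_id, proxy_origin, challenge)
    outcomes["relay_as_is"] = rp.finish_login("cfo", relayed)
    patched = dict(relayed, clientDataJSON=relayed["clientDataJSON"].replace(
        proxy_origin.encode(), rp.origin.encode()))
    outcomes["relay_patched_origin"] = rp.finish_login("cfo", patched)
    patched["authenticatorData"] = rp_id_hash(rp.rp_id) + relayed["authenticatorData"][32:]
    outcomes["relay_patched_rpid"] = rp.finish_login("cfo", patched)
    return outcomes
```

The realistic outcome is scenario 2: on the proxy's page the browser refuses the genuine site's rpId, and the only rpId it will accept has no credential on the key, so the user is never able to sign in through the proxy and nothing is captured. Scenario 3 shows why relaying would fail even with a credential: origin, rpIdHash and signature each tie the assertion to the site the user actually saw, which is the property a one-time code or push approval lacks.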

    Bal Marsius

    Bal was BTW's copywriter specialising in tech and productivity tools. He has experience working in startups, mid-size tech companies, and non-profits.
