The EvilProxy phishing service continues to gain popularity in targeting Microsoft 365 accounts that are protected by Multi-Factor Authentication (MFA). Research conducted by Proofpoint reveals a significant increase in successful cloud account takeovers in the past five months, particularly impacting high-ranking executives.

Diving into detail

According to Proofpoint, the campaign supported by EvilProxy utilizes brand impersonation, bot detection evasion, and open redirections.
The brands impersonated in the campaign include Adobe, DocuSign, and Concur.
  • If victims click on the embedded links in the phishing emails, they are redirected through several websites before landing on an EvilProxy phishing page that mimics the Microsoft 365 login page.
  • Once a Microsoft 365 account is compromised, the threat actors add their own MFA method (via Authenticator App with Notification and Code) to establish persistence.
  • The attackers used encoding techniques and compromised legitimate websites to hide user email addresses and create tailor-made phishing pages.
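The persistence step above (a new Authenticator method added shortly after the takeover) is something defenders can look for in identity logs. The following is an added example, not code from Proofpoint or Cyware: it correlates a successful sign-in from an IP the user has never used with an MFA method registration that follows within a short window. The record schema, field names and sample values are constructed assumptions, not the real Microsoft 365 log format.

```python
from datetime import datetime, timedelta

# Constructed sample records in a simplified, hypothetical schema that only
# loosely mirrors cloud sign-in and audit logs (field names are assumptions).
# A reverse-proxy kit relays the victim's session, so the sign-in the identity
# provider records comes from the proxy's address, not the victim's usual one.
SIGNINS = [
    {"user": "cfo@example.com", "time": "2023-07-20T08:00:00", "ip": "198.51.100.5", "success": True},
    {"user": "cfo@example.com", "time": "2023-08-01T09:02:00", "ip": "203.0.113.7", "success": True},
    {"user": "analyst@example.com", "time": "2023-07-21T08:30:00", "ip": "198.51.100.9", "success": True},
    {"user": "analyst@example.com", "time": "2023-08-01T10:50:00", "ip": "198.51.100.9", "success": True},
]
MFA_REGISTRATIONS = [  # "user registered security info" style events (constructed)
    {"user": "cfo@example.com", "time": "2023-08-01T09:10:00", "method": "Microsoft Authenticator"},
    {"user": "analyst@example.com", "time": "2023-08-01T11:00:00", "method": "Microsoft Authenticator"},
]


def find_suspicious_mfa_registrations(signins, registrations, window=timedelta(hours=1)):
    """Flag an MFA method registration when, within `window` before it, the same
    user signed in successfully from an IP that user had never used earlier."""
    parse = datetime.fromisoformat
    alerts = []
    for reg in registrations:
        reg_time = parse(reg["time"])
        window_start = reg_time - window
        user_signins = [s for s in signins if s["user"] == reg["user"] and s["success"]]
        recent = [s for s in user_signins if window_start <= parse(s["time"]) <= reg_time]
        for s in recent:
            # Baseline: any successful sign-in from this IP before the window opened.
            seen_before = any(p["ip"] == s["ip"] and parse(p["time"]) < window_start
                              for p in user_signins)
            if not seen_before:
                alerts.append({
                    "user": reg["user"], "method": reg["method"], "ip": s["ip"],
                    "signin_time": s["time"], "registration_time": reg["time"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mfa_registrations(SIGNINS, MFA_REGISTRATIONS):
        print(f"ALERT {alert['user']}: {alert['method']} registered at "
              f"{alert['registration_time']} after first-seen IP {alert['ip']}")
```

In the sample data only the CFO account is flagged: its registration follows a sign-in from a never-seen address, while the analyst registers a method after signing in from a known one.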

Targeted victims

  • Over a hundred organizations were targeted with 120,000 phishing emails to steal Microsoft 365 accounts.
  • Among the affected accounts, 39% belonged to C-level executives, 9% to CEOs and 17% to chief financial officers, along with employees who had access to financial assets or sensitive information.

Conclusion

Reverse proxy phishing kits, and EvilProxy in particular, remain a potent threat in today’s dynamic threat landscape. The significant rise in such phishing kits exposes crucial gaps in organizations’ defense strategies. As these attacks are launched via email, organizations must strengthen their email and web security to defend against advanced hybrid threats.
Cyware Publisher