Evilproxy Phishing Campaign Targets 120,000 Microsoft 365 Users

Cyber Security Threat Summary:
EvilProxy has emerged as a widely used phishing platform for attacking MFA-secured accounts. According to Proofpoint’s recent findings, over 120,000 phishing emails have been sent to more than a hundred organizations in an attempt to compromise Microsoft 365 accounts. Proofpoint’s research highlights a significant increase in successful cloud account takeovers, especially affecting top-level executives, over the last five months. The cybersecurity firm has detected an extensive campaign driven by EvilProxy. This campaign employs tactics such as brand impersonation, evasive bot detection, and the utilization of open redirects.

“EvilProxy is a phishing-as-a-service platform that employs reverse proxies to relay authentication requests and user credentials between the user (target) and the legitimate service website. As the phishing server proxies the legitimate login form, it can steal authentication cookies once a user logs into their account. Furthermore, as the user already had to pass MFA challenges when logging into an account, the stolen cookie allows the threat actors to bypass multi-factor authentication. As reported in September 2022 by Resecurity, EvilProxy is sold to cyber criminals for $400/month, promising the ability to target Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and PyPI accounts. A new phishing campaign observed by Proofpoint since March 2023 is using the EvilProxy service to send emails that impersonate popular brands like Adobe, DocuSign, and Concur. If the victim clicks on the embedded link, they go through an open redirection via YouTube or SlickDeals, followed by a series of subsequent redirections that aim to lower the chances of discovery and analysis. Eventually, the victim lands on an EvilProxy phishing page that reverse proxies the Microsoft 365 login page, which also features the victim's organization theme to appear authentic” (BleepingComputer, 2023).

Proofpoint explains that the attacker took steps to conceal the targeted user's email address from automated scanning tools. They achieved this by encoding the user’s email address in the link and by uploading PHP code to compromised legitimate websites, where that code was responsible for decoding the targeted address. Once the email address was successfully decoded, the user was redirected to the final destination: a customized phishing page designed specifically for that target’s organization.
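As an added illustration (not code from Proofpoint or the page), the following Python link-triage helper shows how a defender can spot the two link properties described above: a known redirector handing off to an off-site host, and a victim email address hidden in the URL as base64 or hex. The redirector hosts come from the write-up; the query-parameter names, the encodings tried and all sample URLs are assumptions or constructed.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Redirector hosts named in the write-up. Parameter names vary per site and are
# not on the page, so every query value is inspected for an embedded URL.
KNOWN_REDIRECTORS = {"youtube.com", "www.youtube.com",
                     "slickdeals.net", "www.slickdeals.net"}
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")


def _hostname(url):
    return (urlparse(url).hostname or "").lower()


def find_open_redirect(url):
    """Return the off-site target when a known redirector hands off elsewhere."""
    if _hostname(url) not in KNOWN_REDIRECTORS:
        return None
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            target = unquote(value)
            if target.startswith(("http://", "https://")):
                if _hostname(target) not in KNOWN_REDIRECTORS:
                    return target
    return None


def _b64(s):
    try:  # tolerate missing padding and the URL-safe alphabet
        return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def _hex(s):
    try:
        return bytes.fromhex(s).decode()
    except ValueError:
        return None


def decode_embedded_email(url):
    """Recover a base64- or hex-encoded address hidden in the URL path or query."""
    parsed = urlparse(url)
    candidates = [seg for seg in parsed.path.split("/") if seg]
    for values in parse_qs(parsed.query).values():
        candidates.extend(values)
    for cand in candidates:
        for decoder in (_b64, _hex):  # the kit's exact encoding is not on the page
            text = decoder(cand)
            if text and EMAIL_RE.match(text):
                return text
    return None
```

Recovering the encoded address also tells the responder which user was targeted, which is useful when triaging who to contact or whose sessions to revoke.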

Security Officer Comments:
Researchers observed that users with Turkish IP addresses were redirected to a genuine website, suggesting the operation might originate from Turkey. The attackers were selective, focusing on “VIP” targets during the account takeover process and overlooking lower-ranked individuals. The compromised accounts included 39% C-level executives, 9% CEOs/Vice presidents, 17% CFOs, and the remainder were employees with access to valuable financial or sensitive data. After successfully compromising a Microsoft 365 account, the malicious actors add their own multi-factor authentication method to ensure ongoing access. The emergence of reverse proxy phishing kits, with EvilProxy being a prominent example, poses an escalating threat by facilitating large-scale, sophisticated phishing attacks.
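The persistence step above (registering an attacker-controlled MFA method after a takeover) is detectable in identity logs. The Python below is an added example, not tooling from Proofpoint or the page: it pairs each security-info registration with a recent sign-in from an IP outside the user's baseline. The events, baseline and field names are constructed assumptions loosely modelled on Entra ID sign-in and audit records.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real log data; field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2023-08-01T08:55:00", "user": "cfo@example.com", "kind": "signin",
     "ip": "198.51.100.20"},
    {"ts": "2023-08-01T09:02:00", "user": "cfo@example.com", "kind": "signin",
     "ip": "203.0.113.7"},  # replayed session from an unfamiliar address
    {"ts": "2023-08-01T09:05:00", "user": "cfo@example.com", "kind": "audit",
     "activity": "User registered security info", "ip": "203.0.113.7"},
    {"ts": "2023-08-01T10:30:00", "user": "analyst@example.com", "kind": "signin",
     "ip": "198.51.100.21"},
    {"ts": "2023-08-01T10:31:00", "user": "analyst@example.com", "kind": "audit",
     "activity": "User registered security info", "ip": "198.51.100.21"},
]

# Baseline of addresses each user normally signs in from (constructed).
KNOWN_IPS = {
    "cfo@example.com": {"198.51.100.20"},
    "analyst@example.com": {"198.51.100.21"},
}

# Audit activity wording assumed to match the tenant's audit log.
MFA_ACTIVITIES = {"User registered security info"}
WINDOW = timedelta(hours=1)


def find_suspicious_mfa_registrations(events, known_ips, window=WINDOW):
    """Flag MFA-method registrations preceded by a sign-in from an unknown IP."""
    alerts = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(ordered):
        if ev["kind"] != "audit" or ev.get("activity") not in MFA_ACTIVITIES:
            continue
        reg_time = datetime.fromisoformat(ev["ts"])
        for prior in ordered[:i]:
            if prior["kind"] != "signin" or prior["user"] != ev["user"]:
                continue
            if reg_time - datetime.fromisoformat(prior["ts"]) > window:
                continue
            if prior["ip"] not in known_ips.get(ev["user"], set()):
                alerts.append({"user": ev["user"], "signin_ip": prior["ip"],
                               "registered_at": ev["ts"]})
                break  # one alert per registration is enough
    return alerts
```

A hit is a strong prompt to revoke the user's sessions and review the registered authentication methods, since the stolen cookie itself never appears in the logs as a failed MFA challenge.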

Suggested Correction(s):
Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from their customers. If in doubt, users should verify with the company itself to avoid any potential issues.

Users should always take a close look at the sender’s display name and address when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.

As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.

Check for mismatched URLs. While an embedded link might seem perfectly valid, hovering over it might reveal a different web address. In fact, users should avoid clicking links in emails unless they are certain that the link is legitimate.

Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.

Users should not be frightened or intimidated by messages that have an alarmist tone. They should double-check with the company if they are uncertain about the status of their accounts.

Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.

Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.

Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.

Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.

It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.

If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.