Chris Swagler | August 30th, 2023

EvilProxy Phishing

The EvilProxy phishing platform has emerged as a potent threat, focusing on Microsoft 365 users, specifically high-ranking executives, and circumventing multi-factor authentication (MFA). Recent research by cybersecurity firm Proofpoint has exposed a disturbing trend: EvilProxy has orchestrated a phishing campaign targeting over 120,000 Microsoft 365 users across over a hundred organizations. This surge in activity, which has occurred over the past five months, underscores the urgency for stronger cloud account protection.

EvilProxy operates as a phishing-as-a-service platform. It places a reverse proxy between the target user and the legitimate service website, relaying authentication requests and user credentials in both directions. The method is twofold: as users enter their login credentials on the proxied page, EvilProxy’s servers capture them and also harvest the authentication cookies the legitimate service issues. Replaying those stolen cookies lets the attackers bypass MFA and gain unauthorized access to the victims’ Microsoft 365 accounts.

What sets EvilProxy apart from its counterparts is its comprehensive approach, combining brand impersonation, bot-detection evasion, and open-redirection techniques. The cybercriminals behind the campaign disguise their efforts by impersonating reputable brands such as Adobe, DocuSign, and Concur. This well-crafted illusion lures victims into clicking embedded links, which then start a chain of redirections designed to obscure the malicious destination.

Researchers uncovered a particularly telling aspect of this campaign: users with Turkish IP addresses were redirected to legitimate sites instead of the phishing page, suggesting a possible geographic origin of the attack. Additionally, the threat actors displayed a clear hierarchy of targets, favoring “VIP” figures within organizations while ignoring lower-level personnel. Strikingly, 39% of compromised accounts belonged to C-level executives, highlighting the high-stakes nature of the campaign.

The far-reaching implications of this campaign shed light on the challenges posed by emerging phishing-as-a-service platforms. As these tools gain traction, even non-technical cybercriminals can orchestrate sophisticated attacks against widely used online services such as Microsoft, Google, and Facebook. As the prevalence of cloud-based services increases, so does the attack surface, necessitating proactive cybersecurity measures.

Experts emphasize that traditional security measures, including conventional multi-factor authentication, can no longer thwart such advanced threats on their own. The focus is shifting towards context-aware authentication and dynamic, risk-based authorization to safeguard digital identities effectively. Organizations must prioritize security awareness, implement robust email filtering rules, and consider adopting physical security keys based on FIDO (Fast Identity Online) protocols.
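The two paragraphs above explain the mechanism (a reverse proxy relaying credentials and harvesting the resulting session cookies) and the recommended countermeasure (FIDO security keys). The following model, added here as a teaching example and not code from the article, Proofpoint, or SpearTip, shows why the difference matters: a relayed one-time code verifies fine no matter where it was typed, whereas a FIDO2/WebAuthn-style assertion is scoped to the RP ID and signed over the origin the browser observed, so an assertion obtained on a look-alike domain fails at the real service. The origins, RP ID, user name and OTP value are constructed, and an HMAC keyed with a per-credential secret stands in for the authenticator's asymmetric signature.

```python
"""Why a credential-relaying reverse proxy defeats a relayed one-time code but
not an origin-bound (FIDO2/WebAuthn-style) assertion.

Constructed teaching model, not code from the article or any vendor. It
simplifies WebAuthn: an HMAC keyed with a per-credential secret stands in for
the authenticator's asymmetric signature, and browser_get_assertion() applies
the two checks a real browser enforces (the RP ID must be the page's domain or
a registrable suffix of it; the page origin is written into the signed data).
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Constructed origins: the tenant's real login page and the look-alike the proxy serves.
LEGIT_ORIGIN = "https://login.example-tenant.test"
PROXY_ORIGIN = "https://login.example-tenant-lookalike.test"
LEGIT_RP_ID = "example-tenant.test"


class Authenticator:
    """Simplified security key holding one credential secret per RP ID."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        self._creds[rp_id] = secrets.token_bytes(32)
        # Handed to the RP as the verification key (a public key in real WebAuthn).
        return self._creds[rp_id]

    def get_assertion(self, rp_id, challenge, origin):
        if rp_id not in self._creds:
            return None  # no credential scoped to this RP ID
        # The origin the browser observed is part of the signed data (clientDataJSON).
        client_data = json.dumps({"challenge": challenge, "origin": origin},
                                 sort_keys=True).encode()
        sig = hmac.new(self._creds[rp_id], client_data, hashlib.sha256).digest()
        return client_data, sig


def browser_get_assertion(auth, page_origin, requested_rp_id, challenge):
    """The user agent's checks before the authenticator is consulted."""
    host = urlparse(page_origin).hostname
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return None  # a page may not claim an RP ID its own domain is not under
    return auth.get_assertion(requested_rp_id, challenge, page_origin)


class RelyingParty:
    def __init__(self, origin, rp_id):
        self.origin, self.rp_id, self.keys = origin, rp_id, {}

    def enroll(self, user, auth):
        self.keys[user] = auth.register(self.rp_id)

    def verify_assertion(self, user, challenge, assertion):
        if assertion is None:
            return False
        client_data, sig = assertion
        expected = hmac.new(self.keys[user], client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False  # signature does not cover this client data
        data = json.loads(client_data)
        return data["challenge"] == challenge and data["origin"] == self.origin

    @staticmethod
    def verify_otp(submitted, expected):
        # A one-time code carries no information about where it was typed.
        return hmac.compare_digest(submitted, expected)


def _enrolled():
    rp, auth = RelyingParty(LEGIT_ORIGIN, LEGIT_RP_ID), Authenticator()
    rp.enroll("alice", auth)  # constructed user
    return rp, auth, secrets.token_hex(16)


def relayed_otp_login():
    """The code shown to the user is typed into the proxy page and forwarded verbatim."""
    rp = RelyingParty(LEGIT_ORIGIN, LEGIT_RP_ID)
    code_issued = "482913"            # constructed OTP value
    typed_on_proxy_page = code_issued  # victim enters it on the look-alike page
    forwarded_by_proxy = typed_on_proxy_page
    return rp.verify_otp(forwarded_by_proxy, code_issued)  # accepted: True


def legitimate_fido_login():
    rp, auth, challenge = _enrolled()
    assertion = browser_get_assertion(auth, LEGIT_ORIGIN, LEGIT_RP_ID, challenge)
    return rp.verify_assertion("alice", challenge, assertion)  # True


def relayed_fido_login():
    """Browser is on the proxy origin; the proxy relays whatever comes back."""
    rp, auth, challenge = _enrolled()
    assertion = browser_get_assertion(auth, PROXY_ORIGIN, LEGIT_RP_ID, challenge)
    return rp.verify_assertion("alice", challenge, assertion)  # False: RP ID mismatch


def origin_binding_alone():
    """Even if the RP ID check were skipped, the proxy origin sits inside the signed data."""
    rp, auth, challenge = _enrolled()
    assertion = auth.get_assertion(LEGIT_RP_ID, challenge, PROXY_ORIGIN)
    return rp.verify_assertion("alice", challenge, assertion)  # False: origin mismatch


def proxy_rewrites_origin():
    """Editing the origin field to the real one breaks the signature instead."""
    rp, auth, challenge = _enrolled()
    client_data, sig = auth.get_assertion(LEGIT_RP_ID, challenge, PROXY_ORIGIN)
    forged = client_data.replace(PROXY_ORIGIN.encode(), LEGIT_ORIGIN.encode())
    return rp.verify_assertion("alice", challenge, (forged, sig))  # False
```

The takeaway for defenders is in the last three functions: the relayed assertion is rejected by the browser's RP ID scoping, would still be rejected by the origin check if that scoping were somehow absent, and cannot be repaired by the proxy because the origin is under the signature. The one-time code has none of these properties, which is why it relays cleanly through a platform like EvilProxy.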

In this rapidly evolving landscape of cyber threats, the EvilProxy campaign is a stark reminder that cybersecurity strategies must evolve with the sophistication of attacks. Safeguarding sensitive corporate information, the integrity of user accounts, and digital identities demands nothing less than a multifaceted and forward-thinking defense strategy. As organizations navigate this treacherous terrain, proactive measures must take precedence to protect invaluable digital assets and maintain users’ trust.

At SpearTip, we offer phishing training as mitigation to enhance skills related to defending against these threats. The training tests the discernment of your team, educates employees regarding common phishing tactics and indicators, and identifies related security gaps in your environment. Our team creates phishing email simulations like those threat actors use and sends them throughout the organization. We provide insight and feedback to improve the cyber defenses of your team, leading to a profound decrease in the likelihood of being victimized by phishing scams. After the training, our team provides precise and thorough strategies to harden your environment and implement ongoing awareness training.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
