
EvilProxy Cyberattack Hits Executives through Microsoft 365

A massive phishing campaign utilizing the EvilProxy tool has been targeting Microsoft 365 user accounts worldwide, aimed at taking over executive accounts and initiating further attacks within organizations, according to cybersecurity firm Proofpoint. The campaign, which took place between March and June of this year, involved the sending of 120,000 phishing emails to more than 100 organizations globally.

Proofpoint researchers revealed that the attackers employed various phishing tactics during the campaign, including brand impersonation, scan blocking, and a multi-step infection chain. These tactics were successful in compromising the cloud accounts of top-level executives. The number of account takeovers has increased by over 100% in the past six months, affecting organizations representing 1.5 million employees worldwide.

The use of EvilProxy, a phishing-as-a-service offering built on reverse-proxy and cookie-injection techniques, allowed the attackers to bypass multi-factor authentication (MFA) and gain unauthorized access to targeted accounts. Despite the commonly held belief that MFA protects against phishing, the rise of tools like EvilProxy has made it easier for cybercriminals to defeat this control.

In their blog post, the Proofpoint researchers explained that the phishing pages used in the campaign could request MFA credentials, enabling the attackers to authenticate themselves as the victims. This validation of the gathered credentials as legitimate further facilitated the account takeovers. Once the credentials were obtained, the attackers wasted no time in logging into the compromised executive accounts, gaining access within seconds. They then leveraged a native Microsoft 365 application to add their own MFA to the “My Sign-Ins” section, ensuring persistence in the compromised accounts. The preferred method for this was using the “Authenticator App with Notification and Code.”

Interestingly, the researchers found that at least 35% of compromised users over the past year had MFA enabled. This indicates that account takeovers can still occur even when organizations have MFA protection in place.

The EvilProxy attacks typically started with the attackers impersonating trusted services such as Concur, DocuSign, and Adobe, using spoofed sender addresses to send phishing emails containing links to malicious Microsoft 365 phishing websites. Clicking these links initiated a multi-step infection chain that routed user traffic through legitimate redirectors before eventually directing it to the EvilProxy phishing framework. The landing page, acting as a reverse proxy, was branded to match the recipient's organization and imitated third-party identity providers. The attackers specifically targeted C-level executives in about 39% of the attacks, with CFOs accounting for 17% of the targets and presidents/CEOs for 9%.

The success of these attacks in breaching MFA underscores the evolving sophistication of phishing tactics. It highlights the need for organizations to enhance their security measures and adopt advanced security solutions to combat such threats. Colin Little, a security engineer for cybersecurity firm Centripetal, emphasized the importance of deploying proactive cybersecurity intelligence to monitor for unusual activities, emerging threats, and potential vulnerabilities. This can help organizations bolster their defenses and maintain a robust cybersecurity posture.

While the effectiveness of EvilProxy as a phishing tool is widely known in the cybersecurity community, the Proofpoint researchers noted a concerning lack of public awareness regarding its risks and potential consequences. They recommend implementing measures such as blocking and monitoring malicious email threats, identifying account takeovers and unauthorized access to sensitive cloud resources, and isolating potentially malicious sessions initiated by links embedded in email messages as part of phishing mitigation efforts.
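The persistence step described earlier (a new MFA method added under "My Sign-Ins" within seconds of the attacker's first login) and the recommendation above to identify account takeovers suggest a concrete detection: correlate each "security info registered" audit event with the sign-in that immediately preceded it, and alert when that sign-in came from a source the user has never used. The following is an added example, not code from the article or from Proofpoint. The JSON line format, the field names, the activity label "User registered security info", the known-IP baseline and the log lines themselves are all constructed assumptions for the example, not the exact Microsoft 365 or Entra ID export schema.

```python
"""Flag MFA-method registrations that follow a sign-in from an unfamiliar IP.

The record layout, field names and activity strings used here are a
simplified, constructed schema (an assumption of this example), not the
real Microsoft 365 / Entra ID log format.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

METHOD_REGISTRATION = "User registered security info"  # assumed activity label
WINDOW = timedelta(minutes=30)  # max gap between sign-in and registration to correlate


@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str


@dataclass
class Registration:
    user: str
    ts: datetime
    method: str


@dataclass
class Alert:
    user: str
    method: str
    registered_at: datetime
    signin_ip: str
    seconds_after_signin: float


def parse_ts(value: str) -> datetime:
    # Accept a trailing 'Z'; older Pythons' fromisoformat only understand '+00:00'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text: str) -> Tuple[List[SignIn], List[Registration]]:
    """Split constructed JSON-lines into sign-ins and MFA-method registrations."""
    signins: List[SignIn] = []
    registrations: List[Registration] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec["type"] == "signin":
            signins.append(SignIn(rec["user"], parse_ts(rec["time"]), rec["ip"]))
        elif rec["type"] == "audit" and rec["activity"] == METHOD_REGISTRATION:
            registrations.append(Registration(rec["user"], parse_ts(rec["time"]), rec["detail"]))
    return signins, registrations


def detect(log_text: str, known_ips: Dict[str, Set[str]], window: timedelta = WINDOW) -> List[Alert]:
    """Return one Alert per registration whose preceding sign-in used an unknown IP."""
    signins, registrations = parse_log(log_text)
    by_user: Dict[str, List[SignIn]] = {}
    for s in signins:
        by_user.setdefault(s.user, []).append(s)
    for lst in by_user.values():
        lst.sort(key=lambda s: s.ts)

    alerts: List[Alert] = []
    for reg in registrations:
        # Sign-ins by this user at or before the registration and inside the window.
        prior = [s for s in by_user.get(reg.user, []) if s.ts <= reg.ts <= s.ts + window]
        if not prior:
            continue  # no sign-in to attribute the registration to
        last = prior[-1]  # the most recent one is the session that added the method
        if last.ip not in known_ips.get(reg.user, set()):
            alerts.append(Alert(reg.user, reg.method, reg.ts, last.ip,
                                (reg.ts - last.ts).total_seconds()))
    return alerts


# Constructed baseline of IPs each executive normally signs in from (assumption).
KNOWN_IPS: Dict[str, Set[str]] = {
    "cfo@example.com": {"198.51.100.10"},
    "ceo@example.com": {"198.51.100.20", "198.51.100.21"},
}

# Constructed sample log: a benign registration, a suspicious one, and noise.
SAMPLE_LOG = """
{"type":"signin","user":"cfo@example.com","time":"2023-05-02T09:00:00Z","ip":"198.51.100.10"}
{"type":"audit","user":"cfo@example.com","time":"2023-05-02T09:12:00Z","activity":"User registered security info","detail":"Authenticator App with Notification and Code"}
{"type":"signin","user":"ceo@example.com","time":"2023-05-02T14:00:00Z","ip":"203.0.113.5"}
{"type":"audit","user":"ceo@example.com","time":"2023-05-02T14:00:45Z","activity":"User registered security info","detail":"Authenticator App with Notification and Code"}
{"type":"audit","user":"ceo@example.com","time":"2023-05-02T16:00:00Z","activity":"Update user","detail":"Display name changed"}
{"type":"audit","user":"cfo@example.com","time":"2023-05-03T08:00:00Z","activity":"User registered security info","detail":"Phone"}
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, KNOWN_IPS):
        print(f"ALERT {a.user}: '{a.method}' registered {a.seconds_after_signin:.0f}s "
              f"after sign-in from unknown IP {a.signin_ip}")
```

On the sample data only the CEO registration fires: it was added 45 seconds after a sign-in from an IP outside the user's baseline, which is the shape of the persistence behaviour described in the article. The CFO's registration from a known IP is ignored, as is the CFO registration with no sign-in inside the window. In production the baseline would come from historical sign-in data and the window and IP check would be supplemented with ASN or country and with the sign-in's risk signals, but the correlation itself stays the same.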

As phishing attacks continue to evolve and become more sophisticated, organizations must prioritize cybersecurity and remain vigilant in detecting and mitigating potential threats. By staying proactive and implementing advanced security measures, they can better protect themselves against attacks like the EvilProxy phishing campaign.
