Vulnerabilities
August 10, 2023

EvilProxy phishing operation aims at 120,000 users of Microsoft 365

EvilProxy has become a popular phishing platform because it is built to defeat MFA-protected accounts. Researchers have observed roughly 120,000 phishing emails sent to more than a hundred organisations, all aimed at stealing Microsoft 365 accounts.

EvilProxy

Operating as a phishing-as-a-service platform, EvilProxy uses reverse proxies to relay authentication requests and user credentials between the targeted user and the genuine service's login page. This is an adversary-in-the-middle (AitM) technique: the victim is talking to the real service, but every request and response passes through a server the attacker controls.

Because the phishing server sits between the victim and the legitimate login page, it sees everything the user submits and everything the service returns, including the authentication (session) cookies issued once the user completes the login.

Since the user has already passed the MFA challenge during that login, the stolen session cookie lets the attacker use the account without facing MFA again. Push notifications, one-time codes and SMS codes offer no protection here: the proxy simply relays them.

EvilProxy is sold to cybercriminals for $400 per month and can target accounts on prominent platforms including Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and PyPI.

Since March 2023, a phishing campaign using the EvilProxy service has been observed in which emails impersonate well-known brands such as Adobe, DocuSign, and Concur.

When the target clicks the embedded link, they are first sent through an open redirect on YouTube or SlickDeals, followed by a chain of further redirects designed to make detection and analysis harder. Starting the chain on a reputable domain helps the link pass URL reputation checks in email filters.

Finally, the victim lands on an EvilProxy phishing page that acts as a reverse proxy for the Microsoft 365 login page. The page shows the victim organisation's own login branding, which makes it look authentic.
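The redirect chain described above can be inspected without ever fetching the link, because each hop's destination is URL-encoded inside the previous hop's query string. The following is an added example, not code from the original article or from the EvilProxy kit; the parameter names (q, u), the hostnames and the allowlist are assumptions, and the sample link is constructed. It unwraps nested redirect parameters and flags a link that starts on a trusted domain but ends somewhere other than the expected Microsoft login hosts, which is the kind of check an email filtering rule can apply to inbound links.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample link for this example. The campaign's exact redirect
# parameters are not given in the article; the parameter names (q, u) and the
# hostnames are assumptions. Each hop's target is URL-encoded inside the previous one.
SAMPLE_LINK = (
    "https://www.youtube.com/redirect?q="
    "https%3A%2F%2Fslickdeals.example%2Fout%3Fu%3D"
    "https%253A%252F%252Flogin-m365.example%252Fcommon%252Foauth2"
)

# Hosts where a Microsoft 365 login is expected to end up (assumed allowlist).
TRUSTED_LOGIN_HOSTS = {"microsoftonline.com", "microsoft.com", "office.com"}


def find_embedded_url(url):
    """Return the first query-parameter value that is itself an absolute http(s) URL, else None."""
    parts = urlsplit(url)
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        candidate = value.strip()
        if candidate.lower().startswith(("http://", "https://")):
            return candidate
    return None


def redirect_chain(url, max_hops=10):
    """Unwrap nested redirect parameters and return the hostnames, outermost first.
    Only the URL text is inspected; no request is made."""
    chain = []
    current = url
    while current is not None and len(chain) < max_hops:
        host = (urlsplit(current).hostname or "").lower()
        chain.append(host)
        current = find_embedded_url(current)
    return chain


def is_trusted_host(host, trusted):
    """Exact match or subdomain of an allowlisted host."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def lands_off_allowlist(url, trusted=TRUSTED_LOGIN_HOSTS):
    """True when the link unwraps through at least one redirect and the final hop
    is not on the allowlist: the pattern described in the article."""
    chain = redirect_chain(url)
    return len(chain) > 1 and not is_trusted_host(chain[-1], trusted)


if __name__ == "__main__":
    print(" -> ".join(redirect_chain(SAMPLE_LINK)))
    print("suspicious:", lands_off_allowlist(SAMPLE_LINK))
```

The check is deliberately static. Following the redirects live would reveal the same chain, but it would also tell the operators that the link was opened and, if they geofence as described below, may show a benign page to the analyst.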

Focusing on Distinct Patterns

The investigation found one notable trait in the recent campaign: users connecting from a Turkish IP address are redirected to a legitimate website and the attack stops. This geofencing suggests the operators may be based in Turkey.

The attackers were also selective when moving to the account-takeover stage, prioritising "VIP" targets and ignoring lower-ranking ones.

Among the compromised accounts, 39% belonged to C-level executives, 9% to CEOs and vice presidents, 17% to chief financial officers, and the rest to employees with access to financial assets or sensitive information.

Once a Microsoft 365 account is compromised, the attackers add their own MFA method to it (Authenticator App with Notification and Code). This gives them persistence: they can re-authenticate with the captured password without involving the victim's device, even after the stolen session cookie expires. A new authentication method registered shortly after a sign-in from an unfamiliar IP address is therefore a strong signal to alert on.
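The persistence step above leaves a trace in the tenant's audit log, and the preceding cookie-replay sign-in leaves one in the sign-in log. The following is an added example, not code from the original article; the records are constructed and simplified, the field names are assumptions rather than the real Entra ID schema, and the IP baseline is invented. It flags an MFA-method registration coming from an IP address the user has never signed in from before, and notes whether a successful sign-in from that same address preceded it within a short window.

```python
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Entra ID sign-in and audit logs.
# The field names are simplified assumptions for this example, not the real schema;
# the activity text reflects what the article describes (an Authenticator App with
# Notification and Code method being registered by the attacker).
EVENTS = [
    {"time": "2023-08-01T08:02:00Z", "user": "cfo@example-corp.com", "kind": "signin",
     "ip": "203.0.113.10", "result": "success"},
    {"time": "2023-08-01T08:05:00Z", "user": "cfo@example-corp.com", "kind": "signin",
     "ip": "198.51.100.77", "result": "success"},
    {"time": "2023-08-01T08:07:30Z", "user": "cfo@example-corp.com", "kind": "audit",
     "ip": "198.51.100.77", "activity": "User registered security info",
     "details": "User registered Authenticator App with Notification and Code"},
    {"time": "2023-08-01T09:00:00Z", "user": "dev@example-corp.com", "kind": "audit",
     "ip": "203.0.113.10", "activity": "User registered security info",
     "details": "User registered Authenticator App with Notification and Code"},
]

# IPs each user has signed in from during a baseline period (assumed, constructed).
BASELINE_IPS = {
    "cfo@example-corp.com": {"203.0.113.10"},
    "dev@example-corp.com": {"203.0.113.10"},
}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_mfa_registrations(events, baseline_ips, window=timedelta(minutes=30)):
    """Flag MFA-method registrations from an IP the user has never signed in from before,
    and note whether a successful sign-in from that same IP preceded it within `window`
    (the sign-in that a replayed session cookie would produce)."""
    signins = [e for e in events if e["kind"] == "signin" and e.get("result") == "success"]
    alerts = []
    for e in events:
        if e["kind"] != "audit" or e.get("activity") != "User registered security info":
            continue
        if e["ip"] in baseline_ips.get(e["user"], set()):
            continue  # registration from a known location: not flagged here
        t = parse_ts(e["time"])
        preceded = any(
            s["user"] == e["user"] and s["ip"] == e["ip"]
            and timedelta(0) <= t - parse_ts(s["time"]) <= window
            for s in signins
        )
        alerts.append({
            "user": e["user"], "ip": e["ip"], "time": e["time"],
            "method": e.get("details", ""), "signin_from_same_ip": preceded,
        })
    return alerts


if __name__ == "__main__":
    for alert in suspicious_mfa_registrations(EVENTS, BASELINE_IPS):
        print(alert)
```

The dev@ registration is not flagged because it comes from a baseline address; the cfo@ one is, with the sign-in two and a half minutes earlier from the same unfamiliar IP attached as context. In a real tenant the baseline would be built from the sign-in log itself over a trailing period, and a matching alert should trigger revocation of all sessions and removal of the newly added method, not just a password reset.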

Reverse proxy phishing kits such as EvilProxy pose a growing threat: they enable sophisticated phishing campaigns at scale that evade established security controls and account protections.

To counter this threat, organisations should raise security awareness, tighten email filtering, and adopt FIDO-based physical security keys. FIDO2/WebAuthn authenticators bind each credential to the legitimate site's origin, so an assertion produced while the browser is on the proxy's domain is rejected; this is why they resist AitM phishing where push notifications, one-time codes and SMS do not.
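The origin binding that makes FIDO keys resistant to the reverse proxy described earlier is enforced by two pieces of data the browser and authenticator fill in themselves: the `origin` field in clientDataJSON and the SHA-256 of the relying party ID at the start of authenticatorData. The following is an added example, not code from the original article or from any WebAuthn library; the relying party name, origins and challenge are assumptions, and the browser and authenticator output is simulated. It implements the relying-party checks from the WebAuthn specification that tie an assertion to the real origin (signature verification is omitted to keep the focus on binding) and shows a legitimate login passing while an assertion produced on a proxy's domain fails.

```python
import hashlib
import json

# Assumed relying party (RP) values for this example, not from the original article.
RP_ID = "login.example-corp.com"
EXPECTED_ORIGIN = "https://login.example-corp.com"


def make_client_data(origin, challenge):
    """Simulate the clientDataJSON a browser produces for navigator.credentials.get().
    The browser, not the page, fills in 'origin', so a proxied page cannot forge it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def make_authenticator_data(rp_id, sign_count=1):
    """Simulate the first 37 bytes of authenticatorData: SHA-256(rpId) || flags || signCount."""
    flags = bytes([0x05])  # UP (bit 0) and UV (bit 2) set
    return hashlib.sha256(rp_id.encode()).digest() + flags + sign_count.to_bytes(4, "big")


def check_assertion_binding(client_data_json, authenticator_data, expected_challenge):
    """RP-side checks from the WebAuthn spec that bind an assertion to the real origin.
    Signature verification over authenticatorData || SHA-256(clientDataJSON) is omitted here."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "type mismatch"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def legitimate_login(challenge="c29tZS1yYW5kb20tY2hhbGxlbmdl"):
    """User signs in directly on the real origin."""
    cd = make_client_data(EXPECTED_ORIGIN, challenge)
    ad = make_authenticator_data(RP_ID)
    return check_assertion_binding(cd, ad, challenge)


def proxied_login(challenge="c29tZS1yYW5kb20tY2hhbGxlbmdl"):
    """Victim's browser is on the phishing domain; the browser records that origin.
    The proxy relays the real challenge unchanged, but it cannot change the origin.
    (In practice the browser would refuse an rpId of login.example-corp.com from this
    origin outright; the server-side check is the defence in depth.)"""
    proxy_origin = "https://login-example-corp.evilproxy.example"  # assumed attacker domain
    cd = make_client_data(proxy_origin, challenge)
    ad = make_authenticator_data("login-example-corp.evilproxy.example")
    return check_assertion_binding(cd, ad, challenge)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("via reverse proxy:", proxied_login())
```

Contrast this with a TOTP or push approval: nothing in the code the user types or the button they tap says which site asked for it, so the proxy forwards it to the real service and it is accepted. With WebAuthn the evidence of where the user actually was is part of the signed message.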
