Posted on August 11, 2023 at 10:37 PM

EvilProxy Targets 120,000 Phishing Emails To Access Microsoft 365 Accounts

EvilProxy has evolved to become one of the most popular platforms used to conduct phishing campaigns. These campaigns target MFA-protected accounts. According to security researchers, 120,000 phishing emails were sent to more than a hundred organizations, with the goal being to obtain access to Microsoft 365 accounts.

EvilProxy targets MFA-protected accounts 

The new research into this phishing campaign has been published by Proofpoint. The cybersecurity researchers at Proofpoint have warned that there has been a massive increase in cloud account takeover incidents in the last five months. These hacking campaigns have primarily targeted high-ranking executives.

According to Proofpoint, a massive large-scale campaign run by Evil Proxy was taking place. The hacking campaign integrates brand impersonation, open redirections, and bot detection evasion techniques. The threat actors behind this campaign use stealth measures to ensure they are undetected by security systems set in place.

EvilProxy operates as a phishing-as-a-service platform. It uses reverse proxies to deploy authentication requests and user credentials between the user, the target in these attacks, and a service website operating legitimately.

Once the phishing server proxies the authentic login data, it will steal authentication cookies after a user has logged into their account. The user must also pass the MFA challenges when signing in to their accounts. On the other hand, the stolen cookie will enable hackers to bypass multi-factor authentication.

Resecurity published a report in September last year saying that the EvilProxy phishing platform was sold to hackers for $400 each month. At the time, researchers noted that the hacking campaign could target Apple, Facebook, GitHub, GoDaddy, Google, Microsoft, PyPI, and Twitter accounts.

Proofpoint researchers have detected a new phishing campaign since March last year. This campaign used the EvilProxy phishing platform to send emails that impersonated leading brands such as Adobe, Concur, and DocuSign. The impersonation tricks users into believing the emails were sent from an authentic source.

If users follow the embedded link in the phishing emails, they will undergo an open redirect on YouTube and SlickDeals. The victim will also experience a series of other redirections seeking to reduce the chances of analysis and discovery while ensuring that their hacking operations remain under the radar.

The victim is later taken to the EvilProxy phishing page that will reverse proxy the Microsoft 365 login page. This page will also contain the organization theme of the victim to make it appear authentic and free from compromise.

The researchers also noted that the hackers had deployed several techniques to ensure the victim’s email did not deploy scanning tools. They also used compromised legitimate websites to run their hacking campaign.

“In order to hide the user email from automatic scanning tools, the attackers employed special encoding of the user email and used legitimate websites that have been hacked to upload their PHP code to decode the email address of a particular user,” the Proofpoint researchers said.

The researchers from Proofpoint also said that after the sent email address was decoded, the hackers redirected users to the final website, the actual page used to conduct the phishing campaign. This phishing page is customized to each target organization.

The campaign usually targets high-level executives

The security researchers also said that this hacking campaign redirected the victims using an IP address from Turkey to a legitimate website where they would not be compromised. This behavior shows that the hackers might have Turkish origins.

The Proofpoint research also noted that the hackers remained selective with the cases that would go on to the account takeover phase. As such, the attackers prioritized the high-ranking targets and gave little to no attention to targets lower in the hierarchy.

Of the accounts breached, 39% belonged to C-level executives, while 9% belonged to vice presidents and CEOs. 17% of the breached accounts belonged to chief financial officers, while the remaining accounts belonged to employees with sensitive information access.

After the hackers successfully breached a Microsoft 365 account, they added their multi-factor authentication to create persistence. The hackers’ use of reverse proxy phishing kits and the EvilProxy platform shows how rapidly the threat has grown. This threat can deliver a high-quality phishing campaign at high scales while bypassing security measures and ensuring accounts are protected.

The organizations targeted by such hacking campaigns can defend themselves from this threat by installing high-security measures. These organizations can also adopt strict email filtering rules and FIDO-based physical keys to guarantee security.