EvilProxy Phishing Campaign Targets High-Level Executives
Threat actors are using the EvilProxy phishing platform to get around multifactor authentication (MFA) protections in the Microsoft 365 accounts of high-level corporate executives. The sprawling campaign highlights the growing popularity among cybercriminals of advanced phishing-as-a-service (PhaaS) kits.
Since March, over 100 organizations with a combined 1.5 million employees have been targeted by attackers using EvilProxy, a kit built on a reverse-proxy architecture: it sits between the victim and the real login page, relaying the traffic so that it can capture both the credentials and the session cookie the service issues once MFA has been completed.
Once in the VIPs’ cloud accounts, the attackers can take control and access the data and assets they hold, according to threat intelligence researchers with Proofpoint.
“During those last phases, cybercriminals employ various techniques, including lateral movement and malware proliferation,” the researchers wrote in a report, adding that the attackers study the culture, hierarchy and processes of a targeted organization before they attack. “In order to monetize their access, attackers were seen executing financial fraud, performing data exfiltration or partaking in hacking-as-a-service (HaaS) transactions, selling access to compromised user accounts.”
As with ransomware and other cyberthreats, there has been a steady rise in the use of kits to deliver phishing capabilities as a service, opening up another revenue stream for developers of malware and enabling inexperienced cybercriminals to launch sophisticated attacks.
That was made clear this week when Interpol shut down a PhaaS platform called 16shop and arrested three people, including the 21-year-old Indonesia-based administrator and two facilitators. The platform’s servers were hosted in the United States, according to Interpol.
Interpol, which worked with law enforcement agencies in the United States, Indonesia and Japan as well as such cybersecurity organizations as Trend Micro, Group-IB and Palo Alto Networks’ Unit 42, pointed to the high prevalence of phishing campaigns, noting that up to 90% of data breaches involve such attacks.
Getting Around MFA Protection
PhaaS platforms contribute to that prevalence. Proofpoint said that organizations' increasing use of MFA has forced criminal groups to upgrade their phishing kits to get around those protections, producing adversary-in-the-middle (AitM) kits like EvilProxy that capture credentials and session cookies in real time.
“The presence and impact of these MFA kits on the threat landscape have since grown significantly,” the researchers wrote.
That’s been seen in the recent campaign. Proofpoint noted a 100% jump in successful attempts to take over the cloud accounts of high-level executives since early this year. In addition, at least 35% of all compromised users over the past year had MFA-enabled accounts.
Such success has fueled a market for preconfigured MFA-bypass phishing kits, both open source and for hire, which lets low-skill attackers pay for EvilProxy templates targeting online services such as Gmail, Microsoft, Dropbox and Facebook.
“Nowadays, all an attacker needs is to set up a campaign using a point-and-click interface with customizable options, such as bot detection, proxy detection, and geofencing,” the researchers wrote. “This relatively simple and low-cost interface has opened a floodgate of successful MFA phishing activity.”
According to a Resecurity report in September 2022, bad actors can lease EvilProxy for $400 a month on the dark web.
The Latest Campaign
In the recent campaign, the threat actors sent about 120,000 phishing emails to hundreds of organizations worldwide between March and June. Many of the emails spoofed real services and apps like Concur Solutions, DocuSign and Adobe, and the malicious pages behind them included bot-detection checks that made it difficult for automated security scanners to analyze them.
The emails contained embedded links to malicious Microsoft 365 phishing websites. Clicking one kicked off a chain of hops: first through a legitimate redirector such as YouTube, then through further redirects that set cookies and returned 404 pages, all to scatter the traffic unpredictably and reduce the chances of being spotted by security solutions.
The user traffic is then redirected to an EvilProxy phishing framework.
“The landing page functions as a reverse proxy, mimicking recipient branding and attempting to handle third-party identity providers,” the researchers wrote. “If needed, these pages may request MFA credentials to facilitate a real, successful authentication on behalf of the victim–thus also validating the gathered credentials as legitimate.”
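The reason a reverse proxy can "handle" a one-time code but not a phishing-resistant factor is worth seeing in code. The simulation below is an added illustration, not code from the original article, from Proofpoint or from EvilProxy. The IdP origin, the proxy hostname, the shared secrets and the challenge are all invented, and an HMAC stands in for the authenticator's asymmetric signature so the example runs with the standard library alone. The TOTP function is a real RFC 6238 implementation; the WebAuthn checks (origin in clientDataJSON, RP ID hash and user-presence flag in authenticatorData) are the relying-party checks the spec requires.

```python
"""Why a reverse-proxy (AitM) phishing kit can relay a TOTP code but not a
WebAuthn assertion.  Added illustration only: the IdP, the proxy hostname,
the user's secrets and the challenge are all invented."""
import base64
import hashlib
import hmac
import json
import struct

IDP_ORIGIN = "https://login.example-idp.com"               # assumed legitimate IdP
IDP_RP_ID = "login.example-idp.com"
PROXY_ORIGIN = "https://login.example-idp.com.phish.test"  # assumed phishing proxy host

TOTP_SECRET = b"victim-shared-totp-secret"                 # constructed
CRED_KEY = b"victim-passkey-private-key-standin"            # constructed (HMAC stand-in)
CHALLENGE = b"\x01\x02\x03\x04\x05\x06\x07\x08"             # constructed IdP challenge


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def idp_verify_totp(code: str, unix_time: int) -> bool:
    """The IdP sees six digits; nothing ties them to the site the victim typed them into."""
    return hmac.compare_digest(totp(TOTP_SECRET, unix_time), code)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_webauthn_get(page_origin: str, challenge: bytes) -> dict:
    """Models what navigator.credentials.get() yields.  The browser, not the page,
    writes the origin into clientDataJSON, and the RP ID hash in
    authenticatorData is derived from the domain the page is actually on."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    effective_domain = page_origin.split("://", 1)[1].split("/", 1)[0]
    auth_data = (hashlib.sha256(effective_domain.encode()).digest()  # rpIdHash
                 + b"\x01"                                           # flags: user present
                 + b"\x00\x00\x00\x01")                               # signature counter
    # Real authenticators sign with the credential's private key; HMAC stands in
    # here so the example needs no third-party crypto library (assumption).
    sig = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def idp_verify_webauthn(assertion: dict, challenge: bytes) -> bool:
    """Relying-party checks that defeat a relay: origin, RP ID hash, presence, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
        return False
    if cd.get("origin") != IDP_ORIGIN:          # assertion was produced on another site
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(IDP_RP_ID.encode()).digest():
        return False                            # bound to the wrong RP ID
    if not auth_data[32] & 0x01:                # user-presence flag not set
        return False
    expected = hmac.new(CRED_KEY, auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def relay_totp_through_proxy(unix_time: int = 1_690_000_000) -> bool:
    """Victim types the code into the proxy's page; the proxy forwards it unchanged."""
    code_typed_on_proxy = totp(TOTP_SECRET, unix_time)
    return idp_verify_totp(code_typed_on_proxy, unix_time)


def relay_webauthn_through_proxy() -> bool:
    """Proxy forwards the IdP's real challenge, but the victim's browser is on the
    proxy origin, so the assertion it produces is bound to that origin."""
    assertion = browser_webauthn_get(PROXY_ORIGIN, CHALLENGE)
    return idp_verify_webauthn(assertion, CHALLENGE)


def webauthn_direct() -> bool:
    """Same flow with the browser on the genuine IdP origin."""
    return idp_verify_webauthn(browser_webauthn_get(IDP_ORIGIN, CHALLENGE), CHALLENGE)


if __name__ == "__main__":
    print("TOTP relayed via proxy accepted:    ", relay_totp_through_proxy())
    print("WebAuthn relayed via proxy accepted:", relay_webauthn_through_proxy())
    print("WebAuthn direct accepted:           ", webauthn_direct())
```

In a real browser the relay fails even earlier: the page on the proxy origin cannot request an assertion for an RP ID it is not a registrable suffix of, so the authenticator is never invoked. The simulation lets the assertion be produced so that the IdP-side checks can be shown rejecting it.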
To hide the target's email address from automated scanning tools, the threat actors encode it in the phishing URL and route the victim through legitimate websites they have compromised, onto which they upload PHP code that decodes the address for that particular user.
“After decoding the email address, the user was forwarded to the final website–the actual phishing page, tailor-made just for that target’s organization,” they wrote.
Once the targets provided their credentials, attackers could log into their Microsoft 365 accounts within seconds, indicating to the researchers that the process was highly automated. The campaign’s targets were high-level corporate executives. Of the hundreds of compromised users, 39% were C-level executives, 17% were chief financial officers, and 9% were presidents and CEOs, all of whom would have access to sensitive data and financial information.
Once inside the victims' accounts, the cybercriminals took steps to maintain persistence, including using the My Sign-Ins feature in Microsoft 365 to register their own MFA method, so that they could pass MFA challenges without going back through the phishing proxy.
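That persistence step leaves a trace worth hunting for: a security-info registration that follows, within minutes, a sign-in from an address the user has never used before. The detection sketch below is an added example, not code from the article or from Proofpoint. The log records are constructed, and the field names (`upn`, `ip`, `activity`, the activity name "User registered security info") follow the general shape of Microsoft Entra sign-in and audit logs as an assumption; map them to your own export before use.

```python
"""Flag MFA-method registrations that follow a sign-in from a never-before-seen IP.
Added example; records below are constructed and field names are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (only successful sign-ins matter for the baseline).
SIGNINS = [
    {"time": "2023-04-20T08:00:00Z", "upn": "ceo@corp.example", "ip": "203.0.113.22", "result": "success"},
    {"time": "2023-05-02T08:01:00Z", "upn": "cfo@corp.example", "ip": "203.0.113.10", "result": "success"},
    {"time": "2023-05-03T08:05:00Z", "upn": "cfo@corp.example", "ip": "203.0.113.10", "result": "success"},
    {"time": "2023-05-04T09:00:00Z", "upn": "ceo@corp.example", "ip": "203.0.113.22", "result": "success"},
    {"time": "2023-05-04T14:20:00Z", "upn": "cfo@corp.example", "ip": "198.51.100.77", "result": "failure"},
    {"time": "2023-05-04T14:22:00Z", "upn": "cfo@corp.example", "ip": "198.51.100.77", "result": "success"},
]

# Constructed audit records; the activity name is assumed to match Entra's wording.
AUDITS = [
    {"time": "2023-05-04T09:30:00Z", "upn": "ceo@corp.example", "activity": "Update user"},
    {"time": "2023-05-04T09:31:00Z", "upn": "ceo@corp.example", "activity": "User registered security info"},
    {"time": "2023-05-04T14:25:30Z", "upn": "cfo@corp.example", "activity": "User registered security info"},
]

REGISTRATION_PREFIX = "User registered security info"


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_mfa_registrations(signins, audits, window=timedelta(hours=2)):
    """For each security-info registration, find the latest successful sign-in for
    that user inside `window` and check its source IP against every earlier
    successful sign-in by the same user.  A registration right after a sign-in
    from an IP with no history is the pattern described in the article."""
    history = defaultdict(list)
    for s in signins:
        if s["result"] == "success":
            history[s["upn"]].append((parse_ts(s["time"]), s["ip"]))
    for entries in history.values():
        entries.sort()

    findings = []
    for a in audits:
        if not a["activity"].startswith(REGISTRATION_PREFIX):
            continue
        reg_time = parse_ts(a["time"])
        user_hist = history.get(a["upn"], [])
        recent = [(ts, ip) for ts, ip in user_hist if reg_time - window <= ts <= reg_time]
        if not recent:
            # Registration with no interactive sign-in in the window: worth a look,
            # since it may have been done with a session taken from elsewhere.
            findings.append({"upn": a["upn"], "registered_at": a["time"], "signin_ip": None,
                             "seconds_after_signin": None,
                             "reason": "security info registered without a recent sign-in"})
            continue
        trigger_ts, trigger_ip = recent[-1]
        baseline_ips = {ip for ts, ip in user_hist if ts < trigger_ts}
        if trigger_ip not in baseline_ips:
            findings.append({"upn": a["upn"], "registered_at": a["time"], "signin_ip": trigger_ip,
                             "seconds_after_signin": int((reg_time - trigger_ts).total_seconds()),
                             "reason": "MFA method added after sign-in from never-before-seen IP"})
    return findings


if __name__ == "__main__":
    for f in suspicious_mfa_registrations(SIGNINS, AUDITS):
        print(f)
```

The CEO's registration is not flagged because the sign-in that preceded it came from an address already in that user's history; the CFO's is, because the preceding sign-in came from a fresh address and the registration followed it within minutes. In production the baseline should be keyed on ASN or country as well as raw IP, and the finding should trigger review of the user's registered methods and revocation of refresh tokens, not just an alert.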
Organizations should expect such attacks to continue.
“Reverse proxy threats (and EvilProxy in particular) are a potent threat in today’s dynamic landscape and are out-competing the less capable phish kits of the past,” the researchers wrote. “They have risen significantly in popularity and exposed crucial gaps in organizations’ defense strategies. For that reason, attackers are quickly pivoting to easy-to-use advanced phishing kits, which leads to an increase in hybrid attacks’ efficacy and velocity.”