The Perils of Phishing Attacks: A Case Study on EvilProxy

A surge in cloud account takeover incidents has been observed over the past five months, impacting high-ranking executives. EvilProxy, a popular phishing-as-a-service platform, is at the forefront of this threat.

The platform utilizes reverse proxies and brand impersonation to steal Microsoft 365 account credentials, particularly targeting MFA-protected accounts. By employing open redirections, bot detection evasion, and legitimate website compromise, the threat actors have successfully breached multi-factor authentication barriers, highlighting the need for enhanced security measures.

EvilProxy Attacks

EvilProxy employs reverse proxies to relay authentication requests and user credentials between the user and the legitimate service website. The phishing server proxies the legitimate login form, enabling the theft of authentication cookies upon user login. As these accounts already passed MFA, the stolen cookies allow threat actors to bypass multi-factor authentication, gaining unauthorized access.

Phishing Campaign

A new campaign since March 2023 exploits EvilProxy to impersonate brands like Adobe, DocuSign, and Concur. Embedded links in phishing emails lead victims through multiple redirections to an EvilProxy phishing page. This page, customized with the victim's organization theme, mimics the Microsoft 365 login page.

Attack Stages

Attackers encode user emails to evade scanning tools, decoding them via hacked legitimate websites. Once decoded, users are directed to a tailored phishing page for the target organization.

Targeting Peculiarities

The campaign avoids Turkish IP addresses, suggesting possible origin in Turkey. Attackers selectively target "VIP" individuals, particularly C-level executives, CEOs, vice presidents, and CFOs. 39% of compromised accounts were C-level executives, highlighting the strategic nature of the attacks.

Persistence and Countermeasures

After compromising Microsoft 365 accounts, attackers establish persistence by adding their multi-factor authentication method. To counter EvilProxy attacks, organizations should enhance security awareness, implement stricter email filtering rules, and adopt FIDO-based physical keys.

Recommendations

• Implement MFA Authentication: Consider the adoption of multi-factor authentication (MFA) to bolster account security beyond standard measures.

• Avoid Suspicious Links: Encourage refraining from clicking on links that appear suspicious or originate from unknown sources.

Conclusion

EvilProxy's exploitation of multi-factor authentication vulnerabilities poses a significant threat to organizations. This campaign's sophistication demands a proactive approach to cybersecurity, combining user education, technological safeguards, and strategic adoption of advanced authentication methods.