Introduction
A recent phishing campaign known as EvilProxy has targeted thousands of Microsoft 365 user accounts worldwide. Over a three-month period between March and June, attackers sent 120,000 phishing emails to more than 100 organizations across the globe, with the primary goal of taking over C-suite and executive accounts. This approach allows the attackers to conduct further attacks deeper within the enterprise. Researchers from Proofpoint have revealed that this ongoing campaign has seen a significant surge of more than 100% in takeovers over the last six months.
The Tactics Used
The EvilProxy phishing campaign employs a combination of tactics, including brand impersonation, scan blocking, and a multi-step infection chain. These tactics have proven successful in taking over the cloud accounts of top-level executives. Notably, the attackers have utilized EvilProxy, a phishing-as-a-service offering that leverages reverse proxy and cookie-injection methods. This allows them to bypass multi-factor authentication (MFA), which is often considered a preventive measure against phishing attacks.
EvilProxy and the Bypassing of MFA
The use of EvilProxy and similar reverse-proxy tools has made it easier for attackers to defeat MFA: the proxy prompts the victim for their MFA credentials and passes them along, so a genuine, successful authentication is completed on the victim's behalf. The compromise of MFA-protected accounts is particularly noteworthy, as at least 35% of all compromised users during the past year had MFA enabled, according to Proofpoint's researchers. Once the attackers obtained the credentials, they wasted no time in logging into executives' cloud accounts, gaining access in mere seconds. They then used a native Microsoft 365 application to add their own MFA method to the compromised accounts, establishing persistence.
The Anatomy of an EvilProxy Attack
A typical EvilProxy attack commences with the attackers impersonating trusted services such as Concur, DocuSign, and Adobe. They use spoofed email addresses to send phishing emails that appear to originate from these services, containing links to malicious Microsoft 365 phishing websites. Clicking on these links triggers a multi-step infection chain involving legitimate redirectors like YouTube, as well as techniques like malicious cookies and 404 redirects. This complex redirection process scatters the traffic in an unpredictable manner, reducing the chances of detection. Eventually, user traffic reaches an EvilProxy phishing framework, a landing page that functions as a reverse proxy, mimicking recipient branding and attempting to resemble third-party identity providers.
The Targeting of Executives
The EvilProxy attackers employed a highly targeted approach, primarily focusing on C-level executives. Approximately 39% of the attacks targeted C-level executives, with CFOs accounting for 17% of those targets and presidents and CEOs comprising 9%. This selective targeting allows the attackers to gain access to sensitive and valuable information within the organizations.
The Need for Advanced Security
The success of EvilProxy in breaching MFA highlights the evolving sophistication of phishing attacks. Organizations must respond by bolstering their security measures and maintaining a robust cybersecurity posture. Colin Little, a security engineer for cybersecurity firm Centripetal, emphasized the importance of proactive cybersecurity intelligence to monitor for unusual activities, emerging threats, and potential vulnerabilities.
The Role of Public Awareness
Proofpoint researchers found a concerning gap in public awareness regarding the risks and consequences associated with EvilProxy. To mitigate phishing attacks like EvilProxy, organizations should focus on blocking and monitoring malicious email threats, identifying account takeovers, and isolating potentially malicious sessions initiated by links embedded in email messages.
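One concrete way to act on the advice above (identify account takeovers) and on the persistence step described earlier (the attacker registering their own MFA method right after logging in) is to correlate sign-ins from previously unseen IP addresses with MFA-registration events that follow within a short window. The script below is an added example written for this article; it is not Proofpoint's, Microsoft's, or Centripetal's tooling. The event records, their field names, the activity string and the IP baseline are all constructed for the example; a real deployment would map its own Microsoft 365 sign-in and audit log fields onto this simplified shape.

```python
"""Flag possible account takeovers: a successful sign-in from an IP the user
has never used, followed shortly by registration of a new MFA method.

All input below is constructed sample data with a simplified schema; it is
not a real Microsoft 365 log format.
"""
from datetime import datetime, timedelta

# Activity label used for MFA-method registration in the constructed schema.
MFA_REGISTRATION_ACTIVITY = "User registered security info"

# Constructed sample events (sign-ins and audit entries), not real log data.
SAMPLE_EVENTS = [
    {"time": "2023-06-01T08:02:10Z", "type": "signin", "user": "cfo@example.com",
     "ip": "203.0.113.10", "result": "success"},
    # Second sign-in seconds later from an IP never seen for this user.
    {"time": "2023-06-01T08:02:41Z", "type": "signin", "user": "cfo@example.com",
     "ip": "198.51.100.77", "result": "success"},
    # New MFA method registered 84 seconds after that unfamiliar sign-in.
    {"time": "2023-06-01T08:04:05Z", "type": "audit", "user": "cfo@example.com",
     "activity": MFA_REGISTRATION_ACTIVITY, "ip": "198.51.100.77"},
    # Benign: registration from a known IP, hours after the sign-in.
    {"time": "2023-06-01T09:15:00Z", "type": "signin", "user": "ceo@example.com",
     "ip": "203.0.113.10", "result": "success"},
    {"time": "2023-06-01T12:00:00Z", "type": "audit", "user": "ceo@example.com",
     "activity": MFA_REGISTRATION_ACTIVITY, "ip": "203.0.113.10"},
    # Edge case: unfamiliar IP, but registration a full hour later (outside
    # the default 30-minute window, so not flagged by default).
    {"time": "2023-06-01T10:00:00Z", "type": "signin", "user": "cto@example.com",
     "ip": "192.0.2.55", "result": "success"},
    {"time": "2023-06-01T11:00:00Z", "type": "audit", "user": "cto@example.com",
     "activity": MFA_REGISTRATION_ACTIVITY, "ip": "192.0.2.55"},
]

# Constructed baseline: IPs each user normally signs in from.
KNOWN_IPS = {
    "cfo@example.com": {"203.0.113.10"},
    "ceo@example.com": {"203.0.113.10"},
    "cto@example.com": {"203.0.113.10"},
}


def parse_time(stamp):
    """Parse the constructed ISO-8601 UTC timestamp format."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_mfa_registrations(events, known_ips, window_minutes=30):
    """Return one alert per MFA registration that follows, within
    window_minutes, a successful sign-in from an IP not in the user's baseline.
    """
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    recent_unknown = {}  # user -> list of (sign-in time, ip) from unknown IPs
    alerts = []
    for event in ordered:
        when = parse_time(event["time"])
        user = event["user"]
        if event["type"] == "signin" and event["result"] == "success":
            if event["ip"] not in known_ips.get(user, set()):
                recent_unknown.setdefault(user, []).append((when, event["ip"]))
        elif event["type"] == "audit" and event["activity"] == MFA_REGISTRATION_ACTIVITY:
            for signin_time, ip in recent_unknown.get(user, []):
                delta = when - signin_time
                # Only sign-ins that precede the registration count.
                if timedelta(0) <= delta <= window:
                    alerts.append({
                        "user": user,
                        "signin_ip": ip,
                        "signin_time": signin_time.isoformat(),
                        "registration_time": when.isoformat(),
                        "seconds_between": int(delta.total_seconds()),
                        "reason": "MFA method registered shortly after sign-in "
                                  "from an IP not in the user's baseline",
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mfa_registrations(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

With the default 30-minute window only the CFO account is flagged; widening the window to two hours also catches the CTO case, which shows the trade-off between catching slower attackers and generating noise from users who legitimately enrol a new device soon after travelling. In practice the IP baseline would be built from historical sign-in data rather than hard-coded, and an alert should trigger a session review and, where warranted, revocation of the newly registered method.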
Conclusion
The EvilProxy phishing campaign targeting Microsoft 365 executives has revealed the alarming rise in account takeovers. The successful bypassing of MFA and the scale of the attacks demonstrate the need for organizations to strengthen their security measures. Proactive cybersecurity intelligence and robust phishing-mitigation efforts are crucial in mitigating the risks associated with evolving phishing tactics like EvilProxy. Increased public awareness of the risks and consequences is essential to preventing future attacks.
NOTE: This report is a fictional piece produced as an example of writing in the style of The New York Times.