EvilProxy Cyberattack Flood Targets Execs via Microsoft 365

Attackers have unleashed an EvilProxy phishing campaign to target thousands of Microsoft 365 user accounts worldwide, sending a flood of 120,000 phishing emails to more than 100 organizations across the globe in the three-month period between March and June alone. The goal? To take over C-suite and other executive accounts, in order to mount further attacks deeper within the enterprise.

The ongoing campaign uses a combination of phishing tactics — including brand impersonation, scan blocking, and a multi-step infection chain — to successfully take over cloud accounts of top-level executives, researchers from Proofpoint revealed.

Over the last six months, Proofpoint observed a significant surge of more than 100% in these takeovers. The compromises occurred at organizations that collectively represent 1.5 million employees worldwide.

Attackers' use of EvilProxy, a phishing-as-a-service offering that uses reverse proxy and cookie-injection methods, allowed them to bypass multi-factor authentication (MFA) in the attacks. Indeed, though MFA use is often cited as a prevention mechanism for phishing, EvilProxy and similar reverse-proxy hacker tools are making it easier for bad actors to crack.

"If needed, these pages may request MFA credentials to facilitate a real, successful authentication on behalf of the victim — thus also validating the gathered credentials as legitimate," Proofpoint's Shachar Gritzman, Moshe Avraham, Tim Kromphardt, Jake Gionet, and Eilon Bendet wrote in a blog post.

Moreover, once credentials were obtained, the actors wasted no time in logging into executives' cloud accounts, gaining access in mere seconds. They proceeded to gain persistence to compromised accounts by leveraging a native Microsoft 365 application to add their own MFA to "My Sign-Ins," the researchers said. Their preferred method for doing this was "Authenticator App with Notification and Code."

"Contrary to what one might anticipate, there has been an increase in account takeovers among tenants that have MFA protection," the researchers wrote. "Based on our data, at least 35% of all compromised users during the past year had MFA enabled."

Breakdown of the EvilProxy Attack

A typical EvilProxy attack begins with attackers impersonating known trusted services, such as the business expense management system Concur, DocuSign, and Adobe. They used spoofed email addresses to send phishing emails purporting to come from one of these services that contained links to malicious Microsoft 365 phishing websites.

Clicking on one of these links would set off a multi-step infection chain in which user traffic is first redirected to an open, legitimate redirector — such as YouTube, among others. Traffic then may undergo several more redirections, which involve malicious cookies and 404 redirects.

"This is done to scatter the traffic in an unpredictable way, lowering the likelihood of discovery," the researchers wrote.

Eventually, user traffic is directed to an EvilProxy phishing framework, a landing page that functions as a reverse proxy, mimicking recipient branding and attempting to mimic third-party identity providers.

Despite the volume, attackers were extremely targeted in their approach, going right to the top of the organizational food chain by targeting C-level executives in about 39% of the attacks. Of that number, 17% of those targets were CFOs and 9% were presidents and CEOs.

MFA Bypass Shows Need for Advanced Security

Both the success of attackers to breach MFA and the scale of the attack demonstrates the evolving sophistication of phishing attacks, which demands a response from organizations to level up on security, noted one security expert.

"The scale and audacity of the EvilProxy phishing campaign is deeply concerning," Colin Little, security engineer for cybersecurity firm Centripetal, wrote in an email to Dark Reading. "It's a stark reminder that no security measure is bulletproof, and cybercriminals are continually finding new ways to exploit vulnerabilities."

He recommended the deployment of proactive cybersecurity intelligence to monitor for unusual activities, emerging threats, and potential vulnerabilities to bolster organizations' defenses and maintain a more robust cybersecurity posture.

Indeed, though many organizations know about the effectiveness of EvilProxy as a phishing tool, the Proofpoint researchers noted "a concerning gap in public awareness regarding its risks and potential consequences."

The company recommends blocking and monitoring malicious email threats, identifying account takeover and unauthorized access to sensitive resources within the cloud, and isolating potentially malicious sessions initiated by links embedded in email messages as among a number of phishing-mitigation efforts.