Microsoft 365 accounts of execs, managers hijacked through EvilProxy

A phishing campaign leveraging the EvilProxy phishing-as-a-service (PhaaS) tool has been spotted targeting Microsoft 365 user accounts of C-level executives and managers at over 100 organizations around the world.

The rise of phishing-as-a-service

As organizations increasingly employ multi-factor authentication (MFA), threat actors have switched to using phishing services such as EvilProxy, which uses reverse proxy and cookie injection methods to steal authentication credentials and session cookies (and thus bypass the extra protection offered by MFA).

“Nowadays, all an attacker needs is to set up a campaign using a point-and-click interface with customizable options, such as bot detection, proxy detection, and geofencing,” Proofpoint researchers noted.

“This relatively simple and low-cost interface has opened a floodgate of successful MFA phishing activity. One such interface and toolkit is EvilProxy, an all-inclusive phishing kit that is easy to acquire, configure, and set up.”

The campaign

Between March and June 2023, Proofpoint researchers detected an new phishing campaign targeting Microsoft 365 user accounts. About 120,000 phishing emails were sent to targeted organizations impersonating legitimate services such as DocuSign, Adobe, and SAP Concur.

When the victim clicks on the email link, they are first directed to a legitimate website (YouTube, SlickDeals, etc.) and then redirected through a series of other websites, to finally land on the phishing page created by EvilProxy, which mimicks recipient branding and attempts to handle third-party identity providers.

“If needed, these pages may request MFA credentials to facilitate a real, successful authentication on behalf of the victim – thus also validating the gathered credentials as legitimate,” the researchers noted.

The attack’s redirection chain. (Source: Proofpoint)

The attackers employed special encoding for the sent emails to hide them from automatic scanning tools, then they used legitimate, hacked websites to upload PHP code to decode the email address of each user.

“After decoding the email address, the user was forwarded to the final website – the actual phishing page, tailor-made just for that target’s organization,” the researchers noted. Once the attackers gained access to the victim’s account, they added their own multi-factor authentication method using “My Sign-Ins” to establish persistent access.

The targets

This specific campaign was extremely targeted; the attackers were selectively choosing “VIP” targets while disregarding those at the lowest level.

“Amongst the hundreds of compromised users, approximately 39% were C-level executives of which 17% were Chief Financial Officers, and 9% were Presidents and CEOs. Attackers have also shown interest in lower-level management, focusing their efforts on personnel with access to financial assets or sensitive information,” the researchers found.

As mentioned before, the targeted organizations are located around the world – but not Turkey. User traffic coming from Turkish IP addresses was redirected to a legitimate web page, the researchers noted.