
EvilProxy Phishing Campaign Targets Over 120,000 Microsoft 365 Users

A large-scale phishing campaign using EvilProxy phishing-as-a-service (PhaaS) infrastructure targeted Microsoft 365 users for the past six months leading to numerous successful account takeovers.

Proofpoint researchers say threat actors sent over 120,000 phishing emails to over 100 organizations worldwide between March and June 2023, usually targeting senior executives.

The campaign employed multi-redirection via legitimate websites to avoid detection and used the target organization’s branding to avoid suspicion.

Microsoft 365 phishing campaign leverages EvilProxy and Adversary-in-the-Middle attacks

The multi-step infection chain leverages phishing emails with malicious URLs impersonating Adobe Sign, Concur, and DocuSign. To avoid detection, the embedded malicious links redirect Microsoft 365 users via legitimate websites, such as youtube[.]com and bs.serving-sys[.]com.

Additionally, the threat actors scattered traffic through several redirection steps involving malicious cookies and 404 redirects.

However, they called off the attack by redirecting users to legitimate websites after detecting Turkish IP addresses, suggesting the phishing campaign was based out of the country.

The last step redirects traffic through EvilProxy, a phishing-as-a-service (PhaaS) platform built on a reverse-proxy architecture. Its pages carry the victim organization's branding and are used to hijack MFA credentials and harvest session cookies.

“If needed, these pages may request MFA credentials to facilitate a real, successful authentication on behalf of the victim – thus also validating the gathered credentials as legitimate,” noted the researchers.

The phishing campaign employs sophisticated Adversary-in-the-Middle (AitM) phishing kits to bypass multifactor authentication adopted by many organizations. At least 35% of the compromised Microsoft 365 users had MFA enabled.

To evade automated scanning tools, the threat actors encode the user's email address, together with the legitimate website used for redirection, and decode it with a PHP script they uploaded.

“After decoding the email address, the user was forwarded to the final website – the actual phishing page, tailor-made just for that target’s organization,” the researchers stated.

To establish persistence, the threat actors added their own MFA authentication method on compromised Microsoft 365 user accounts via “Authenticator App with Notification and Code.”
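The persistence step above is visible to defenders as a new MFA method being registered on a user's account. The following is an added example (not code from the article or from Proofpoint) that scans constructed audit and sign-in records for registrations of the method named above coming from an IP the user has no sign-in history for; the field names are an assumption loosely modelled on Entra ID log fields.

```python
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Entra ID sign-in and audit
# log fields; the field names are an assumption, not taken from the article.
SIGNINS = [
    {"time": "2023-05-01T08:00:00Z", "user": "dev@example.com", "ip": "203.0.113.55"},
    {"time": "2023-05-02T08:10:00Z", "user": "cfo@example.com", "ip": "203.0.113.10"},
    {"time": "2023-05-03T09:05:00Z", "user": "cfo@example.com", "ip": "203.0.113.10"},
    {"time": "2023-05-04T11:30:00Z", "user": "cfo@example.com", "ip": "198.51.100.77"},
    {"time": "2023-05-04T11:50:00Z", "user": "dev@example.com", "ip": "203.0.113.55"},
]
AUDITS = [
    {"time": "2023-05-04T11:42:00Z", "user": "cfo@example.com", "ip": "198.51.100.77",
     "activity": "User registered security info",
     "reason": "User registered Authenticator App with Notification and Code"},
    {"time": "2023-05-04T12:00:00Z", "user": "dev@example.com", "ip": "203.0.113.55",
     "activity": "User registered security info",
     "reason": "User registered Authenticator App with Notification and Code"},
    {"time": "2023-05-04T12:05:00Z", "user": "cfo@example.com", "ip": "198.51.100.77",
     "activity": "Update user", "reason": ""},
]

MFA_METHOD = "Authenticator App with Notification and Code"

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def known_ips(signins, user, before, days=30):
    """IPs the user signed in from in the `days` before `before`, excluding the
    final 24h so a fresh attacker sign-in does not become its own baseline."""
    lo, hi = before - timedelta(days=days), before - timedelta(hours=24)
    return {s["ip"] for s in signins
            if s["user"] == user and lo <= ts(s["time"]) < hi}

def suspicious_mfa_registrations(audits, signins):
    """Return (user, time, ip) for registrations of the MFA method named in the
    article that come from an IP with no prior sign-in history for that user."""
    hits = []
    for a in audits:
        if a["activity"] != "User registered security info" or MFA_METHOD not in a["reason"]:
            continue
        if a["ip"] not in known_ips(signins, a["user"], ts(a["time"])):
            hits.append((a["user"], a["time"], a["ip"]))
    return hits

if __name__ == "__main__":
    for hit in suspicious_mfa_registrations(AUDITS, SIGNINS):
        print("ALERT: new MFA method registered from unfamiliar IP:", hit)
```

Only the CFO's registration is flagged: it follows a sign-in from an address with no history for that account, while the developer's registration comes from a long-used address.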

Finally, they monetized their access through financial fraud, data exfiltration, hacking-as-a-service (HaaS), or selling compromised user accounts.

“The scale and audacity of the EvilProxy phishing campaign targeting 120,000 Microsoft 365 users is deeply concerning,” said Colin Little, a Security Engineer at Centripetal. “The fact that this campaign managed to breach organizations with MFA protection showcases the evolving sophistication of cyberattacks.

“It’s a stark reminder that no security measure is bulletproof, and cybercriminals are continually finding new ways to exploit vulnerabilities.”

Phishing campaign targets senior executives and ignores junior employees

Although threat actors cast their nets wide, the phishing campaign usually targets senior business executives with access to companies’ assets.

Consequently, C-level executives accounted for 39% of compromised Microsoft 365 users, of which 17% were chief financial officers and 9% were presidents and CEOs.

However, the threat actors also target lower-level management executives with access to sensitive information or financial assets while ignoring less lucrative employees.

Proofpoint researchers found that successful account takeovers targeting senior executives increased by 100% over the six-month period. Collectively, the phishing campaign has targeted over 100 organizations worldwide, impacting over 1.5 million Microsoft 365 users.

Proofpoint attributed the proliferation of phishing attacks to access to sophisticated phishing infrastructure that lowers the entry barrier.

“Nowadays, all an attacker needs is to set up a campaign using a point-and-click interface with customizable options, such as bot detection, proxy detection, and geofencing. This relatively simple and low-cost interface has opened a floodgate of successful MFA phishing activity. One such interface and toolkit is EvilProxy, an all-inclusive phishing kit that is easy to acquire, configure, and set up,” said the researchers.

According to cybersecurity firm Resecurity, threat actors can rent EvilProxy, capable of targeting Apple, Facebook, Google, Microsoft, and other major online accounts, for $150 – $400.

The researchers highlighted the threat posed by PhaaS infrastructure such as EvilProxy and the shortcomings of MFA against reverse-proxy phishing.

They recommended cloud security solutions, business email compromise (BEC) prevention solutions, security awareness training, FIDO-based physical security keys, and isolating potentially malicious sessions from email-bound links.
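FIDO keys appear in that list because a WebAuthn assertion is bound to the origin the browser actually loaded, so a relayed login from a proxy domain fails verification. The following is an added example (not from the article or from any vendor) of that check in simplified form; the relying-party id, origins and challenge are constructed, and an HMAC over the same data stands in for the authenticator's private-key signature, which is an assumption made to keep it self-contained.

```python
import hashlib
import hmac
import json

# Constructed relying party and credential; the real protocol uses a per-credential
# asymmetric key, HMAC with a shared key is the stand-in used here.
RP_ID = "login.example.com"
CRED_KEY = b"constructed-credential-key"
RP_ORIGIN = "https://login.example.com"

def authenticator_assert(origin, rp_id, challenge, key=CRED_KEY):
    """What the browser plus authenticator produce: the browser fills in the page's
    real origin, the authenticator binds SHA-256(rpId) into authenticatorData."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + flags
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return client_data, auth_data, sig

def rp_verify(client_data, auth_data, sig, challenge, expected_origin=RP_ORIGIN,
              rp_id=RP_ID, key=CRED_KEY):
    """Relying-party side checks in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "bad-challenge"
    if cd.get("origin") != expected_origin:
        return "origin-mismatch"      # the check that defeats a reverse-proxy login page
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpid-mismatch"
    expect = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return "ok" if hmac.compare_digest(expect, sig) else "bad-signature"

def demo(proxy_origin="https://login-example.phish.example"):
    """Legitimate login vs. the same challenge relayed through a proxy page."""
    chal = "constructed-challenge-123"
    direct = rp_verify(*authenticator_assert(RP_ORIGIN, RP_ID, chal), chal)
    # On the proxy's page the browser reports the proxy origin; the proxy cannot
    # rewrite it without invalidating the signature over clientDataJSON.
    relayed = rp_verify(*authenticator_assert(proxy_origin, RP_ID, chal), chal)
    return direct, relayed
```

In practice the browser would already refuse the request on the proxy page because the relying-party id is not a registrable suffix of that origin; the origin check shown is the server-side backstop.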