
EvilProxy used in massive cloud account takeover scheme

Cloud account takeover scheme utilizing EvilProxy hit over 100 top-level executives of global organizations

EvilProxy was observed sending 120,000 phishing emails to over a hundred organizations to steal Microsoft 365 accounts. Proofpoint noticed a worrisome surge of successful cloud account compromises in the past five months. Most of the attacks targeted high-ranking executives. The researchers estimated that the campaign targeted over 100 organizations globally, collectively representing 1.5 million employees.

Approximately 39% of the victims were C-level executives, of which 17% were Chief Financial Officers and 9% were Presidents and CEOs.

“Threat actors utilized EvilProxy – a phishing tool based on a reverse proxy architecture, which allows attackers to steal MFA-protected credentials and session cookies,” reads the post published by Proofpoint.

“This rising threat combines sophisticated Adversary-in-the-Middle phishing with advanced account takeover methods, in response to the growing adoption of multifactor authentication by organizations.”

The researchers observed a significant increase in account takeovers among tenants that have MFA protection: at least 35% of all compromised users during the past year had MFA enabled.

Threat actors relied at very large scale on brand impersonation, evasion techniques, and a multi-step infection chain (they redirected traffic via open legitimate redirectors).

EvilProxy was discovered by ReSecurity researchers in September 2022; the Phishing-as-a-Service (PhaaS) platform was advertised on the Dark Web. In some sources it goes by the alternative name Moloch, which has some connection to a phishing kit developed by several notable underground actors who previously targeted financial institutions and the e-commerce sector.

EvilProxy actors use Reverse Proxy and Cookie Injection methods to bypass 2FA by proxying the victim’s session. Previously, such methods were seen in targeted campaigns by APT and cyberespionage groups; now they have been successfully productized in EvilProxy, which highlights the growth in attacks against online services and MFA authorization mechanisms.
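A defender-side illustration of the session-cookie replay described above, added here as an example (it is not from the Proofpoint report or from this article): it flags a session identifier that is later presented with a different client fingerprint than the one it first appeared with. The log layout, field names and sample events are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events; the space-separated layout
# (time user session_id source_ip user_agent action) is an assumed schema.
SAMPLE_LOG = """\
2023-08-01T09:00:05Z cfo@corp.example sess-a1 198.51.100.7 Edge/115 mfa_success
2023-08-01T09:00:40Z cfo@corp.example sess-a1 198.51.100.7 Edge/115 mailbox_read
2023-08-01T09:03:10Z cfo@corp.example sess-a1 203.0.113.50 Firefox/102 mailbox_read
2023-08-01T09:04:02Z cfo@corp.example sess-a1 203.0.113.50 Firefox/102 mailbox_read
2023-08-01T10:15:00Z dev@corp.example sess-b2 192.0.2.20 Chrome/115 mfa_success
2023-08-01T10:20:00Z dev@corp.example sess-b2 192.0.2.20 Chrome/115 mailbox_read
"""


def parse(log):
    """Turn log text into time-ordered event dicts, skipping lines without six fields."""
    events = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, user, sid, ip, ua, action = fields
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "sid": sid, "ip": ip, "ua": ua, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def find_replayed_sessions(events):
    """Report each session later presented from a fingerprint it was not bound to."""
    bound = {}        # sid -> (ip, user agent) seen when the session first appeared
    reported = set()  # (sid, fingerprint) pairs already alerted on
    alerts = []
    for e in events:
        fp = (e["ip"], e["ua"])
        first = bound.setdefault(e["sid"], fp)
        if fp != first and (e["sid"], fp) not in reported:
            reported.add((e["sid"], fp))
            alerts.append({"user": e["user"], "sid": e["sid"], "bound_ip": first[0],
                           "seen_ip": e["ip"], "seen_ua": e["ua"],
                           "first_seen": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(parse(SAMPLE_LOG)):
        print(alert)
```

With a reverse proxy in the path, the fingerprint recorded at sign-in belongs to the proxy rather than the victim, so the signal is the mismatch itself. Roaming and VPN users change address legitimately, which makes this an input for correlation rather than a verdict.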

The attack chain employed in the campaign starts with phishing emails sent from spoofed email addresses. Attackers impersonated known trusted services such as Concur, DocuSign and Adobe. The phishing messages contained links to malicious Microsoft 365 phishing websites.  

Upon clicking the embedded link, the recipient passes through an open redirection via YouTube or SlickDeals, followed by a series of further redirections intended to avoid detection.

“Eventually, user traffic is directed to an EvilProxy phishing framework. The landing page functions as a reverse proxy, mimicking recipient branding and attempting to handle third-party identity providers. If needed, these pages may request MFA credentials to facilitate a real, successful authentication on behalf of the victim – thus also validating the gathered credentials as legitimate,” continues the report.

The researchers noticed that the attack flow depends on the geographic location of the victims. User traffic originating from Turkish IP addresses was directed to the legitimate web page, a circumstance that suggests the threat actors behind this campaign are based in Turkey.

“Threat actors constantly seek new ways to steal users’ credentials and acquire access to valuable user accounts. Their methods and techniques constantly adapt to new security products and methodologies, such as multi-factor authentication. As this blog illustrates, even MFA is not a silver bullet against sophisticated threats and could be bypassed by various forms of combined email-to-cloud attacks,” concludes the report. “Reverse proxy threats (and EvilProxy in particular) are a potent threat in today’s dynamic landscape and are outcompeting the less capable phish kits of the past.”
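A mail-filtering check for the open-redirect hop in the chain described above, added here as an example (not code from the report or this article): it extracts links from a message body and reports any whose query string carries an absolute URL to a different host, including double-encoded ones. The sample body and all hosts are constructed placeholders, and the exact-host comparison is a simplifying assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LINK_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed message body; every host is a placeholder.
SAMPLE_BODY = """\
Your expense report is ready: https://video.example/redirect?event=desc&q=https%3A%2F%2Flogin.phish.example%2Fo365
Help centre: https://docs.corp.example/help?topic=mfa
Signed document: https://deals.example/out?u=https%253A%252F%252Fhop1.example%252Fr
"""


def embedded_redirect_targets(link):
    """Return URLs carried in the link's query string that point at another host."""
    try:
        outer = urlsplit(link)
    except ValueError:
        return []
    outer_host = (outer.hostname or "").lower()
    targets = []
    for _name, value in parse_qsl(outer.query, keep_blank_values=True):
        candidate = value
        for _ in range(3):  # parse_qsl decoded once; allow two more encoding layers
            try:
                parts = urlsplit(candidate)
            except ValueError:
                break
            absolute = parts.scheme in ("http", "https") or candidate.startswith("//")
            if absolute and parts.hostname:
                if parts.hostname.lower() != outer_host:
                    targets.append(candidate)
                break
            decoded = unquote(candidate)
            if decoded == candidate:
                break
            candidate = decoded
    return targets


def flag_links(body):
    """Map each link in a message body to the off-host URLs hidden in its query."""
    flagged = {}
    for link in LINK_RE.findall(body):
        targets = embedded_redirect_targets(link)
        if targets:
            flagged[link] = targets
    return flagged
```

A hit means the visible, trusted-looking host is not where the click ends up, so the embedded target is what should be reputation-checked or detonated.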


Pierluigi Paganini

(SecurityAffairs – hacking, phishing)
