Over the last five months, attackers have leveraged the known EvilProxy tool in phishing attacks launched against thousands of Microsoft 365 accounts, primarily targeting top executives at businesses.
Researchers said the campaign has been widespread, with the threat actor sending 120,000 phishing emails to over 100 organizations worldwide between March and June. The attackers are using spoofed email addresses impersonating top brands used by businesses - like DocuSign, Adobe Sign and Concur - to trick the target into clicking on a malicious URL in the email.
“Although these attacks’ initial threat vector is email-based, their final goal is to compromise and exploit valuable cloud user accounts, assets, and data,” said researchers with Proofpoint in a Wednesday analysis. “Given access to a ‘VIP’ user account, attackers will first seek to consolidate their gains by establishing persistence. Then, they will attempt to exploit their unauthorized access.”
After the target clicks on the phishing email link, they are redirected several times, through various redirectors, including YouTube and 404 redirects, before finally landing on the EvilProxy phishing framework, which uses a reverse proxy in order to present a login page using the target’s company branding for added legitimacy. Once the target attempts to authenticate with multi-factor authentication, the attackers intercept the request and forward it to the actual server; and then intercept the legitimate server response and forward it back to the victim’s client, in order to capture the valid session cookie.
EvilProxy, which was uncovered last year being sold as-a-service, offers an easy way to configure and set up attacks. This makes phishing even more accessible for less sophisticated cybercriminals, as researchers have seen with many phishing kits on the market targeting Microsoft 365 users, including one discovered this year called Greatness designed specifically to impersonate Microsoft 365 instances.
“Although the effectiveness of EvilProxy as a phishing tool is largely recognized, Proofpoint threat analysts have identified a concerning gap in public awareness regarding its risks and potential consequences,” according to Proofpoint researchers.
While many phishing attacks cast a wide net in their targeting, the attackers in this campaign are laser-focused on business executives and seemingly ignore non-executive “less lucrative phished profiles,” said researchers. Many of the compromised accounts belong to leadership-level employees, with 39 percent belonging to C-level executives, 17 percent belonging to CFOs and 9 percent belonging to CEOs. Post-exploitation, the threat actors are aiming to exfiltrate data, move laterally and deploy malware, said researchers.
“The attackers have been known to study their target organizations’ culture, hierarchy, and processes, to prepare their attacks and improve success rates,” said researchers. “In order to monetize their access, attackers were seen executing financial fraud, performing data exfiltration or partaking in Hacking-as-a-Service (HaaS) transactions, selling access to compromised user accounts.”