10 August 2023

Criminals use EvilProxy phishing tool to take over corporate executives’ accounts


Threat actors are using the EvilProxy phishing platform to bypass multifactor authentication (MFA) protections in the Microsoft 365 accounts belonging to high-level corporate executives at prominent firms.

According to new Proofpoint research, an ongoing hybrid EvilProxy campaign running since March 2023 combines brand impersonation, bot-detection evasion, and open redirects, and has targeted thousands of Microsoft 365 user accounts; approximately 120,000 phishing emails were sent to hundreds of targeted organizations across the globe between March and June 2023.

EvilProxy is an adversary-in-the-middle (AitM) phishing platform that lets cybercriminals build customized phishing emails linking to look-alike sign-in pages for services such as Google Workspace and Microsoft 365. Rather than merely imitating the login page, the phishing site acts as a reverse proxy: it relays the victim's requests to the legitimate login portal and relays the portal's responses back, so the victim completes a real sign-in, including any one-time-code or push-based MFA prompt. In the process the attacker captures both the credentials and the session cookie that the service issues after MFA succeeds, and presenting that cookie lets the attacker use the account without re-authenticating or ever facing the MFA challenge again.
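The durable indicator of this relay is that one authenticated session is later presented from the attacker's network with no fresh authentication. The following detection logic is an illustration added to this article (it is not Proofpoint's tooling and not anything from the EvilProxy kit); the sign-in records are constructed and use a simplified schema, not the real Microsoft Entra sign-in log format, and the field names `auth`, `asn` and `session_id` are assumptions:

```python
"""Detect replay of a stolen session cookie from a second network location.

Illustrative code added to this article; it is not Proofpoint's detection
logic or anything from the EvilProxy kit. The records below are constructed
and use a simplified schema (not the real Microsoft Entra sign-in log format):
"auth" is "password+mfa" for an interactive sign-in that completed MFA and
"cookie" when an existing session cookie was presented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an AitM kit relays the CFO's real sign-in (MFA included),
# captures the resulting session cookie, and about 17 minutes later the
# attacker presents that cookie from a different network. The CEO's session is
# benign: the cookie is only ever used from the network that authenticated.
SIGNIN_LOG = [
    {"ts": "2023-04-03T08:02:11Z", "user": "cfo@example.com", "ip": "203.0.113.10",
     "asn": "AS64500", "session_id": "sess-7f3a", "auth": "password+mfa"},
    {"ts": "2023-04-03T08:03:40Z", "user": "cfo@example.com", "ip": "203.0.113.10",
     "asn": "AS64500", "session_id": "sess-7f3a", "auth": "cookie"},
    {"ts": "2023-04-03T08:19:05Z", "user": "cfo@example.com", "ip": "198.51.100.77",
     "asn": "AS64511", "session_id": "sess-7f3a", "auth": "cookie"},
    {"ts": "2023-04-03T09:30:00Z", "user": "ceo@example.com", "ip": "192.0.2.5",
     "asn": "AS64501", "session_id": "sess-9c21", "auth": "password+mfa"},
    {"ts": "2023-04-03T12:00:00Z", "user": "ceo@example.com", "ip": "192.0.2.5",
     "asn": "AS64501", "session_id": "sess-9c21", "auth": "cookie"},
]


def _ts(record):
    return datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ")


def find_session_replay(records, window=timedelta(hours=24)):
    """Return one alert per cookie-only use of a session from an ASN that
    never performed a fresh authentication for that session.

    A user who travels and re-authenticates (password+mfa) from the new
    network is not flagged; only cookie presentation from an ASN with no
    fresh authentication, within `window` of the session's first event, is.
    """
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session_id"]].append(r)

    alerts = []
    for sid, events in by_session.items():
        events.sort(key=_ts)
        first = events[0]
        authenticated_asns = {e["asn"] for e in events if e["auth"] != "cookie"}
        for e in events:
            if e["auth"] != "cookie" or e["asn"] in authenticated_asns:
                continue
            if _ts(e) - _ts(first) > window:
                continue
            alerts.append({
                "session_id": sid,
                "user": e["user"],
                "origin_ip": first["ip"],
                "replay_ip": e["ip"],
                "minutes_after_signin": round((_ts(e) - _ts(first)).total_seconds() / 60, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(SIGNIN_LOG):
        print(alert)  # one alert: cfo@example.com, sess-7f3a replayed from 198.51.100.77
```

Two practical notes. First, the ASN-change heuristic is noisy on its own (mobile carriers, corporate VPN egress and Wi-Fi hand-offs all change ASN), so in production it belongs next to impossible-travel and device-compliance signals, and the response to a hit is to revoke the session and refresh tokens, not just the password. Second, the reason a large share of the compromised accounts had MFA enabled is that one-time codes and push approvals are relayable; phishing-resistant methods such as FIDO2/WebAuthn bind the credential to the legitimate origin, so a proxy on a look-alike domain cannot complete the ceremony.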

Proofpoint said that over the past six months it observed more than a 100% rise in successful cloud account takeover incidents impacting high-level executives, with more than 100 companies targeted globally.

According to the researchers, at least 35% of the compromised accounts had MFA enabled. More than one-third of the accounts belonged to C-level executives, including CEOs and chief financial officers.

The campaign involved the use of several techniques:

Brand impersonation. Sender addresses impersonated trusted services and apps, such as Concur Solutions, DocuSign and Adobe.

Scan blocking. Attackers blocked or evaded the scanning bots used by security products, making it harder for those products to analyze the malicious pages.

Multi-step infection chain. Attackers routed traffic through legitimate open redirectors, including YouTube, followed by additional steps such as malicious cookies and 404 redirects, before landing on the proxied login page.
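Because each hop in such a chain hides the next destination inside a query parameter, a link that starts at a trusted domain can be unwrapped offline to see where it actually ends. The code below is an illustration added here, not Proofpoint's code; the redirector URLs, the final phishing hostname and the allow list are constructed, and since real redirectors use their own parameter names the function inspects every query parameter and the fragment for an embedded URL, including percent-encoded and base64-encoded ones:

```python
"""Statically unwrap nested open-redirect URLs to the final destination.

Added illustration, not Proofpoint's code. Hostnames and the allow list are
constructed; no network request is made, so the result is what the link
says, not what the server would do (a server-side 302 or a 404 page that
redirects with JavaScript is invisible to this check).
"""
import base64
from urllib.parse import parse_qs, quote, unquote, urlparse

TRUSTED_HOSTS = {"www.youtube.com", "youtube.com"}            # brands abused as redirectors
ALLOWED_FINAL = {"login.microsoftonline.com", "www.microsoft.com"}  # assumed org allow list

# Constructed sample link: YouTube-style redirector -> tracker -> phishing page
FINAL = "https://login-m365.example-phish.test/"
_inner = "https://tracker.example-redirect.test/r?u=" + base64.urlsafe_b64encode(FINAL.encode()).decode()
SAMPLE_URL = "https://www.youtube.com/redirect?q=" + quote(_inner, safe="")


def _looks_like_url(value):
    return value.startswith(("http://", "https://", "//")) and urlparse(value).netloc != ""


def _decode_candidates(value):
    """Yield plausible decodings of one parameter value: as-is, repeatedly
    percent-decoded (double encoding), then base64 in both alphabets."""
    current = value
    for _ in range(3):
        yield current
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            yield decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue


def unwrap_redirects(url, max_depth=8):
    """Return the chain of URLs, following embedded-URL parameters."""
    chain = [url]
    for _ in range(max_depth):
        parsed = urlparse(chain[-1])
        candidates = [v for vals in parse_qs(parsed.query, keep_blank_values=True).values() for v in vals]
        if parsed.fragment:
            candidates.append(parsed.fragment)
        next_url = next((d for c in candidates for d in _decode_candidates(c) if _looks_like_url(d)), None)
        if next_url is None:
            break
        chain.append(next_url)
    return chain


def classify(url, trusted_hosts=TRUSTED_HOSTS, allowed_final=ALLOWED_FINAL):
    """Flag a link that enters via a trusted host and exits somewhere not allow-listed."""
    chain = unwrap_redirects(url)
    hosts = [urlparse(u).hostname or "" for u in chain]
    suspicious = len(chain) > 1 and hosts[0] in trusted_hosts and hosts[-1] not in allowed_final
    return {"chain": chain, "hosts": hosts, "suspicious": suspicious}


if __name__ == "__main__":
    result = classify(SAMPLE_URL)
    print(" -> ".join(result["hosts"]), "| suspicious:", result["suspicious"])
```

The allow list matters more than the trusted-host list: a redirector that lands on the genuine tenant login page is normal marketing traffic, whereas one that lands on a freshly registered look-alike is the pattern described above. Because the check is static, treat it as a triage filter for mail-gateway or URL-rewriting logs and follow up with sandboxed browsing for anything the chain cannot resolve.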

“Given access to a ‘VIP’ user account, attackers will first seek to consolidate their gains by establishing persistence. Then, they will attempt to exploit their unauthorized access,” the researchers wrote. “During those last phases, cyber criminals employ various techniques, including lateral movement and malware proliferation. The attackers have been known to study their target organizations’ culture, hierarchy, and processes, to prepare their attacks and improve success rates. In order to monetize their access, attackers were seen executing financial fraud, performing data exfiltration or partaking in Hacking-as-a-Service (HaaS) transactions, selling access to compromised user accounts.”
