Threat actors are having recent success defeating multifactor authentication-protected Microsoft 365 cloud accounts using the EvilProxy phishing kit, say researchers at Proofpoint.
Since early March, they’ve seen an ongoing hybrid campaign using EvilProxy to target thousands of Microsoft 365 user accounts, particularly those of C-level and senior executives of major companies. In fact, the attackers ignore the successful compromise of accounts of persons they deem of lower value unless they have access to financial or sensitive corporate information.
Among the hundreds of compromised users, Proofpoint says, approximately 39 per cent were C-level executives, of whom 17 per cent were chief financial officers, and nine per cent were presidents and CEOs.
Once a targeted user has provided their credentials, attackers were able to log into their Microsoft 365 account within seconds, say the researchers, suggesting a streamlined and automated process.
“This campaign’s overall spread is impressive, with approximately 120,000 phishing emails sent to hundreds of targeted organizations across the globe between March and June,” the researchers said in a blog this week.
During the phishing stage the attackers use the following techniques:
- Brand impersonation. Sender addresses impersonated trusted services and apps, such as Concur Solutions, DocuSign and Adobe.
- Scan blocking. Attackers utilized protection against cyber security scanning bots, making it harder for security solutions to analyze their malicious web pages.
- Multi-step infection chain. Attackers redirected traffic via open legitimate redirectors, including YouTube, followed by additional steps such as malicious cookies and 404 redirects.
Initially, phishing messages impersonated known trusted services, such as the business expense management system Concur, DocuSign and Adobe. Using spoofed email addresses, these emails contained links to malicious Microsoft 365 phishing websites. Eventually, after several redirection transitions, the user is sent to an EvilProxy phishing framework. The landing page functions as a reverse proxy, mimicking recipient branding and attempting to handle third-party identity providers. If needed, these pages may request MFA credentials to facilitate a real, successful authentication on behalf of the victim – thus also validating the gathered credentials as legitimate.
In the next waves of this campaign, in order to prevent detection by security solutions and to entice the user to click the links, attackers employ redirect links on reputable websites such as YouTube and SlickDeals.
Once attackers accessed a victim’s account, they cemented their foothold within the impacted organization’s cloud environment, often by leveraging a native Microsoft 365 application to execute MFA manipulation. They do it by adding their own multi-factor authentication method.
Proofpoint says IT and infosec pros need to take a number of steps to block this kind of attack, including effective business email compromise prevention solutions. In addition, they need to have solutions or processes to identify account takeover and unauthorized access to sensitive resources. In some cases, certain staff should be required to have FIDO-based physical security keys to protect login access. And employee security awareness training needs to be beefed up.