Thursday September 19, 2024

Advisory ID: NCC-CSIRT-150823-030

Summary: Researchers at Proofpoint have identified an EvilProxy phishing campaign that is focused on compromising Microsoft 365 user accounts on a global scale. This campaign involves the distribution of nearly 120,000 phishing emails to over 100 organizations worldwide. The primary objective is to gain control of the cloud accounts belonging to high-level executives, with the aim of executing more advanced attacks within the organization's internal systems.

Threat Type(s): Phishing

Impact/Vulnerability: CRITICAL/MEDIUM

Product(s): Microsoft 365

Platform(s): EvilProxy Phishing-as-a-Service Platform

Version(s): All Versions 

Description: Based on the researchers' discoveries, the attackers behind this campaign are leveraging an EvilProxy phishing strategy. EvilProxy operates as a phishing-as-a-service platform, utilizing reverse proxies to relay authentication requests and user credentials between the targeted user and the authentic service website. Although multi-factor authentication (MFA) is commonly recommended as a defense against phishing, EvilProxy and similar reverse-proxy tools make it easier for malicious actors to bypass this security measure.

The malicious actors employ the EvilProxy service to dispatch deceptive emails that mimic reputable brands like Adobe, DocuSign, and Concur. Clicking on the embedded link guides the recipient through a sequence of open redirections via platforms like YouTube or SlickDeals, followed by subsequent redirections aimed at reducing the likelihood of detection and analysis. Ultimately, the victim arrives at an EvilProxy phishing page, which functions as a reverse proxy for the Microsoft 365 login page. This page is designed to mimic the organization's theme, lending an air of authenticity to the victim's experience.

To evade automated scanning tools, the attackers utilize specialized encoding for user email addresses. Compromised legitimate websites are exploited to upload PHP code, facilitating the decoding of the targeted user's email address. Once decoded, the user is directed to the final website, which hosts the tailored phishing page meticulously crafted for the specific target organization. 

Consequences: The phishing emails often imitate reputable and trusted services or applications while employing scan-blocking techniques to evade detection by a wide range of security tools.

Solution: Organizations can defend against this threat in the following ways:

  1. User Awareness: Educate users about the associated risks when utilizing Microsoft 365.
  2. Email Protection: Block and monitor malicious email threats directed at users.
  3. Cloud Protection: Utilize cloud security mechanisms with the following functionalities:
    1. Detecting occurrences of account takeover (ATO) and unauthorized access to sensitive resources within the cloud environment.
    2. Ensuring accurate and timely detection of both the initial account breach and subsequent unauthorized activities, including the monitoring of service and application misuse.
    3. Incorporating automated remediation capabilities to reduce the duration of attacker presence in the system and mitigate potential harm.
  4. Web Security: Isolate potentially harmful sessions initiated via links embedded in email messages.
  5. FIDO: Consider adopting “Fast Identity Online” (FIDO) based physical security keys. FIDO is a technical standard designed for authenticating online user identities. It is applicable in various scenarios like fingerprint and two-factor login. This enables users to utilize biometric features or a FIDO security key for logging into their online accounts.
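
For the email-protection step, one way to flag links that start on a reputable site but forward through open redirects to another host, as in the redirect chain described above. This is an added example, not code from the advisory or from Proofpoint; the host names, sample links, trusted list and hop limit are constructed assumptions, and the check reads the URL text only, without making network requests.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_HOPS = 5  # assumed cap on how many nested redirect layers to unwrap

def _host(url):
    """Lowercased hostname of an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    return parts.hostname if parts.scheme in ("http", "https") else None

def _nested_url(url):
    """First absolute URL carried in a query or fragment parameter, else None."""
    parts = urlsplit(url)
    for source in (parts.query, parts.fragment):
        for _name, value in parse_qsl(source, keep_blank_values=True):
            candidate = value.strip()
            for _ in range(3):  # peel extra percent-encoding layers
                if _host(candidate):
                    return candidate
                candidate = unquote(candidate)
    return None

def redirect_chain(url):
    """Hostnames a link passes through, read statically from URL-in-URL nesting."""
    chain = []
    while url and _host(url) and len(chain) < MAX_HOPS:
        chain.append(_host(url))
        url = _nested_url(url)
    return chain

def _within(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def abuses_trusted_redirect(url, trusted):
    """True when a link starts on a trusted host but ends on an untrusted one."""
    chain = redirect_chain(url)
    return len(chain) > 1 and _within(chain[0], trusted) and not _within(chain[-1], trusted)

# Constructed sample links (reserved .example/.invalid names, not real indicators).
TRUSTED = {"video.example", "deals.example"}
SAMPLE_PHISH = ("https://video.example/redirect?event=x&q=https%3A%2F%2Fdeals.example"
                "%2Fout%3Fu%3Dhttps%253A%252F%252Flogin.phish.invalid%252Fo365")
SAMPLE_BENIGN = "https://video.example/login?next=https%3A%2F%2Fwww.video.example%2Fhome"

if __name__ == "__main__":
    for link in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(abuses_trusted_redirect(link, TRUSTED), redirect_chain(link))
```

A static check like this only sees destinations embedded in the link itself; redirects issued server-side by a compromised site still need URL detonation or session isolation to observe.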

References:
https://www.bleepingcomputer.com/news/security/evilproxy-phishing-campaign-targets-120-000-microsoft-365-users/ 

https://www.infosecurity-magazine.com/news/evilproxy-campaign-120000-phishing/ 

https://www.darkreading.com/cloud/evilproxy-cyberattack-flood-execs-microsoft-365 

https://www.proofpoint.com/uk/blog/email-and-cloud-threats/cloud-account-takeover-campaign-leveraging-evilproxy-targets-top-level 

https://www.darkreading.com/threat-intelligence/downfall-bug-billions-intel-cpus-design-flaw