In a concerning turn of events, attackers have recently launched an extensive phishing campaign named EvilProxy, causing a storm of trouble for thousands of Microsoft 365 users worldwide. This campaign targeted high-profile user accounts, mainly those belonging to top executives, with the ultimate goal of infiltrating deeper into organizations' internal systems.
Over a span of three months from March to June of 2023, phishing attackers have flooded over 100 organizations across the globe with a staggering 120,000 phishing emails. The primary aim was to gain control over executive-level accounts within Microsoft 365, creating a pathway for more sinister attacks within the targeted organizations.
Researchers unveiled the tactics used in this ongoing attack scheme. The attackers employed a variety of phishing methods, including disguising as reputable brands, evading security scans, and a multi-step infection chain. These attempts allowed them to successfully seize control of cloud accounts belonging to high-ranking executives. The scope of this campaign is truly alarming. Over the past six months, the number of compromised accounts has surged by more than 100%, impacting organizations with a combined workforce of 1.5 million employees across the world.
EvilProxy, a phishing-as-a-service tool utilized by the attackers, played a pivotal role in bypassing multi-factor authentication (MFA), a widely hailed security measure. This tool leveraged techniques like reverse proxy and cookie injection to slip past MFA barriers, rendering it ineffective in preventing these attacks. Even when MFA was in place, the attackers used pages that could request MFA credentials to validate stolen information and successfully authenticate themselves.
Once the attackers acquired the targeted credentials, they wasted no time in accessing executives' cloud accounts, achieving unauthorized entry within seconds. To maintain their hold on these compromised accounts, the attackers exploited a native Microsoft 365 application to add their own MFA to the "My Sign-Ins" section. Their preferred method for this was utilizing the "Authenticator App with Notification and Code."
Strikingly, the researchers found that even among users with MFA enabled, at least 35% fell victim to account takeovers, debunking the assumption that MFA alone provides foolproof protection.
Dissecting the EvilProxy Attack
The EvilProxy attack pattern generally started with the attackers impersonating trusted services like Concur, DocuSign, and Adobe. These malicious emails, often sent from spoofed addresses, contained links to deceptive Microsoft 365 phishing websites. Clicking on these links initiated a multi-step process involving legitimate redirects, malicious cookies, and strategic 404 errors to obscure the attack's trail.
The attackers exhibited extreme precision, focusing on C-suite executives in around 39% of their attacks. Among these targets, 17% were CFOs, and 9% were presidents and CEOs.
The scale and effectiveness of the EvilProxy campaign underscore the increasing sophistication of phishing attacks. The incident serves as a stark reminder that no security measure is impenetrable, prompting organizations to adopt advanced security strategies. Cybersecurity experts recommend proactive monitoring for unusual activities and emerging threats, along with bolstering defenses to counteract evolving cybercriminal tactics.
In Conclusion
This alarming campaign highlights the urgency for organizations to elevate their cybersecurity practices, combatting the ever-evolving tactics of malicious attackers like those behind the EvilProxy campaign.
RCS has been helping businesses stay protected and cyber-safe since 1999. If you need help with your business cyber security contact us at info@rcsprofessional.com or visit https://www.rcsprofessional.com/contact-us
