Is Multifactor Authentication (MFA) Enough to Shield You from Evolving Phishing Attacks?

In a concerning turn of events, attackers have recently launched an extensive phishing campaign named EvilProxy, causing a storm of trouble for thousands of Microsoft 365 users worldwide. This campaign targeted high-profile user accounts, mainly those belonging to top executives, with the ultimate goal of infiltrating deeper into organizations' internal systems.

Over a span of three months from March to June of 2023, the attackers flooded over 100 organizations across the globe with a staggering 120,000 phishing emails. The primary aim was to gain control over executive-level accounts within Microsoft 365, creating a pathway for more sinister attacks within the targeted organizations.

Researchers unveiled the tactics used in this ongoing attack scheme. The attackers employed a variety of phishing methods, including impersonating reputable brands, evading security scans, and using a multi-step infection chain. These methods allowed them to successfully seize control of cloud accounts belonging to high-ranking executives. The scope of this campaign is truly alarming. Over the past six months, the number of compromised accounts has surged by more than 100%, impacting organizations with a combined workforce of 1.5 million employees across the world.

EvilProxy, a phishing-as-a-service tool utilized by the attackers, played a pivotal role in bypassing multi-factor authentication (MFA), a widely hailed security measure. This tool leveraged techniques like reverse proxy and cookie injection to slip past MFA barriers, rendering MFA ineffective in preventing these attacks. Even when MFA was in place, the attackers used pages that could request MFA credentials to validate stolen information and successfully authenticate themselves.

Once the attackers acquired the targeted credentials, they wasted no time in accessing executives' cloud accounts, achieving unauthorized entry within seconds. To maintain their hold on these compromised accounts, the attackers exploited a native Microsoft 365 application to add their own MFA to the "My Sign-Ins" section. Their preferred method for this was utilizing the "Authenticator App with Notification and Code."

Strikingly, the researchers found that even among users with MFA enabled, at least 35% fell victim to account takeovers, debunking the assumption that MFA alone provides foolproof protection.


Dissecting the EvilProxy Attack

The EvilProxy attack pattern generally started with the attackers impersonating trusted services like Concur, DocuSign, and Adobe. These malicious emails, often sent from spoofed addresses, contained links to deceptive Microsoft 365 phishing websites. Clicking on these links initiated a multi-step process involving legitimate redirects, malicious cookies, and strategic 404 errors to obscure the attack's trail.

The attackers exhibited extreme precision, focusing on C-suite executives in around 39% of their attacks. Among these targets, 17% were CFOs, and 9% were presidents and CEOs.

The scale and effectiveness of the EvilProxy campaign underscore the increasing sophistication of phishing attacks. The incident serves as a stark reminder that no security measure is impenetrable, prompting organizations to adopt advanced security strategies. Cybersecurity experts recommend proactive monitoring for unusual activities and emerging threats, along with bolstering defenses to counteract evolving cybercriminal tactics.
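The monitoring recommended above can target the persistence step described earlier, where a new MFA method is registered within seconds of the takeover. The following detection sketch is an added example, not code from the researchers or from Microsoft; the event schema, field names, users, and IP addresses are constructed for illustration and do not match the real Microsoft 365 audit log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema
# (not the real Microsoft 365 audit log format).
EVENTS = [
    {"time": "2023-05-02T08:01:10", "user": "cfo@example.com", "type": "sign_in",
     "ip": "203.0.113.50"},
    {"time": "2023-05-02T08:01:45", "user": "cfo@example.com", "type": "mfa_method_added",
     "ip": "203.0.113.50", "method": "Authenticator App with Notification and Code"},
    {"time": "2023-05-02T09:00:00", "user": "analyst@example.com", "type": "sign_in",
     "ip": "198.51.100.7"},
    {"time": "2023-05-02T09:02:00", "user": "analyst@example.com", "type": "mfa_method_added",
     "ip": "198.51.100.7", "method": "Authenticator App with Notification and Code"},
    {"time": "2023-05-02T10:00:00", "user": "ceo@example.com", "type": "sign_in",
     "ip": "203.0.113.99"},
    {"time": "2023-05-02T14:00:00", "user": "ceo@example.com", "type": "mfa_method_added",
     "ip": "203.0.113.99", "method": "Authenticator App with Notification and Code"},
]

# Constructed baseline: IPs each user has signed in from before.
KNOWN_IPS = {"cfo@example.com": {"198.51.100.20"}, "analyst@example.com": {"198.51.100.7"},
             "ceo@example.com": {"198.51.100.30"}}


def flag_suspicious_mfa_adds(events, known_ips, window=timedelta(minutes=10)):
    """Return MFA registrations made within `window` of a sign-in from an unfamiliar IP."""
    unfamiliar_signin = {}  # user -> (time, ip) of latest sign-in from a non-baseline IP
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ev["type"] == "sign_in" and ev["ip"] not in known_ips.get(user, set()):
            unfamiliar_signin[user] = (when, ev["ip"])
        elif ev["type"] == "mfa_method_added" and user in unfamiliar_signin:
            signin_time, signin_ip = unfamiliar_signin[user]
            if when - signin_time <= window:
                alerts.append({"user": user, "signin_ip": signin_ip, "method": ev["method"],
                               "seconds_after_signin": int((when - signin_time).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious_mfa_adds(EVENTS, KNOWN_IPS):
        print(alert)
```

With the default 10-minute window only the first user is flagged; the registration four hours after an unfamiliar sign-in is missed, which shows the trade-off in choosing the window.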


In Conclusion

This alarming campaign highlights the urgency for organizations to elevate their cybersecurity practices, combatting the ever-evolving tactics of malicious attackers like those behind the EvilProxy campaign.

RCS has been helping businesses stay protected and cyber-safe since 1999. If you need help with your business cyber security contact us at or visit
