A recent phishing campaign dubbed “EvilProxy” has come to light, with its sights set on the Microsoft 365 accounts of top-level executives within US-based organizations. This campaign takes advantage of open redirects on the job listings website Indeed.com.
The threat actor uses the EvilProxy phishing service to harvest session cookies during the operation; those cookies can later be replayed to bypass multi-factor authentication (MFA).
According to Menlo Security researchers, the campaign primarily targets key personnel in sectors such as electronics manufacturing, banking and finance, real estate, insurance, and property management.
Redirects are legitimate website mechanisms that automatically steer visitors to different internet destinations, often on third-party vendor websites. Vulnerabilities in website code, referred to as open redirects, can enable the creation of redirects to arbitrary locations. Malicious actors exploit these vulnerabilities to lead users towards phishing pages.
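The open-redirect weakness described above comes down to a redirect handler that trusts a user-supplied destination. The following is an added example written for this article, not code from Indeed.com or from the Menlo Security report: the vulnerable pattern next to a validator that only accepts same-site paths or an allowlisted host, with the edge cases that typically defeat naive checks (protocol-relative URLs, backslashes, userinfo tricks, `javascript:` schemes). The allowlisted host names are placeholders chosen for the example.

```python
from urllib.parse import urlparse

# Hosts this site is willing to send users to (placeholder allowlist for the example).
ALLOWED_HOSTS = {"www.example-jobs.test", "example-jobs.test"}


def vulnerable_redirect_target(requested: str) -> str:
    """The open-redirect anti-pattern: the query parameter becomes the Location header unchanged."""
    return requested


def is_safe_redirect(requested: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `requested` is a same-site absolute path or an http(s) URL to an allowlisted host."""
    if not requested:
        return False
    # Browsers treat backslashes as slashes and ignore leading/trailing whitespace; normalise
    # before parsing so "/\evil.test" or " //evil.test" cannot slip past the checks below.
    candidate = requested.strip().replace("\\", "/")
    parsed = urlparse(candidate)

    # Anything with a network location is an absolute or protocol-relative URL ("//evil.test").
    if parsed.netloc:
        if parsed.scheme not in ("http", "https", ""):
            return False
        # .hostname drops userinfo and port, so "https://allowed.test@evil.test" resolves to evil.test.
        host = (parsed.hostname or "").lower()
        return host in allowed_hosts

    # No netloc: reject any scheme ("javascript:alert(1)", "https:evil.test") and require a
    # single leading slash so only same-site absolute paths remain.
    if parsed.scheme:
        return False
    return candidate.startswith("/") and not candidate.startswith("//")


def safe_redirect_target(requested: str, fallback: str = "/") -> str:
    """Hardened handler: fall back to a fixed local path whenever the destination is not trusted."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    for url in ["/dashboard", "//evil.test/login", "https://www.example-jobs.test@evil.test/",
                "https://www.example-jobs.test.evil.test/", "javascript:alert(1)", "/\\evil.test"]:
        print(f"{url!r:50} -> {safe_redirect_target(url)}")
```

A practitioner checking a redirect endpoint would run each of the inputs in the `__main__` block against it; the vulnerable handler returns all of them unchanged, the hardened one returns the fallback for everything except the local path.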
Due to its origins from a trusted source, the link can sidestep email security measures or seamlessly integrate into search results without arousing suspicion.
In the campaign unearthed by Menlo Security, threat actors are capitalizing on an open redirect within Indeed.com, the U.S. job posting website.
Targets receive seemingly legitimate emails containing an Indeed.com link. Once clicked, the URL redirects the user to a phishing site that acts as a reverse proxy impersonating the Microsoft login page.
EvilProxy is a phishing service operating as a platform employing reverse proxies. Its primary role is to enable the exchange and transfer of user data between the target and the genuine web service. In this specific instance, we are referring to Microsoft.
When users sign in through this phishing server, which closely mimics the genuine login page, the threat actors capture the authentication cookies. Because the user has already completed the multi-factor authentication (MFA) steps during that login, the stolen cookies give the attackers full access to the victim's account.
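Because the MFA challenge is satisfied by the victim and the resulting cookie is then used from the attacker's infrastructure, the defender-side signal is a session that was authenticated from one source and is subsequently used from another without a fresh MFA event, often from an IP the user has never used. The following detection logic is an added example for this article, not a tool from Menlo Security or Microsoft; the sign-in records, their field names and the per-user IP baseline are constructed for the example, and a real deployment would read the identity provider's sign-in and activity logs instead.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in/activity records (not real telemetry). Field names are assumptions:
# ts = event time, session = identifier of the session cookie issued at login, mfa = whether this
# event included an MFA challenge. IPs are from documentation ranges.
SAMPLE_EVENTS = [
    # Normal: executive signs in with MFA from the office and keeps using the session from there.
    {"ts": "2023-10-03T08:00:00", "user": "cfo@corp.example", "session": "sess-a1", "ip": "198.51.100.10", "mfa": True},
    {"ts": "2023-10-03T08:12:00", "user": "cfo@corp.example", "session": "sess-a1", "ip": "198.51.100.10", "mfa": False},
    # Suspicious: MFA completed via an unfamiliar IP (the reverse proxy), then the same session
    # cookie used minutes later from a second, unrelated IP with no new MFA prompt.
    {"ts": "2023-10-03T09:30:00", "user": "cfo@corp.example", "session": "sess-b7", "ip": "203.0.113.50", "mfa": True},
    {"ts": "2023-10-03T09:41:00", "user": "cfo@corp.example", "session": "sess-b7", "ip": "192.0.2.200", "mfa": False},
    {"ts": "2023-10-03T09:45:00", "user": "cfo@corp.example", "session": "sess-b7", "ip": "192.0.2.200", "mfa": False},
]

# Per-user baseline of source IPs seen before the analysis window (constructed for the example).
KNOWN_IPS = {"cfo@corp.example": {"198.51.100.10"}}


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_suspicious_sessions(events, known_ips):
    """Return findings for (a) MFA logins from an IP the user has never used and
    (b) a session cookie used from a different source IP than the last MFA event, with
    no MFA challenge in between (the shape of an AitM cookie replay)."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)

    findings = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        first = evs[0]
        user = first["user"]
        if first["mfa"] and first["ip"] not in known_ips.get(user, set()):
            findings.append({"session": session_id, "user": user,
                             "reason": "mfa_login_from_unknown_ip", "ips": [first["ip"]]})

        current_ip, last_mfa = first["ip"], parse_ts(first["ts"])
        for ev in evs[1:]:
            t = parse_ts(ev["ts"])
            if ev["mfa"]:
                # A fresh challenge legitimately re-binds the session to a new source.
                current_ip, last_mfa = ev["ip"], t
                continue
            if ev["ip"] != current_ip:
                findings.append({"session": session_id, "user": user,
                                 "reason": "session_reused_from_new_ip",
                                 "ips": [current_ip, ev["ip"]],
                                 "minutes_since_mfa": int((t - last_mfa).total_seconds() // 60)})
                current_ip = ev["ip"]  # one alert per hop, not one per subsequent request
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sessions(SAMPLE_EVENTS, KNOWN_IPS):
        print(f)
```

On the constructed data the first session produces nothing and the second produces two findings: the MFA login from an IP outside the user's baseline, and the cookie reuse from a second IP eleven minutes later. Either finding alone is a reasonable trigger for revoking the session and forcing re-authentication; together they match the pattern the article describes.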
Menlo recovered several artifacts from the attack that tie it to EvilProxy, including:
- Hosting on an Nginx server.
- Identification of specific URI paths that were previously associated with the service.
- A requirement for proxy authentication.
- Detection of a 444 status code in the server response.
- Identification of IDS (Intrusion Detection System) signatures designed to recognize EvilProxy URI content.
- The use of the FingerprintJS library to capture browser fingerprints.
- Specific POST requests carrying victims' email data, encrypted and base64-encoded.
In August 2023, Proofpoint warned of another campaign using EvilProxy. In that operation, approximately 120,000 phishing emails were sent to numerous organizations with the primary aim of compromising their employees' Microsoft 365 accounts.