New account takeover campaign targets over 100 corporations’ top executives

The top-level executives at more than 100 global organizations have been shaken by cloud account takeover incidents.

Leveraging EvilProxy, a phishing tool built on a reverse proxy architecture, attackers bypassed multifactor authentication (MFA) defenses, reflecting the escalating arms race between attackers and organizations.

EvilProxy Unveiled:

EvilProxy exemplifies how threat actors are increasingly employing Adversary-in-the-Middle (AitM) phishing kits to steal credentials and session cookies in real time: the kit proxies the victim’s traffic to the legitimate login page, so the victim completes a genuine MFA prompt while the attacker captures the resulting session cookie.

Offered as a do-it-yourself MFA Phishing-as-a-Service (PhaaS), it gives subscribers pre-configured kits for various online services, making MFA phishing accessible to far less skilled attackers.

Proofpoint researchers have been monitoring an ongoing hybrid campaign using EvilProxy to target thousands of Microsoft 365 user accounts. 

The campaign sent approximately 120,000 phishing emails to hundreds of targeted organizations across the globe between March and June 2023.

In the first stage, attackers impersonated known trusted services, such as the business expense management system Concur, DocuSign, and Adobe.

Brand impersonation via spoofed email addresses carrying links to malicious Microsoft 365 phishing websites, scan blocking to thwart automated security scanners, and a multi-step infection chain routed through legitimate redirectors (such as youtube[.]com and bs.serving-sys[.]com) contributed to the attack’s success.
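The redirector chain described above can be inspected without ever fetching a link. The following script is an added example for this article, not code from Proofpoint or from the campaign itself; it unwraps redirect-style query parameters offline and flags a link whose final destination sits on a different domain than the one the recipient sees. The sample links are constructed: the youtube.com `redirect?q=` endpoint and the serving-sys `click?redir=` path are assumptions made for the example, and `login-m365.example` is a placeholder for a phishing host.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample links, as a mail filter might extract them from an inbound
# message. The youtube.com "redirect?q=" endpoint and the serving-sys "click?redir="
# path are assumptions for this example; the final host is a placeholder.
SAMPLE_LINKS = [
    "https://www.youtube.com/redirect?q=https%3A%2F%2Fbs.serving-sys.com%2Fclick"
    "%3Fredir%3Dhttps%253A%252F%252Flogin-m365.example%252Fauth",
    "https://docs.example-corp.com/q2-invoice.pdf",
]

_URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def _registrable(host):
    """Crude registrable-domain heuristic (last two labels); enough for the demo."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def unwrap_redirects(url, max_depth=5):
    """Follow redirect-style query parameters offline, without fetching anything.

    Returns the chain of URLs nested inside the link, outermost first. Each hop
    is found by looking for a query parameter whose (possibly double-encoded)
    value is itself an absolute http(s) URL.
    """
    chain = [url]
    current = url
    for _ in range(max_depth):
        nested = None
        for values in parse_qs(urlparse(current).query).values():
            for value in values:
                # parse_qs already decoded one layer; try one more for double encoding
                for candidate in (value, unquote(value)):
                    if _URL_RE.match(candidate):
                        nested = candidate
                        break
                if nested:
                    break
            if nested:
                break
        if nested is None:
            break
        chain.append(nested)
        current = nested
    return chain


def assess_link(url):
    """Flag a link whose redirect chain lands on a different registrable domain
    than the one the recipient sees in the message."""
    chain = unwrap_redirects(url)
    first = _registrable(urlparse(chain[0]).hostname or "")
    last = _registrable(urlparse(chain[-1]).hostname or "")
    return {
        "url": url,
        "chain": chain,
        "final_domain": last,
        "suspicious": len(chain) > 1 and first != last,
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = assess_link(link)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(verdict, "->", " => ".join(result["chain"]))
```

Because nothing is fetched, the check is safe to run inside a mail gateway on every inbound link; a production version would replace the two-label domain heuristic with a public-suffix list and would also consult a list of known open redirectors.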

Figure 7: An example of a phishing email sent to targeted users by the attackers, using brand impersonation (posing as “DocuSign”), as part of the widespread malicious campaign.

VIP Targeting and Account Compromise:

High-value targets, particularly C-level executives and VPs, were squarely in the crosshairs of this campaign. 

These titleholders are especially valued by threat actors due to their potential access to sensitive data and financial assets. 

The attackers gained access to compromised accounts within seconds, leveraging automation for swift execution.

Figure 8: The chart illustrates the roles that were compromised.

Once inside, attackers manipulated the victims’ multifactor authentication settings, cementing their foothold within the victim organization’s cloud environment.

Attackers used native Microsoft 365 applications to register their own MFA methods on the compromised accounts, ensuring prolonged access.

Figure 10: Attacker-controlled MFA method added post-compromise (Authenticator App with notification and code).

In this phase the attackers exploited their unauthorized access, with techniques ranging from lateral movement to financial fraud.

This evolving threat landscape underscores the need for heightened vigilance, even in the presence of MFA. 

EvilProxy’s surge signals a new era in reverse proxy threats, exposing gaps in defense strategies. 

Figure: EvilProxy attack chain phases.

Attackers’ pivot to advanced phishing kits necessitates a proactive approach in countering hybrid attacks. 

Even MFA is not a silver bullet against sophisticated threats and can be bypassed by various forms of combined email-to-cloud attacks.

Organizations must prioritize email, cloud, and web security while fostering user awareness to thwart these relentless threats.


Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.