EvilProxy Attacking Microsoft 365 Accounts by Abusing Open Redirection in Indeed.com

A recent phishing campaign, identified by Menlo Labs, has been actively targeting executives in senior roles across multiple industries, with a primary focus on Banking and Financial Services, Insurance providers, Property Management and Real Estate, and Manufacturing sectors. 

This campaign, which started in July and continued into August, employed a sophisticated phishing kit known as ‘EvilProxy.’ 

The attackers used EvilProxy to intercept requests between victims and legitimate websites, particularly targeting U.S.-based organizations. 

The primary method of attack involved exploiting an open redirection vulnerability on the popular job search platform “indeed.com,” redirecting victims to malicious phishing pages impersonating Microsoft.

Threat Intelligence

In July 2023, Menlo Security HEAT Shield detected and blocked a novel phishing attack involving an open redirection on the ‘indeed.com’ website. 

Sample of the phishing mail

This technique deceives victims by making them believe the redirection is from a trusted source. The attackers utilized the phishing-as-a-service platform ‘EvilProxy,’ which is available on the dark web as a subscription-based service.

The campaign’s primary targets were C-suite employees and key executives in U.S.-based organizations across various sectors.

Infection Vector

The attack began with phishing emails containing deceptive links, seemingly from ‘indeed.com.’ When victims clicked these links, they were redirected to a fake Microsoft Online login page.

Distribution of the verticals targeted

Attack Kill Chain

  1. The victim receives a phishing email with an ‘indeed.com’ link.
  2. The victim clicks the link, leading to a fake Microsoft login page.
  3. EvilProxy phishing framework is used to fetch content dynamically from the legitimate site.
  4. The phishing site acts as a reverse proxy, intercepting requests and responses.
  5. The attacker steals session cookies.
  6. Stolen cookies are used to log in to the legitimate Microsoft Online site, bypassing non-phishing-resistant MFA.

EvilProxy Attacking Microsoft 365 Users

The attack exploited an open redirection vulnerability, where an application redirects to an untrusted external domain. In this case, the victim clicked a URL that appeared to be ‘indeed.com’ but was redirected to a phishing page.

The attackers used the EvilProxy phishing kit, acting as a reverse proxy, to steal user session cookies, allowing them to bypass MFA.

The phishing redirection chain consisted of the phishing link, redirector URL, and phishing page.
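The two checks below are an added example, not code from the article, from Menlo Labs or from Indeed.com. They show the defender's side of the redirect chain described above: a triage function that scans a link's query parameters for a destination on an untrusted host (the pattern of a phishing link that rides an open redirector), and a server-side validator of the kind that closes an open redirect by only honouring relative paths or an explicit host allowlist. The host names, parameter names and sample links are constructed placeholders, not the campaign's real URLs.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample links of the kind pulled out of a suspicious email.
# Domains and parameter names are placeholders, not the real campaign's.
SAMPLE_LINKS = [
    "https://www.example-jobsite.test/rc/clk?jk=12345",
    "https://www.example-jobsite.test/rc/clk?url=https://login.attacker-controlled.test/common/oauth2",
    "https://www.example-jobsite.test/redir?to=//evil.test/signin",
    "https://www.example-jobsite.test/redir?next=/account/settings",
]


def _url_host(value):
    """Return the lower-cased host if value is an absolute (http/https) or
    protocol-relative ("//host/...") URL, otherwise None."""
    value = unquote(value).strip()          # also unwraps double-encoded values
    if value.startswith("//"):
        value = "https:" + value            # browsers treat //host as protocol-relative
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None


def _host_trusted(host, trusted):
    return any(host == t or host.endswith("." + t) for t in trusted)


def external_redirect_targets(link, trusted_hosts):
    """Triage check: list (parameter, host) pairs whose value would send the
    browser to a host outside trusted_hosts (plus the link's own host).
    An empty list means no external redirect parameter was found."""
    parts = urlsplit(link)
    link_host = (parts.hostname or "").lower()
    trusted = {h.lower() for h in trusted_hosts} | {link_host}
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for v in values:
            host = _url_host(v)
            if host and not _host_trusted(host, trusted):
                findings.append((name, host))
    return findings


def scan_links(links, trusted_hosts):
    """Return only the links that carry an external redirect, with findings."""
    report = []
    for link in links:
        findings = external_redirect_targets(link, trusted_hosts)
        if findings:
            report.append((link, findings))
    return report


def safe_redirect_target(requested, allowed_hosts, fallback="/"):
    """Server-side fix for an open redirect: follow only same-origin relative
    paths or absolute URLs whose host is on an explicit allowlist; anything
    else (external host, //host, /\\host, javascript:, ...) goes to fallback."""
    requested = unquote(requested).strip()
    if requested.startswith("/") and not requested.startswith(("//", "/\\")):
        return requested                    # same-origin relative path
    host = _url_host(requested)
    if host and host in {h.lower() for h in allowed_hosts}:
        return requested
    return fallback


if __name__ == "__main__":
    for link, findings in scan_links(SAMPLE_LINKS, ["example-jobsite.test"]):
        print("external redirect:", link, findings)
    print(safe_redirect_target("//evil.test/signin", ["www.example-jobsite.test"]))
```

The triage function is deliberately conservative about what it calls a redirect (absolute or protocol-relative URLs only), so a relative `next=/account/settings` is not flagged, while the server-side validator refuses `//host` and `/\host` forms because browsers resolve both as a different origin.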

Screenshot of the phishing page

The phishing pages impersonated Microsoft Online login pages and were hosted on Nginx servers capable of acting as reverse proxies.

Artifacts observed that can be attributed to EvilProxy usage include domain hosting on Nginx servers, specific URI paths, and the use of Microsoft’s Ajax CDN.

Menlo Protection

Menlo Labs has informed Indeed.com about the open redirection vulnerability and its active exploitation.

Menlo Security successfully detected and prevented this phishing attack using HEAT Shield, cutting off the attack vector and providing Zero Hour Phishing Detection alerts to SOC analysts.

This phishing campaign used the ‘EvilProxy’ kit to exploit an open redirection vulnerability in ‘indeed.com,’ impersonating Microsoft to harvest credentials. 

There is a high likelihood of increased usage of ‘EvilProxy’ due to its simplicity and the ability to bypass MFA.

Recommendations

  1. Educate users through awareness sessions and training.
  2. Implement phishing-resistant MFA, such as FIDO-based authentication.
  3. Verify target URLs instead of assuming their safety.
  4. Use session isolation solutions like HEAT Shield for real-time protection against zero-hour phishing attacks.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.