A recent phishing campaign, identified by Menlo Labs, has been actively targeting executives in senior roles across multiple industries, with a primary focus on Banking and Financial Services, Insurance providers, Property Management and Real Estate, and Manufacturing sectors.
This campaign, which started in July and continued into August, employed a sophisticated phishing kit known as ‘EvilProxy.’
The attackers used EvilProxy to intercept requests between victims and legitimate websites, particularly targeting U.S.-based organizations.
The primary method of attack involved exploiting an open redirection vulnerability on the popular job search platform “indeed.com,” redirecting victims to malicious phishing pages impersonating Microsoft.
In July 2023, Menlo Security HEAT Shield detected and blocked a novel phishing attack involving an open redirection on the ‘indeed.com’ website.
This technique deceives victims by making them believe the redirection is from a trusted source. The attackers utilized the phishing-as-a-service platform ‘EvilProxy,’ which is available on the dark web as a subscription-based service.
The campaign’s primary targets were C-suite employees and key executives in U.S.-based organizations across various sectors.
The attack began with phishing emails containing deceptive links, seemingly from ‘indeed.com.’ When victims clicked these links, they were redirected to a fake Microsoft Online login page.
The attack exploited an open redirection vulnerability: a flaw where an application takes a user-supplied URL and redirects the browser to it without checking that the destination is trusted, so it can send users to an arbitrary external domain. In this case, the victim clicked a URL that appeared to be ‘indeed.com’ but was redirected to a phishing page.
The attackers used the EvilProxy phishing kit, acting as a reverse proxy between the victim and the real login page, to capture the victim’s authenticated session cookies, which allowed them to bypass MFA.
The phishing redirection chain consisted of the phishing link, redirector URL, and phishing page.
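The two defensive checks that follow from the chain above are (1) on the server side, only honouring redirect targets that stay on an allowed host, and (2) on the mail-gateway side, flagging links whose trusted-looking host carries a redirect parameter pointing somewhere else. The following Python is an added example written for this article, not code from Menlo Labs, Indeed or the EvilProxy kit; the allowlist, the redirect parameter names, the `/redirect` path and the sample links are all constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Hosts the application may redirect to (constructed allowlist; indeed.com is
# the platform named in the article, any other entries would be site-specific).
ALLOWED_REDIRECT_HOSTS = {"indeed.com", "www.indeed.com"}

# Query parameter names commonly used to carry a redirect target (assumption).
REDIRECT_PARAM_NAMES = {"url", "redirect", "redirect_url", "next", "return", "returnurl", "dest"}


def safe_redirect_target(raw_target: str, default: str = "/") -> str:
    """Server-side mitigation: return raw_target only if it stays on an allowed host.

    Same-origin relative paths are accepted; absolute URLs must use http(s)
    and resolve to a host in ALLOWED_REDIRECT_HOSTS. Protocol-relative
    targets ('//evil.example'), non-http schemes ('javascript:') and
    userinfo tricks ('https://trusted@evil.example') all fall back to `default`.
    """
    if not raw_target:
        return default
    # '//host' and '/\host' are treated as absolute by browsers and would leave the origin.
    if raw_target.startswith("//") or raw_target.startswith("/\\"):
        return default
    parsed = urlparse(raw_target)
    if parsed.scheme == "" and parsed.netloc == "":
        # A relative path such as '/jobs?q=analyst' stays on this origin.
        return raw_target if raw_target.startswith("/") else default
    if parsed.scheme not in ("http", "https"):
        return default
    # .hostname strips any 'user:pass@' prefix and port, and lowercases.
    host = parsed.hostname or ""
    return raw_target if host in ALLOWED_REDIRECT_HOSTS else default


def classify_link(url: str) -> dict:
    """Detection helper: report whether a link on an allowed host carries a
    redirect parameter whose decoded value points to a host outside the allowlist.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    # parse_qs percent-decodes values, so an encoded 'https%3A%2F%2F...' target is recovered.
    params = parse_qs(parsed.query, keep_blank_values=True)
    redirect_to = None
    for name, values in params.items():
        if name.lower() not in REDIRECT_PARAM_NAMES:
            continue
        for value in values:
            target_host = urlparse(value).hostname or ""
            if target_host and target_host not in ALLOWED_REDIRECT_HOSTS:
                redirect_to = target_host
    suspicious = host in ALLOWED_REDIRECT_HOSTS and redirect_to is not None
    return {"host": host, "redirect_to": redirect_to, "suspicious": suspicious}


def scan_links(links):
    """Return the classification of every link that looks like a trusted-host open redirect."""
    results = [classify_link(u) for u in links]
    return [r for r in results if r["suspicious"]]


# Constructed sample links, as a mail gateway might extract them from a message body.
SAMPLE_LINKS = [
    "https://www.indeed.com/jobs?q=analyst",
    "https://www.indeed.com/redirect?url=https%3A%2F%2Fwww.indeed.com%2Fjobs",
    "https://www.indeed.com/redirect?url=https%3A%2F%2Flogin-portal.example%2Fcommon%2Foauth2",
]

if __name__ == "__main__":
    for finding in scan_links(SAMPLE_LINKS):
        print(f"trusted host {finding['host']} redirects off-site to {finding['redirect_to']}")
```

Only the third sample link is reported: its host is on the allowlist, but the decoded `url` parameter resolves to a different host, which is exactly the shape of the chain described above. The server-side function is the fix for the underlying flaw; the link classifier is the compensating control while that fix is pending.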
The phishing pages impersonated Microsoft Online login pages and were hosted on Nginx servers capable of acting as reverse proxies.
Artifacts observed that can be attributed to EvilProxy usage include domain hosting on Nginx servers, specific URI paths, and the use of Microsoft’s Ajax CDN.
Menlo Labs has informed Indeed.com about the open redirection vulnerability and its active exploitation.
Menlo Security successfully detected and prevented this phishing attack using HEAT Shield, cutting off the attack vector and providing Zero Hour Phishing Detection alerts to SOC analysts.
This phishing campaign used the ‘EvilProxy’ kit to exploit an open redirection vulnerability in ‘indeed.com,’ impersonating Microsoft to harvest credentials.
There is a high likelihood of increased usage of ‘EvilProxy’ due to its simplicity and the ability to bypass MFA.