Microsoft Office Users Targeted by Large-Scale Phishing Campaign Leveraging EvilProxy
A sophisticated and large-scale phishing campaign utilizing the EvilProxy phishing-as-a-service (PhaaS) infrastructure has been targeting Microsoft 365 users for the past six months, leading to numerous successful account takeovers. The campaign, which impacted over 100 organizations globally, predominantly focused on senior executives, with threat actors sending more than 120,000 phishing emails between March and June 2023.
The phishing campaign employed a multi-step infection chain, utilizing phishing emails with malicious URLs posing as legitimate platforms such as Adobe Sign, Concur, and DocuSign. To evade detection, the campaign included embedded malicious links that redirected Microsoft 365 users through legitimate websites like youtube.com and bs.serving-sys.com. The attackers also employed tactics like malicious cookies and 404 redirects to scatter traffic.
Furthermore, the attackers integrated EvilProxy, a PhaaS platform built on a reverse-proxy architecture, into the final stage of the attack. The proxy sat between the victim and the genuine Microsoft 365 login page, relaying the victim's credentials and MFA response to the real service while capturing them, and harvesting the resulting session cookies. Because the proxy completed a genuine authentication on the victim's behalf, the attackers ended up holding a valid session and could act as the legitimate user.
Adversary-in-the-Middle Attacks and Targeting Senior Executives
The campaign's sophistication was evident in its use of Adversary-in-the-Middle (AitM) phishing kits, which bypass MFA even on accounts where it is enabled. The attackers used uploaded PHP scripts to encode users' email addresses and the legitimate websites' addresses so that automated scanning tools would not recognize them.
Interestingly, the phishing campaign mainly targeted senior business executives, including C-level officers. Of the compromised Microsoft 365 users, 39% were C-level executives, with 17% being chief financial officers and 9% presidents and CEOs. This strategic focus on executives indicates the attackers' intent to gain access to sensitive assets and information.
Mitigation and Recommendations
Cybersecurity experts have raised concerns about the campaign's audacity and scale, emphasizing the evolving sophistication of cyberattacks. Despite the use of MFA, the attackers managed to breach organizations and compromise accounts. To counter such threats, experts recommend the following measures:
- Cloud Security Solutions: Implement robust cloud security solutions to detect and prevent phishing attacks.
- BEC Prevention Solutions: Deploy Business Email Compromise prevention solutions to safeguard against phishing and email-based attacks.
- Security Awareness Training: Conduct regular security awareness training for employees to enhance their ability to recognize and respond to phishing attempts.
- FIDO-based Physical Security Keys: Implement FIDO-based physical security keys to enhance authentication security.
- Isolating Potentially Malicious Sessions: Isolate potentially malicious sessions from email-bound links to prevent further compromise.
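The FIDO recommendation works because a WebAuthn assertion carries the origin the browser was actually on, and the relying party rejects anything not bound to its own origin and RP ID; an assertion relayed through a reverse proxy on another hostname therefore fails. The check below is an added illustration, not code from the article or from Microsoft; the RP ID, origin and sample assertion data are constructed for the example.

```python
import base64
import hashlib
import json

# Constructed relying-party settings (assumed for this example).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_assertion(client_data_b64: str, authenticator_data: bytes,
                    expected_challenge: bytes) -> tuple[bool, str]:
    """Origin, challenge and rpIdHash checks a relying party performs on a
    WebAuthn assertion before it even verifies the signature. A reverse proxy
    on a different hostname cannot produce clientDataJSON with the real origin,
    because the browser fills that field in from the page it is on."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    origin = client_data.get("origin")
    if origin != EXPECTED_ORIGIN:
        return False, f"origin {origin!r} is not {EXPECTED_ORIGIN!r}"
    # First 32 bytes of authenticatorData are SHA-256 of the RP ID.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    return True, "assertion bound to the genuine relying party"


def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed clientDataJSON, shaped as a browser emits it for an assertion."""
    data = {"type": "webauthn.get", "challenge": b64url_encode(challenge),
            "origin": origin}
    return b64url_encode(json.dumps(data).encode())
```

In practice the browser refuses to produce the assertion at all when the RP ID is not a registrable suffix of the page's origin, so the server-side check is the second of two layers that defeat this class of proxy.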
As cybercriminals continue to find new ways to exploit vulnerabilities, organizations need to stay vigilant and proactive in their approach to data and IT security. The phishing campaign highlights the need for constant adaptation and the importance of layered security measures to protect sensitive data and user credentials.