Increasingly sophisticated phishing-as-a-service (PhaaS) toolkits, particularly one known as EvilProxy, are being employed by threat actors to execute account takeover attacks targeting senior executives within major corporations. This trend underscores a growing vulnerability among high-ranking officials in the corporate landscape, particularly as the proliferation of remote work and digital transactions escalates.

According to insights from cybersecurity firm Proofpoint, a sustained hybrid campaign utilizing EvilProxy has recently targeted thousands of Microsoft 365 user accounts. Between March and June 2023, approximately 120,000 phishing emails were dispatched globally, impacting hundreds of organizations. Alarmingly, nearly 39% of the compromised accounts belonged to C-level executives: 9% were CEOs and 17% were CFOs, indicative of an intentional focus on high-value targets. Personnel with access to sensitive financial resources also drew particular attention, even where additional security measures such as multi-factor authentication (MFA) were in place.

The rise in these attacks tracks the widespread adoption of MFA across enterprises, which has compelled attackers to adapt their methods. By incorporating adversary-in-the-middle (AitM) phishing techniques, these actors capture not only user credentials but also one-time passwords and the authenticated session cookies issued after MFA succeeds, so that MFA alone no longer stops the login.

Proofpoint’s security experts highlighted that attackers leverage advanced automation tools to promptly identify high-profile victims in real-time, allowing them to swiftly gain access while disregarding less lucrative targets. This underscores a crucial shift in the threat landscape; even sophisticated organizational defenses, including MFA, do not provide a foolproof barrier against these new methodologies.

Initially noted by Resecurity in September 2022, EvilProxy has been observed compromising user accounts across multiple platforms, including Apple iCloud, Facebook, and Google, among others. Sold on a subscription basis for approximately $400 a month, rising to about $600 for certain account types such as Google, these services significantly lower the barrier to entry for cybercriminals and make large-scale phishing campaigns feasible.

The modus operandi of these recent attacks typically involves phishing emails disguised as reputable services such as Adobe and DocuSign. These emails entice victims into clicking malicious links that lead to a series of deceptive redirects culminating in a counterfeit Microsoft 365 login page. That page is a reverse proxy: it relays the victim's input to the genuine sign-in service while recording the credentials and the resulting session cookie in transit.

Notably, these attacks exhibit a curious anomaly: they consistently bypass user traffic originating from Turkish IP addresses, directing it instead to legitimate sites. This selective filtering suggests that the operations may be managed by threat actors located within Turkey, raising critical questions about geolocation tactics employed by cybercriminals.

Once an account takeover is successful, attackers often proceed to establish a persistent foothold in the victim's cloud environment. This includes registering their own MFA methods, such as an authenticator app, so that access continues and can be used for lateral movement and the potential spread of malware. The compromised access is subsequently monetized through various schemes, including financial fraud or the sale of stolen credentials to other attackers.
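The two stages described above, a session cookie captured through the proxy and then replayed from elsewhere, followed by the registration of an attacker-controlled MFA method, each leave a trace in identity-provider logs. The following is an added detection example, not code from the article, from Proofpoint, or from Microsoft: it runs over a small constructed event stream with its own field names (not the Entra ID sign-in or audit schema), with placeholder ASNs and RFC 5737 documentation addresses, and flags (1) any session identifier seen from more than one network and (2) an MFA registration that follows a sign-in from a network the user has never used before. The per-user set of known ASNs is an assumed baseline that a real deployment would build from historical sign-ins.

```python
"""Flag AitM session-cookie replay and follow-on MFA persistence.

All events, users, ASNs and IPs below are constructed for the example;
the event fields are not a real identity provider's log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str      # "signin" (interactive or token refresh) or "mfa_registered"
    session: str   # session/cookie identifier for sign-ins, "" for audit events
    asn: str       # autonomous system the request arrived from
    ip: str


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Assumed baseline: networks each user normally signs in from (corporate egress).
KNOWN_ASNS = {"alice@example.com": {"AS64496"}}

# Constructed timeline for one victim plus an unrelated user.
EVENTS = [
    # ordinary sign-in from the corporate network
    Event(T("2023-05-02T08:55:00"), "alice@example.com", "signin", "sess-A1", "AS64496", "198.51.100.7"),
    # victim enters credentials and OTP through the proxy; the IdP sees the proxy host's ASN
    Event(T("2023-05-02T09:12:00"), "alice@example.com", "signin", "sess-B7", "AS64500", "203.0.113.45"),
    # the captured cookie is reused from a second network
    Event(T("2023-05-02T09:40:00"), "alice@example.com", "signin", "sess-B7", "AS64501", "192.0.2.200"),
    # an authenticator app is registered from that same network shortly afterwards
    Event(T("2023-05-02T09:52:00"), "alice@example.com", "mfa_registered", "", "AS64501", "192.0.2.200"),
    # unrelated user, normal activity
    Event(T("2023-05-02T10:00:00"), "bob@example.com", "signin", "sess-C2", "AS64496", "198.51.100.8"),
]


def sessions_seen_from_multiple_asns(events):
    """Return {(user, session): {asn, ...}} for sessions used from more than one ASN.

    A single session cookie appearing from several networks is the classic
    signature of a stolen cookie being replayed after an AitM capture.
    """
    seen = {}
    for e in events:
        if e.kind == "signin":
            seen.setdefault((e.user, e.session), set()).add(e.asn)
    return {key: asns for key, asns in seen.items() if len(asns) > 1}


def mfa_registered_after_unfamiliar_signin(events, known_asns, window=timedelta(hours=2)):
    """Return (user, session, asn, registration_time) for each MFA registration
    that follows, within `window`, a sign-in from an ASN outside the user's baseline.

    Registering a new MFA method right after an unfamiliar sign-in is how a
    hijacked session is turned into durable access.
    """
    signins = sorted((e for e in events if e.kind == "signin"), key=lambda e: e.ts)
    alerts = []
    for reg in (e for e in events if e.kind == "mfa_registered"):
        for s in signins:
            unfamiliar = s.asn not in known_asns.get(s.user, set())
            if s.user == reg.user and unfamiliar and timedelta(0) <= reg.ts - s.ts <= window:
                alerts.append((reg.user, s.session, s.asn, reg.ts))
                break  # one alert per registration is enough for triage
    return alerts


if __name__ == "__main__":
    for (user, session), asns in sessions_seen_from_multiple_asns(EVENTS).items():
        print(f"session replay: {user} session {session} seen from {sorted(asns)}")
    for user, session, asn, when in mfa_registered_after_unfamiliar_signin(EVENTS, KNOWN_ASNS):
        print(f"persistence: {user} registered MFA at {when} after sign-in from {asn} ({session})")
```

Either indicator on its own produces false positives (VPN hops, a genuine device enrolment), so the useful triage signal is the pair: a session observed from more than one ASN and a security-info registration in the same short window. The second check also depends on the quality of the baseline; with the two attacker networks added to the known set it fires on nothing.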

The emergence of reverse proxy threats, particularly those utilizing EvilProxy, signifies a substantial advancement over previously less sophisticated phishing toolkits. Even as businesses reinforce their cyber defenses, the potential for exploitation remains high. While the primary point of entry may be email-based, the ultimate objective of these attacks is centered on breaching valuable cloud user accounts and assets.

This alarming landscape is further compounded by another ongoing phishing initiative linked to Russian origins. This campaign, active since May 2022, utilizes fake links disseminated through WhatsApp messages to extract credit card and banking information from unsuspecting users. Operating over 800 scam domains and impersonating more than 340 companies across 48 languages, these actors demonstrate a high level of sophistication in producing convincing websites that exploit users' trust.

The proliferation of such advanced cyber threats necessitates a proactive and informed approach to cybersecurity. Moreover, the recent observation of social engineering attacks targeting marketing professionals on platforms like LinkedIn reveals the evolving strategies employed by threat actors, underscoring the need for heightened awareness and systematic defenses against diverse modalities of attack.
