Fraud Management & Cybercrime , Social Engineering
Attackers Use EvilProxy to Target C-Suite Executives
Phishing Kit Primarily Used in Attacks Against Employees of Fortune 500 Companies

Threat actors are taking control of cloud-based Microsoft 365 accounts of C-suite executives using a multifactor authentication phishing tool.
A campaign using adversary-in-the-middle kit EvilProxy shot 120,000 fraudulent emails to hundreds of companies, collectively representing 1.5 million employees, between March and June.
Researchers from Proofpoint said the phishing emails mimic well-known and trusted services such as DocuSign and Adobe.
EvilProxy facilitates the theft of MFA-protected credentials by sending users to attacker-controlled websites that act as an intermediary between the victim and a legitimate logon page. Hackers redirect the traffic through multiple sites before it arrives at the proxy site in a bid to escape detection. Among the domains it uses to redirect traffic is bs.serving-sys.com, "a domain known for redirecting users to a range of undesired webpages," the researchers said. Hackers also use the YouTube domain.
Researchers observed attackers using automation to identify in real time whether a phished user is a high-level profile, likely a C-level executive or a vice president, and to obtain access to the account. Proofpoint reported a doubling in the number of cases in which unauthorized individuals gained control of executives' cloud-based accounts, potentially leading to further unauthorized access, data breaches and other security incidents.
"Once inside, malicious actors can hide undetected in an organization’s environment, waging sophisticated attacks at will," the researchers said. On multiple occasions, hackers added their own MFA method to a compromised Microsoft 365 account in order to establish persistence.
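A defender-side check for the persistence step described above, where attackers register their own MFA method on a compromised account. The following Python is an added example, not code from the article, Proofpoint or Resecurity: it correlates constructed Microsoft Entra ID directory-audit records ("User registered security info") with preceding successful sign-ins from IP addresses outside an assumed per-user baseline. The record shapes follow the Microsoft Graph sign-in and audit log field names, but every value, the `KNOWN_IPS` baseline, the six-hour window and the function names are assumptions made for this illustration.

```python
"""Flag MFA-method registrations that closely follow a sign-in from an IP
address not previously associated with the user.

Added example (not code from the article, Proofpoint or Resecurity). Record
shapes follow the Microsoft Graph sign-in and directory-audit log schemas
(userPrincipalName, ipAddress, createdDateTime, status.errorCode;
activityDisplayName, activityDateTime, targetResources), but every value
below is constructed for this example.
"""
from datetime import datetime, timedelta, timezone

# Constructed sign-in records (a successful sign-in has status.errorCode == 0).
SIGN_INS = [
    {"userPrincipalName": "cfo@example.com", "ipAddress": "203.0.113.45",
     "createdDateTime": "2023-06-14T09:12:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "cfo@example.com", "ipAddress": "203.0.113.99",
     "createdDateTime": "2023-06-11T08:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.10",
     "createdDateTime": "2023-06-14T10:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.7",
     "createdDateTime": "2023-06-14T11:00:00Z", "status": {"errorCode": 50126}},
]

# Constructed directory-audit records.
AUDIT_EVENTS = [
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2023-06-14T09:40:00Z",
     "targetResources": [{"userPrincipalName": "cfo@example.com"}]},
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2023-06-14T10:05:00Z",
     "targetResources": [{"userPrincipalName": "alice@example.com"}]},
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2023-06-14T11:10:00Z",
     "targetResources": [{"userPrincipalName": "bob@example.com"}]},
    {"activityDisplayName": "Update user",
     "activityDateTime": "2023-06-14T09:41:00Z",
     "targetResources": [{"userPrincipalName": "cfo@example.com"}]},
]

# Assumed baseline of IPs each user normally signs in from (e.g. corporate egress).
KNOWN_IPS = {
    "cfo@example.com": {"198.51.100.10"},
    "alice@example.com": {"198.51.100.10"},
    "bob@example.com": {"198.51.100.10"},
}

# Audit activity names that indicate a new authentication method was added.
MFA_REGISTRATION_ACTIVITIES = {
    "User registered security info",
    "User registered all required security info",
}


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the records into aware UTC datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_suspicious_mfa_registrations(sign_ins, audit_events, known_ips,
                                      window=timedelta(hours=6)):
    """Return one alert per MFA registration preceded, within `window`, by a
    successful sign-in for the same user from an IP outside their baseline."""
    alerts = []
    for event in audit_events:
        if event["activityDisplayName"] not in MFA_REGISTRATION_ACTIVITIES:
            continue
        event_time = parse_ts(event["activityDateTime"])
        for target in event["targetResources"]:
            upn = target.get("userPrincipalName")
            if not upn:
                continue
            baseline = known_ips.get(upn, set())
            unknown_recent = [
                s for s in sign_ins
                if s["userPrincipalName"] == upn
                and s["status"]["errorCode"] == 0          # only successful sign-ins
                and s["ipAddress"] not in baseline         # from an unfamiliar IP
                and timedelta(0) <= event_time - parse_ts(s["createdDateTime"]) <= window
            ]
            if unknown_recent:
                alerts.append({
                    "user": upn,
                    "registered_at": event["activityDateTime"],
                    "preceding_sign_in_ips": sorted(s["ipAddress"] for s in unknown_recent),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mfa_registrations(SIGN_INS, AUDIT_EVENTS, KNOWN_IPS):
        print(alert)
```

On the constructed data only the CFO's registration is flagged: Alice registered from a baseline IP, and Bob's preceding sign-in failed. In practice the records would come from the Graph API or a SIEM export, the baseline would be derived from sign-in history, and a hit would be reviewed alongside other signals (device, location, token reuse) rather than acted on alone.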
EvilProxy appeared in early May and has been used in attacks "against multiple employees from Fortune 500 companies," Gene Yoo, CEO of Resecurity, a Los Angeles-based security consultancy, told ISMG in 2022.
"Amongst the hundreds of compromised users, approximately 39% were C-level executives of which 17% were chief financial officers, and 9% were presidents and CEOs. Attackers have also shown interest in lower-level management, focusing their efforts on personnel with access to financial assets or sensitive information," the researchers said.