
Indeed.com Open Redirect Flaw Exploited by Phishers to Attack US Executives


Written by: Shipra Sanganeria, Cybersecurity & Tech Writer

A recent phishing campaign targeting the Microsoft 365 accounts of senior executives in the US was seen exploiting an open redirect vulnerability on the popular job site Indeed.com to make its lure links look legitimate.

Discovered by researchers at Menlo Security, the campaign, which started in July 2023, used the EvilProxy phishing framework. EvilProxy is a reverse-proxy phishing-as-a-service platform that lets phishers harvest authenticated session cookies and thereby bypass multi-factor authentication (MFA) methods that are not phishing-resistant.

According to the report, the campaign was directed at C-suite and other high-ranking executives in banking and financial services, insurance, property management and real estate, electronic components, and other manufacturing industries in the US.

The targeted victims were first sent a phishing email containing a link that pointed to indeed.com and therefore looked legitimate. Because of the open redirect, clicking it bounced the victim to a fake Microsoft login page hosted on the EvilProxy phishing-as-a-service platform.
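The lure works because a trusted domain forwards the browser to whatever URL a query parameter names. The following Python is an added example, not code from Menlo Security, Indeed or the article: it shows the detection side (flagging an email link whose trusted-looking host carries an off-site redirect target, including URL-encoded, double-encoded and protocol-relative forms) beside the server-side fix (a redirect helper that only forwards to an allow-listed host, with a deliberately naive prefix check alongside it for contrast). The host jobs.example, the parameter names and the sample URLs are constructed for illustration; the article does not name Indeed's actual redirect endpoint or parameter.

```python
"""Open-redirect lure detection and a hardened redirect helper.

Added example, not Menlo Security's, Indeed's or the article's code.
``jobs.example`` and the parameter names are assumptions; the real
Indeed endpoint and parameter are not given in the article.
"""
from urllib.parse import parse_qsl, unquote, urlparse

TRUSTED_HOST = "jobs.example"  # stand-in for the trusted site hosting the open redirect


def _same_site(hostname, trusted=TRUSTED_HOST):
    """True for the trusted host itself or any of its subdomains."""
    if not hostname:
        return False
    hostname = hostname.lower().rstrip(".")
    return hostname == trusted or hostname.endswith("." + trusted)


def _absolute_url_host(value):
    """Hostname if a browser would treat ``value`` as an absolute http(s) URL, else None.
    Backslashes are normalised to slashes because browsers accept "https:\\\\host"."""
    value = value.strip().replace("\\", "/")
    if value.startswith("//"):  # protocol-relative: inherits the scheme, changes the host
        return urlparse("https:" + value).hostname
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https"):
        return None
    if parsed.hostname:
        return parsed.hostname
    # "https:evil.example": scheme without "//"; browsers still read a host from it
    return parsed.path.lstrip("/").split("/")[0].split("?")[0] or None


def external_hosts_in_params(url, trusted=TRUSTED_HOST):
    """Hostnames of off-site absolute URLs found in the query or fragment of ``url``."""
    parsed = urlparse(url)
    found = []
    for part in (parsed.query, parsed.fragment):
        for _key, value in parse_qsl(part, keep_blank_values=True):
            # parse_qsl decodes once; check a second decoding too, double encoding is common
            for candidate in (value, unquote(value)):
                host = _absolute_url_host(candidate)
                if host and not _same_site(host, trusted) and host not in found:
                    found.append(host)
    return found


def is_suspicious_redirect_link(url, trusted=TRUSTED_HOST):
    """The lure pattern: a link a reader trusts by its domain that forwards off-site."""
    return _same_site(urlparse(url).hostname, trusted) and bool(
        external_hosts_in_params(url, trusted)
    )


def naive_redirect_target(target, default="/"):
    """Deliberately weak server-side check, shown for contrast: a prefix test.
    'https://jobs.example.attacker.example/' passes it."""
    return target if target.startswith("https://" + TRUSTED_HOST) else default


def safe_redirect_target(target, allowed_hosts=(TRUSTED_HOST,), default="/"):
    """Hardened helper: return ``target`` only if it stays on an allowed host.
    Rejects backslash, CRLF, protocol-relative, userinfo and scheme-without-host
    tricks that fool prefix checks; unknown targets fall back to ``default``."""
    if not target or "\\" in target or "\r" in target or "\n" in target:
        return default
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        # Relative path: exactly one leading slash ("//host" is protocol-relative)
        return target if target.startswith("/") and not target.startswith("//") else default
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return default
    if parsed.username or parsed.password:  # "https://jobs.example@attacker.example/"
        return default
    if parsed.hostname.lower() in {h.lower() for h in allowed_hosts}:
        return target
    return default


if __name__ == "__main__":
    # Constructed lure link: trusted host, off-site target hidden in a parameter
    lure = "https://jobs.example/rc/clk?jk=abc123&redirect=https://login.attacker.example/owa/"
    print(is_suspicious_redirect_link(lure), external_hosts_in_params(lure))
    for t in ("/account", "https://jobs.example.attacker.example/", "//attacker.example/"):
        print(repr(t), "naive:", naive_redirect_target(t), "safe:", safe_redirect_target(t))
```

The detector looks only at where an off-site absolute URL is carried, not at the parameter name, since open-redirect parameters are named inconsistently across sites. The hardened helper deliberately refuses anything it does not positively recognise rather than trying to enumerate bypasses; allow-listing the destination host is the fix, and an encoded-URL denylist is not.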

That page acts as a reverse proxy: it sits between the victim and the real Microsoft login service, relaying the victim's requests and Microsoft's responses while fetching the page content dynamically from the legitimate site, so the victim sees a genuine-looking login flow. Once the victim authenticates, including completing MFA, the proxy captures the resulting session cookies, which the attacker can then replay to impersonate the victim and access their Microsoft 365 account without needing the password or a second factor.

During its investigation, Menlo Security attributed the infrastructure to EvilProxy based on several characteristics, such as the phishing domains being hosted on Nginx servers and the pages pulling content dynamically via Microsoft's Ajax CDN.

"The reverse proxy fetches all the content that can be dynamically generated like the login pages and then acts as the adversary in the middle by intercepting the requests and responses between the victim and the legitimate site. This helps in harvesting the session cookies and this tactic can be attributed to the usage of EvilProxy Phishing kit," Menlo Security revealed.

To conclude, Menlo stated that this form of attack, which begins with an account compromise, can lead to business email compromise and large financial losses: "Account compromise only forms the preliminary stages of an attack chain that could possibly end up in a Business Email Compromise where the potential impact could range from identity theft, intellectual property theft and massive financial losses."
