Phishing Malware EvilProxy Targets MFA-Protected High-Level Executive Accounts

Written by: Shipra Sanganeria, Cybersecurity & Tech Writer

EvilProxy, a phishing tool popular among threat actors, is being used to bypass multi-factor authentication (MFA) on Microsoft 365 user accounts. The campaign, which was active between March and June 2023, saw around 120,000 phishing emails sent to 1.5 million employees in over 100 organizations globally.

Researchers at Proofpoint observed that use of this reverse-proxy-based phishing kit coincided with a sharp rise in successful cloud account takeovers affecting high-level executives over that period.

Noteworthy techniques employed by the attackers in this campaign include brand impersonation, a multi-step infection chain, and protection against scanning bots.

In this campaign, the phishing-as-a-service (PhaaS) tool was used to send spoofed emails impersonating trusted brands such as Concur Solutions, DocuSign, and Adobe.

As soon as the recipient clicks the malicious URL, they are redirected through open redirectors such as YouTube, followed by several further redirects involving malicious cookies and 404 pages. These steps are intended to lower the chances of discovery.

Eventually, the target lands on the EvilProxy phishing page, which according to the researchers "functions as a reverse proxy, mimicking recipient branding and attempting to handle third-party identity providers."

Proofpoint observed that the attackers used special encoding of the user's email address, together with compromised legitimate websites onto which they uploaded PHP code that decoded the email address of a particular target, to evade automated scanning tools. Once the target was identified, they were directed to the actual phishing page, tailor-made for the victim's organization.

Among the peculiarities noted in this campaign was a form of "safe listing" in which user traffic originating from Turkey was redirected to a legitimate site. This led the researchers to believe that the attackers were either based in Turkey or intentionally avoiding Turkish users. Many VPNs worldwide were also blocked from accessing the phishing sites.

The research also revealed the campaign's selective targeting, with priority given to "VIP" targets. Of the compromised accounts, 39% belonged to C-level executives, of whom 17% were chief financial officers and 9% were CEOs; the rest were employees with access to sensitive information and financial data.

On multiple occasions, the threat actors were observed using the My Sign-Ins feature of compromised Microsoft 365 accounts to establish persistence.

In September 2022, Resecurity discovered EvilProxy, then a new PhaaS offering, being advertised on the dark web for $400 a month.
