Here’s How to Protect Your Organization
The alarming increase in the use of a phishing-as-a-service (PhaaS) toolkit called EvilProxy to execute account takeover attacks on executives at prominent companies has become a significant cybersecurity concern.
Between March and June 2023, Proofpoint identified an ongoing hybrid campaign that targeted thousands of Microsoft 365 user accounts, sending about 120,000 phishing emails to hundreds of organizations around the globe. Almost 39% of the compromised users are C-level executives, including CEOs (9%) and CFOs (17%). The attacks also strategically target personnel with access to financial resources or confidential information. Even those with extra account protection were not immune: 35% of all breached users had additional safeguards enabled.
The campaigns are a direct reaction to the widespread adoption of multi-factor authentication (MFA) in enterprises. Threat actors are adapting their tactics to overcome these new security layers, utilizing advanced adversary-in-the-middle (AitM) phishing kits to steal credentials, session cookies, and one-time passwords.
The growing prevalence of EvilProxy, first documented by Resecurity in September 2022, and other PhaaS toolkits has lowered the entry threshold for criminals, enabling them to carry out sophisticated phishing attacks cost-effectively and at scale. Such toolkits offer attackers a point-and-click interface with customizable options, paving the way for successful MFA phishing activities.
These attacks are multi-stage: phishing emails posing as trusted services lead recipients to a fraudulent Microsoft 365 login page, which discreetly captures their information.
Interestingly, the campaign has been seen to deliberately avoid user traffic from Turkish IP addresses, hinting at the campaign operators’ possible location.
The attack doesn’t end with a successful account takeover; the threat actor takes further steps to solidify their presence in the organization’s cloud environment, even adding their own MFA method to maintain persistent remote access.
These threats highlight the constant evolution of cybercriminal tactics and the shortcomings of existing defense strategies. Here are some recommendations to help protect your organization:
- Educate Employees: Continuous training on recognizing and avoiding phishing emails can be a first line of defense.
- Implement Advanced Security Measures: Beyond MFA, consider additional layers of security such as endpoint detection, continuous monitoring, and AI-driven threat analysis.
- Regularly Update Security Protocols: Stay current with the latest cybersecurity threats and ensure all security measures are up to date.
- Employ Threat Intelligence Services: Engaging with threat intelligence providers can offer in-depth insights into emerging threats and tailored protection strategies.
- Promote a Strong Security Culture: Foster a culture where all staff understand their role in maintaining cybersecurity and feel empowered to report potential threats.
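The persistence step described above, where the attacker adds their own MFA method after takeover, is something continuous monitoring can look for. The following is an added example, not code from the original article or from Proofpoint: it flags a new MFA method registered from an IP address that only recently appeared for that user. The event records and their field names are constructed and hypothetical, not the schema of any real audit log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names are hypothetical and simplified;
# map the fields of your own sign-in and audit logs onto them.
EVENTS = [
    {"time": "2023-05-02T08:01:00", "user": "cfo@example.com", "type": "signin", "ip": "198.51.100.10"},
    {"time": "2023-05-03T08:03:00", "user": "cfo@example.com", "type": "signin", "ip": "198.51.100.10"},
    {"time": "2023-05-04T14:20:00", "user": "cfo@example.com", "type": "signin", "ip": "203.0.113.77"},
    {"time": "2023-05-04T14:26:00", "user": "cfo@example.com", "type": "mfa_method_added", "ip": "203.0.113.77"},
    {"time": "2023-05-05T09:00:00", "user": "it@example.com", "type": "signin", "ip": "192.0.2.5"},
    {"time": "2023-05-06T09:00:00", "user": "it@example.com", "type": "signin", "ip": "192.0.2.5"},
    {"time": "2023-05-06T09:10:00", "user": "it@example.com", "type": "mfa_method_added", "ip": "192.0.2.5"},
]


def flag_mfa_adds(events, window=timedelta(hours=1)):
    """Return (user, time, ip) for MFA methods added from an IP new to that user."""
    first_seen = defaultdict(dict)  # user -> {ip: time of first sign-in from it}
    alerts = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        seen = first_seen[ev["user"]]
        if ev["type"] == "signin":
            seen.setdefault(ev["ip"], t)
        elif ev["type"] == "mfa_method_added":
            baseline = min(seen.values(), default=None)  # earliest sign-in on record
            first = seen.get(ev["ip"])
            # "New" means the user never signed in from this IP, or first did so
            # inside the window. The account's earliest IP is treated as its
            # baseline, since there is no prior history to compare it against.
            is_new = first is None or (first != baseline and t - first <= window)
            if is_new:
                alerts.append((ev["user"], ev["time"], ev["ip"]))
    return alerts


if __name__ == "__main__":
    for user, when, ip in flag_mfa_adds(EVENTS):
        print(f"review: {user} added an MFA method at {when} from new IP {ip}")
```

An alert here is a prompt to review the account's registered authentication methods, not proof of compromise, since users also enroll new devices while travelling or on new networks.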
The rapidly advancing nature of phishing threats such as EvilProxy underlines the need for a robust and flexible security approach. By taking the above measures, organizations can significantly reduce their risk and respond proactively to the ever-changing landscape of cyber threats.