Cybercriminals recently successfully defeated Microsoft 365 cloud accounts protected with multi-factor authentication using the EvilProxy phishing suite, according to Proofpoint researchers.
Since the beginning of March, they have observed an ongoing hybrid campaign using EvilProxy to target thousands of Microsoft 365 user accounts, particularly those of senior executives at large companies. In fact, the attackers disregard successfully compromised accounts belonging to people they deem of lesser value, unless those accounts give access to financial or sensitive company information.
Of the hundreds of users at risk, according to Proofpoint, approximately 39% were senior executives, of which 17% were CFOs and 9% were presidents and CEOs.
Once the targeted user provided their credentials, the attackers were able to log into their Microsoft 365 account in seconds, the researchers say, indicating a streamlined and automated process.
“The global reach of this campaign is impressive, with approximately 120,000 fraudulent emails sent to hundreds of targeted organizations worldwide between March and June,” the researchers said in a blog post this week.
During the phishing phase, the attackers used the following techniques:
- Brand impersonation: phishing messages were sent from spoofed addresses of trusted services and applications, such as Concur Solutions, DocuSign, and Adobe.
- Scan blocking: the attackers protected their malicious web pages against cybersecurity scanning bots, making it difficult for security solutions to analyze them.
- Multi-step infection chain: the attackers redirected traffic through legitimate open redirectors, including YouTube, followed by additional steps such as malicious cookies and 404 redirects.
Initially, the phishing messages impersonated well-known trusted services such as Concur (a business expense management system), DocuSign, and Adobe. Sent from spoofed sender addresses, these emails contained links to malicious Microsoft 365 phishing sites. After several redirect hops, the user finally lands on the EvilProxy phishing framework. The landing page acts as a reverse proxy, mimicking the recipient’s organizational branding and attempting to handle third-party identity providers. If required, these pages prompt for the user’s MFA credentials so that a genuine, successful authentication can be completed on the victim’s behalf – which also validates the collected credentials as legitimate.
In the later waves of this campaign, in order to evade detection by security solutions and entice users into clicking the links, the attackers used redirect links hosted on reputable websites such as YouTube and SlickDeals.
Once the attackers gain access to a victim’s account, they establish persistence in the affected organization’s cloud environment, often leveraging a native Microsoft 365 application to manage MFA settings. They do this by adding their own multi-factor authentication method to the account.
According to Proofpoint, IT and IT security professionals should take a number of steps to prevent this type of attack, including deploying effective business email compromise prevention solutions. They must also have solutions or processes in place to identify account takeover and unauthorized access to sensitive resources. In some cases, certain employees should be required to use physical FIDO-based security keys to protect their logins. Security awareness training for staff also needs to be strengthened.
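The persistence step described above (the attacker registering their own MFA method shortly after signing in with relayed credentials) and the account-takeover detection Proofpoint recommends can be turned into a concrete rule. The following is an added example, not code from the article or from Proofpoint: it correlates constructed sign-in records with constructed directory audit events and flags a security-info registration that follows, within a short window, a sign-in from a country the user has never signed in from before. The event shape (field names such as `user`, `country`, `activity`) is a simplified assumption, not the exact Microsoft export schema; the activity name "User registered security info" is the one Entra ID uses for MFA method registration.

```python
from datetime import datetime, timedelta

# Activity name that appears in the directory audit log when a user (or an
# attacker holding their session) adds a new authentication method.
MFA_REGISTRATION_ACTIVITY = "User registered security info"


def parse_ts(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed history of successful sign-ins, used only to build a per-user
# baseline of the countries each user normally signs in from.
HISTORY = [
    {"user": "cfo@example.com", "time": "2023-03-10T08:01:00Z", "country": "NL"},
    {"user": "cfo@example.com", "time": "2023-03-22T08:30:00Z", "country": "NL"},
    {"user": "analyst@example.com", "time": "2023-03-15T09:00:00Z", "country": "NL"},
]

# Constructed sign-ins for the day under review (field names are assumptions).
SIGNINS = [
    {"user": "cfo@example.com", "time": "2023-04-03T09:02:11Z",
     "ip": "203.0.113.5", "country": "NL", "mfa": "satisfied"},
    # Same user, 40 minutes later, from an unfamiliar country: the pattern a
    # credential-and-session relay through a reverse proxy would produce.
    {"user": "cfo@example.com", "time": "2023-04-03T09:40:50Z",
     "ip": "198.51.100.77", "country": "US", "mfa": "satisfied"},
    {"user": "analyst@example.com", "time": "2023-04-03T13:50:00Z",
     "ip": "203.0.113.9", "country": "NL", "mfa": "satisfied"},
]

# Constructed directory audit events for the same day.
AUDITS = [
    {"user": "cfo@example.com", "time": "2023-04-03T09:44:02Z",
     "activity": MFA_REGISTRATION_ACTIVITY, "ip": "198.51.100.77"},
    # Legitimate re-enrolment: preceded only by a sign-in from a known country.
    {"user": "analyst@example.com", "time": "2023-04-03T14:00:00Z",
     "activity": MFA_REGISTRATION_ACTIVITY, "ip": "203.0.113.9"},
]


def build_country_baseline(history):
    """Map each user to the set of countries seen in their historical sign-ins."""
    baseline = {}
    for ev in history:
        baseline.setdefault(ev["user"], set()).add(ev["country"])
    return baseline


def find_suspicious_mfa_registrations(signins, audits, baseline, window_minutes=30):
    """Flag MFA-method registrations that follow, within `window_minutes`,
    a sign-in by the same user from a country outside their baseline."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for audit in audits:
        if audit["activity"] != MFA_REGISTRATION_ACTIVITY:
            continue
        reg_time = parse_ts(audit["time"])
        known_countries = baseline.get(audit["user"], set())
        for s in signins:
            if s["user"] != audit["user"]:
                continue
            signin_time = parse_ts(s["time"])
            # Only sign-ins in the window just before the registration matter.
            if not (reg_time - window <= signin_time <= reg_time):
                continue
            if s["country"] not in known_countries:
                alerts.append({
                    "user": audit["user"],
                    "registration_time": audit["time"],
                    "signin_time": s["time"],
                    "signin_ip": s["ip"],
                    "signin_country": s["country"],
                    "reason": "MFA method registered after sign-in from unfamiliar country",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mfa_registrations(SIGNINS, AUDITS, build_country_baseline(HISTORY)):
        print(alert)
```

Running the block prints a single alert for the CFO account; the analyst's registration is not flagged because the only preceding sign-in came from a country already in that user's baseline. In production the baseline would be built from weeks of sign-in history and the rule would sit alongside others (new device, new ISP, impossible travel), since a single "unfamiliar country" signal on its own produces noise for travelling executives.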
French adaptation and translation by Renaud Larue-Langlois.