Attackers Use EvilProxy to Target C-Suite Executives

Phishing Kit Primarily Used in Attacks Against Employees of Fortune 500 Companies
Threat actors are taking control of cloud-based Microsoft 365 accounts of C-suite executives using a multifactor authentication phishing tool.

A campaign using the adversary-in-the-middle kit EvilProxy sent 120,000 fraudulent emails to hundreds of companies, collectively representing 1.5 million employees, between March and June.

Researchers from Proofpoint said the phishing emails mimic well-known and trusted services such as DocuSign and Adobe.

EvilProxy facilitates the theft of MFA-protected credentials by sending users to attacker-controlled websites that act as an intermediary between the victim and a legitimate logon page. Hackers redirect the traffic through multiple sites before it arrives at the proxy site in a bid to escape detection. Among the domains it uses to redirect traffic is bs.serving-sys.com, "a domain known for redirecting users to a range of undesired webpages," the researchers said. Hackers also use the YouTube domain.

Researchers observed attackers using automation to identify in real time whether a phished user is a high-level profile, likely a C-level executive or a vice president, and obtain access to the account. Proofpoint reported a doubling in the number of cases in which unauthorized individuals gained control of executives' cloud-based accounts, potentially leading to unauthorized access, data breaches and other security breaches.

"Once inside, malicious actors can hide undetected in an organization’s environment, waging sophisticated attacks at will," the researchers said. On multiple occasions, hackers added their own MFA method to a compromised Microsoft 365 account in order to establish persistence.
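
A defender-side check for the persistence step described above, as an added example that is not from Proofpoint or the original article: it flags an MFA method added from an IP address the user first signed in from only minutes earlier. The event schema, the sample values and the 30-minute window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema
# (time, user, event kind, source IP); not the Microsoft 365 audit log format.
EVENTS = [
    ("2023-05-20T09:00:00", "cfo@example.com", "signin", "198.51.100.10"),
    ("2023-06-01T08:00:00", "cfo@example.com", "signin", "198.51.100.10"),
    ("2023-06-01T14:02:00", "cfo@example.com", "signin", "203.0.113.77"),
    ("2023-06-01T14:09:00", "cfo@example.com", "mfa_method_added", "203.0.113.77"),
    ("2023-05-10T11:00:00", "analyst@example.com", "signin", "192.0.2.5"),
    ("2023-06-02T10:00:00", "analyst@example.com", "mfa_method_added", "192.0.2.5"),
    ("2023-06-03T09:00:00", "newhire@example.com", "signin", "192.0.2.44"),
    ("2023-06-03T09:05:00", "newhire@example.com", "mfa_method_added", "192.0.2.44"),
]


def suspicious_mfa_registrations(events, window=timedelta(minutes=30)):
    """Return (time, user, ip) for MFA methods added from an IP the user
    first signed in from less than `window` ago (or never), when the user
    already has older sign-in history to compare against."""
    first_seen = {}    # (user, ip) -> first sign-in time from that IP
    first_signin = {}  # user -> earliest sign-in time overall
    alerts = []
    parsed = sorted((datetime.fromisoformat(t), u, k, ip) for t, u, k, ip in events)
    for when, user, kind, ip in parsed:
        if kind == "signin":
            first_seen.setdefault((user, ip), when)
            first_signin.setdefault(user, when)
        elif kind == "mfa_method_added":
            baseline = first_signin.get(user)
            # No history older than the window: treat as initial enrollment.
            if baseline is None or when - baseline < window:
                continue
            seen = first_seen.get((user, ip))
            if seen is None or when - seen < window:
                alerts.append((when.isoformat(), user, ip))
    return alerts


if __name__ == "__main__":
    for alert in suspicious_mfa_registrations(EVENTS):
        print("review MFA change:", alert)
```

Only the first account is flagged: the second adds a method from a long-known address, and the third has no earlier history, so it is treated as first-time enrollment.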

EvilProxy appeared in early May and has been used in attacks "against multiple employees from Fortune 500 companies," Gene Yoo, CEO of Resecurity, a Los Angeles-based security consultancy, told ISMG in 2022.

"Amongst the hundreds of compromised users, approximately 39% were C-level executives of which 17% were chief financial officers, and 9% were presidents and CEOs. Attackers have also shown interest in lower-level management, focusing their efforts on personnel with access to financial assets or sensitive information," the researchers said.


About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
