Menlo Security warns that a social engineering campaign is using the EvilProxy phishing kit to target senior executives across a range of industries, including banking and financial services, insurance, property management and real estate, and manufacturing.
EvilProxy allows threat actors to conduct adversary-in-the-middle (AitM) attacks by “harvesting session cookies enabling threat actors to bypass MFA protections.”
The phishing campaign exploited an open-redirect vulnerability affecting the job listing site Indeed. This allowed the attackers to craft a phishing link that appeared to lead to Indeed’s legitimate website, but redirected to a spoofed Microsoft login page. The attack chain is as follows:
- “Victim receives the phishing mail containing the Indeed link.”
- “The unsuspecting victim clicks on the Indeed link inside the mail, which redirects the victim to the fake Microsoft login page.”
- “This phishing page is deployed with the help of the EvilProxy phishing framework, fetching all the content dynamically from the legitimate login site.”
- “The phishing site acts as a reverse proxy, proxying the request to the actual website.”
- “The attacker intercepts the legitimate server’s requests & responses.”
- “The attacker is able to steal the session cookies.”
- “The stolen cookies can then be used to log in to the legitimate Microsoft Online site, impersonating the victims & bypassing non-phishing-resistant MFA.”
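The first two steps of that chain hinge on a trusted domain forwarding to an attacker-controlled host. The following Python is an added example, not code from Menlo Security or Indeed: a checker that flags mail links whose query string carries a URL pointing at a foreign host, plus the server-side target validation that closes an open redirect. All hostnames are constructed placeholders and no real Indeed URL layout is implied.

```python
"""Spot open-redirect lures in links and validate redirect targets server-side."""
from urllib.parse import parse_qs, unquote, urlparse

# Constructed allowlist of hosts a redirect on the trusted site may forward to.
ALLOWED_TARGET_HOSTS = {"example-jobs.test", "www.example-jobs.test"}


def extract_embedded_urls(link: str) -> list[str]:
    """Return absolute URLs carried in the link's query parameters.

    parse_qs already decodes one layer of percent-encoding; the extra unquote()
    catches double-encoded targets (%253A%252F%252F...) that evade naive filters.
    """
    parsed = urlparse(link)
    found = []
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            candidate = unquote(value)
            target = urlparse(candidate)
            if target.scheme in ("http", "https") and target.netloc:
                found.append(candidate)
    return found


def is_suspicious_redirect(link: str, allowed_hosts=ALLOWED_TARGET_HOSTS) -> bool:
    """True if any embedded URL forwards to a host outside the trusted set.

    This is the mail-gateway view: the visible link is on a trusted domain,
    but its query string names a different destination.
    """
    link_host = urlparse(link).hostname or ""
    for embedded in extract_embedded_urls(link):
        host = urlparse(embedded).hostname or ""
        if host != link_host and host not in allowed_hosts:
            return True
    return False


def safe_redirect_target(requested: str, fallback: str = "/") -> str:
    """Server-side fix: honour only same-site, path-relative targets.

    Rejects absolute URLs, protocol-relative '//host' forms and backslashes
    (browsers normalise '/\\host' to '//host'), returning a safe fallback.
    """
    target = urlparse(requested)
    if (target.scheme or target.netloc or "\\" in requested
            or not requested.startswith("/") or requested.startswith("//")):
        return fallback
    return requested
```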
Menlo Security expects to see an increase in the use of EvilProxy to launch these types of attacks.
“Account compromise only forms the preliminary stages of an attack chain that could possibly end up in a Business Email Compromise where the potential impact could range from identity theft, intellectual property theft and massive financial losses,” the researchers write.
“There is a high probability that we can see a surge in the usage of ‘EvilProxy’. Firstly, it is easy to use with a simple interface with tutorials and documentation easily available on the dark web. The ability to circumvent MFA makes this a powerful tool in the arsenal for cybercriminals.”
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Menlo Security has the story.