Microsoft accounts targeted by EvilProxy phishing kits

Multifactor authentication (MFA) defenses are being bypassed by a ready-made phishing tool that has targeted thousands of victims, says cybersecurity firm Proofpoint.

Dubbed EvilProxy, the phishing kit has been increasingly used by threat actors to go after targets in the cloud with a view to remotely hijacking them. Proofpoint has witnessed more than 1.5 million employees targeted in total.

Microsoft users appear to have borne the brunt of many of these attacks. Between March and June, Proofpoint observed around 120,000 phishing emails sent to hundreds of organizations using Microsoft 365 worldwide.

Proofpoint believes this is an increasingly successful cybercriminal response to the growing uptake of MFA by businesses anxious to avoid falling foul of ransomware actors and other cyberattackers.

“MFA use has increased over the past few years in organizations [but] contrary to what one might anticipate, there has been an increase in account takeovers among tenants that have MFA protection,” said Proofpoint.

It adds that around a third of all system users it saw compromised during the past year had MFA enabled — yet another strong indicator that the battle between offense and defense in the cyberworld is one of continual escalation.

“We explored how the growing adoption of MFA led to the proliferation of phishing kits and tools designed to bypass this popular layer of security,” said Proofpoint, referencing its previous research. “Threat actors are advancing their methods for compromising accounts.”

Graphic from Proofpoint that demonstrates how EvilProxy works against the target

Not just a spreadshot attack

One method that particularly drew Proofpoint's attention is the use of automation to determine on the spot whether a phished user is a top-level executive, enabling attackers to focus on high-ranking targets that could provide them with more leverage against an organization.

This enables a cybercriminal to immediately tighten their grip on such high-value accounts, while disregarding “less lucrative phished profiles.”

So successful has the criminal response to MFA been that Proofpoint has also noted a rise in digital crooks specializing in such attacks, an offering known as “MFA Phishing as a Service.”

Worse, this service is facilitated by off-the-shelf kits such as EvilProxy, which sets up fake domains and reverse engineering facilities and sends out a phishing link to potential victims that ultimately enables an attacker to infiltrate a target system. In other words, no real expertise is required to offer it.

“Threat actors have seized on a market opportunity and developed MFA Phishing as a Service (PhaaS),” said Proofpoint. “This has allowed would-be credential phishers of even low technical aptitude to simply pay for pre-configured kits for a variety of online services such as Gmail, Microsoft, Dropbox, Facebook, and Twitter.”