Cybercriminals Increase EvilProxy Phishing to Target Executives

Business leaders need to be aware of one of the most impactful phishing campaigns ever seen. Cybercriminals are increasingly using a phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy to pull off account takeover attacks aimed at high-ranking executives at businesses, local government agencies, and even non-profits.

According to Proofpoint, an ongoing hybrid campaign has leveraged the EvilProxy service to target thousands of Microsoft 365 user accounts, sending approximately 120,000 phishing emails to hundreds of organizations worldwide between March and June 2023.

Nearly 39% of the hundreds of compromised users are said to be C-level executives, including CEOs (9%) and CFOs (17%). The attacks have also singled out personnel with access to financial assets or sensitive information. At least 35% of all compromised users had additional account protections enabled.


The campaigns are a response to the increased adoption of multi-factor authentication (MFA) in enterprises, which has prompted cybercriminals to evolve their tactics and bypass the new security layers by incorporating adversary-in-the-middle (AitM) phishing kits that siphon credentials, session cookies, and one-time passwords.

“Attackers use new advanced automation to accurately determine in real-time whether a phished user is a high-level profile, and immediately obtain access to the account, while ignoring less lucrative phished profiles,” the enterprise security firm said.

Resecurity first documented EvilProxy in September 2022, detailing its ability to compromise user accounts associated with Apple iCloud, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex, among others.

How to Protect Your Organization Against EvilProxy Phishing Attacks

  • User education: Your employees and customers are your first line of defense. Make sure they get security awareness training about all types of phishing attacks, including deceptive emails and fake login pages. This can significantly reduce their chances of being a victim.
  • Robust email security: Advanced email security solutions can detect and block phishing attempts before they reach users’ inboxes. Look for a solution that uses machine learning algorithms to identify and stop these threats, like SPOT Shield Email Security from The Fulcrum Group.
  • Cloud security: A good cloud security platform can identify account takeover (ATO) attacks as well as prevent unauthorized access to your sensitive cloud resources. It covers both initial- and post-compromise activities. And it lets your security team get a closer look into which services and applications are being abused by attackers. Make sure to look for a solution that automates remediation. This reduces attackers’ dwell time and keeps damages to a minimum.
  • Multi-factor authentication (MFA): Strong authentication measures, like MFA, can be a big boost to your security posture. But keep in mind that the scenario we just discussed shows how traditional MFA solutions can be ineffective. That’s why it’s important to use cloud ATO automated tools, which can remediate these types of incidents promptly.
  • Ongoing threat assessments: Keep your eye on the ball when it comes to watching for new threats. Regular threat assessments can help you identify your company’s vulnerabilities and enhance your incident response capabilities.
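
To make the cloud ATO detection point concrete, here is an added example (not from Proofpoint, Resecurity, or any vendor named above) of one heuristic a security team can run over sign-in logs: flag a session that passed MFA from one IP address and client and is then reused from a different IP address and a different client shortly afterwards. The event fields, sample values, and the one-hour window are assumptions; requiring both attributes to change is a deliberate choice to avoid alerting on users who simply switch networks.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are assumptions,
# loosely modelled on what an identity provider's sign-in log exposes.
SAMPLE_EVENTS = [
    {"time": "2023-06-01T09:00:00", "user": "cfo@example.com", "session": "s-100",
     "ip": "198.51.100.7", "agent": "Chrome/114 Windows", "mfa": True},
    {"time": "2023-06-01T09:04:00", "user": "cfo@example.com", "session": "s-100",
     "ip": "203.0.113.50", "agent": "Firefox/102 Linux", "mfa": False},
    {"time": "2023-06-01T10:00:00", "user": "analyst@example.com", "session": "s-200",
     "ip": "192.0.2.10", "agent": "Edge/114 Windows", "mfa": True},
    {"time": "2023-06-01T10:30:00", "user": "analyst@example.com", "session": "s-200",
     "ip": "192.0.2.10", "agent": "Edge/114 Windows", "mfa": False},
    # Same browser, new IP (e.g. VPN or Wi-Fi change): only one attribute changed.
    {"time": "2023-06-01T11:00:00", "user": "ceo@example.com", "session": "s-300",
     "ip": "192.0.2.44", "agent": "Safari/16 macOS", "mfa": True},
    {"time": "2023-06-01T11:20:00", "user": "ceo@example.com", "session": "s-300",
     "ip": "192.0.2.99", "agent": "Safari/16 macOS", "mfa": False},
]


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return findings for sessions reused from a different IP AND client.

    The first MFA-satisfied event of a session is its origin. A later event in
    the same session, inside `window`, whose IP and user agent both differ from
    the origin is reported once per session.
    """
    origin = {}      # session id -> (time, ip, agent) of the MFA-satisfied sign-in
    findings = {}    # session id -> finding dict (first mismatch only)
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        sid = ev["session"]
        if sid not in origin:
            if ev["mfa"]:
                origin[sid] = (when, ev["ip"], ev["agent"])
            continue
        start, ip, agent = origin[sid]
        changed = ev["ip"] != ip and ev["agent"] != agent
        if changed and when - start <= window and sid not in findings:
            findings[sid] = {"user": ev["user"], "session": sid,
                             "origin_ip": ip, "reuse_ip": ev["ip"],
                             "minutes_after_mfa": int((when - start).total_seconds() // 60)}
    return list(findings.values())


if __name__ == "__main__":
    for f in find_replayed_sessions(SAMPLE_EVENTS):
        print(f)
```

A finding from this check is a lead for investigation and session revocation, not proof of compromise; tune the window and the attributes compared to the log source in use.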

Want to learn more about External, Internal, and Cloud Penetration tests that can help you understand where you may have cybersecurity risks? Schedule a complimentary Cybersecurity Discovery Call.