EvilProxy is a phishing-as-a-service platform that employs reverse proxies to relay authentication requests and user credentials between the user (target) and the legitimate service website. As the phishing server proxies the legitimate login form, it can steal authentication cookies once a user logs into their account. Furthermore, as the user already had to pass MFA challenges when logging into an account, the stolen cookie allows the threat actors to bypass multi-factor authentication.
EvilProxy is sold to cyber criminals for $400/month, promising the ability to target Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and PyPI accounts.
A new phishing campaign observed by Proofpoint since March 2023 is using the EvilProxy service to send emails that impersonate popular brands like Adobe, DocuSign, and Concur. If the victim clicks on the embedded link, they go through an open redirection via YouTube or SlickDeals, followed by a series of subsequent redirections that aim to lower the chances of discovery and analysis. Eventually, the victim lands on an EvilProxy phishing page that reverse proxies the Microsoft 365 login page, which also features the victim’s organization theme to appear authentic.

“In order to hide the user email from automatic scanning tools, the attackers employed special encoding of the user email, and used legitimate websites that have been hacked, to upload their PHP code to decode the email address of a particular user,” explains Proofpoint.

After decoding the email address, the user was forwarded to the final website – the actual phishing page, tailor-made just for that target’s organization.
Once a Microsoft 365 account is compromised, the threat actors add their own multi-factor authentication method (via Authenticator App with Notification and Code) to establish persistence. Reverse proxy phishing kits, and EvilProxy in particular, are a growing threat capable of delivering high-quality phishing at dangerous scales while bypassing security measures and account protections.
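One detection a defender can build around the persistence step described above, as an added example that is not Proofpoint's, Microsoft's or EvilProxy's code: it flags an MFA-method registration performed from an IP address the user had only started signing in from shortly beforehand, or had never signed in from at all. The event schema, field names, threshold and sample events are all constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, not any vendor's log format):
# sign-ins plus one "MFA method added" audit record per user.
SAMPLE_EVENTS = [
    {"ts": "2023-02-20T09:00:00", "user": "bob@example.com", "type": "signin",
     "ip": "192.0.2.5"},
    {"ts": "2023-03-06T08:02:00", "user": "alice@example.com", "type": "signin",
     "ip": "203.0.113.10"},
    {"ts": "2023-03-07T13:40:00", "user": "alice@example.com", "type": "signin",
     "ip": "198.51.100.77"},
    {"ts": "2023-03-07T13:47:00", "user": "alice@example.com",
     "type": "mfa_method_added", "ip": "198.51.100.77",
     "method": "Authenticator app (notification and code)"},
    {"ts": "2023-03-08T09:00:00", "user": "bob@example.com", "type": "signin",
     "ip": "192.0.2.5"},
    {"ts": "2023-03-08T09:30:00", "user": "bob@example.com",
     "type": "mfa_method_added", "ip": "192.0.2.5",
     "method": "Authenticator app (notification and code)"},
]


def find_suspicious_mfa_registrations(events, baseline=timedelta(hours=24)):
    """Return MFA-method registrations made from an IP the user had not been
    signing in from for at least `baseline` beforehand (or never at all).
    The 24h baseline is an assumed tuning value, not a documented default."""
    first_seen = {}  # (user, ip) -> datetime of the user's first sign-in from ip
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["ip"])
        if ev["type"] == "signin":
            first_seen.setdefault(key, when)  # keep the earliest sighting only
        elif ev["type"] == "mfa_method_added":
            seen = first_seen.get(key)
            if seen is None or when - seen < baseline:
                alerts.append({
                    "user": ev["user"], "ip": ev["ip"], "method": ev["method"],
                    "ts": ev["ts"],
                    "ip_first_seen": None if seen is None else seen.isoformat(),
                })
    return alerts


if __name__ == "__main__":
    # Alice's registration follows a sign-in from a 7-minute-old IP: flagged.
    # Bob's comes from an IP he has used for weeks: not flagged.
    for alert in find_suspicious_mfa_registrations(SAMPLE_EVENTS):
        print("ALERT", alert)
```

In a real deployment the same logic would be fed from the identity provider's sign-in and audit logs, and the registered method name and source IP in the alert are what an analyst would pivot on.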
Organizations can only defend against this threat by raising security awareness, tightening email filtering rules, and adopting FIDO-based physical security keys.