Business Challenge Story

EvilProxy is a phishing-as-a-service platform that employs reverse proxies to relay authentication requests and user credentials between the user (target) and the legitimate service website. As the phishing server proxies the legitimate login form, it can steal authentication cookies once a user logs into their account. Furthermore, as the user already had to pass MFA challenges when logging into an account, the stolen cookie allows the threat actors to bypass multi-factor authentication.

EvilProxy is sold to cyber criminals for $400/month, promising the ability to target Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and PyPI accounts.

A new phishing campaign observed by Proofpoint since March 2023 is using the EvilProxy service to send emails that impersonate popular brands like Adobe, DocuSign, and Concur. If the victim clicks on the embedded link, they go through an open redirection via YouTube or SlickDeals, followed by a series of subsequent redirections that aim to lower the chances of discovery and analysis. Eventually, the victim lands on an EvilProxy phishing page that reverse proxies the Microsoft 365 login page, which also features the victim’s organization theme to appear authentic. “In order to hide the user email from automatic scanning tools, the attackers employed special encoding of the user email, and used legitimate websites that have been hacked, to upload their PHP code to decode the email address of a particular user,” explains Proofpoint. After decoding the email address, the user was forwarded to the final website – the actual phishing page, tailor-made just for that target’s organization.

Once a Microsoft 365 account is compromised, the threat actors add their own multi-factor authentication method (via Authenticator App with Notification and Code) to establish persistence. Reverse proxy phishing kits, and EvilProxy in particular, are a growing threat capable of delivering high-quality phishing at dangerous scales while bypassing security measures and account protections.

Organizations can only defend against this threat through higher security awareness, stricter email filtering rules, and adopting FIDO-based physical keys.

gears,business man in the background

Incident Description

One of Aura’s customer encountered an incident involving a staff member who received an email from a genuine client. The email contained a SharePoint link to an anticipated document, complete with a specific code related to their collaborative task. Given these details, the staff member perceived the email as trustworthy. Subsequently, they clicked on the provided SharePoint link, which led them to a page prompting a Microsoft 365 (M365) account login. The login process involved Multi-Factor Authentication (MFA), using the passwordless method through the Microsoft Authenticator app. After successfully completing the MFA check, the staff member was surprised to discover that the expected document was nowhere to be found. Upon contacting the client, the advice was to delete the email.

At this time, Aura was brought in to investigate. A review of the Azure security sign-in logs unveiled multiple unsuccessful login attempts to the user’s account. The MFA acted as a deterrent, preventing unauthorized access to the Microsoft account. Or so it seemed. Upon closer inspection of the logs, it was evident that the attacker managed to bypass MFA on their fourth attempt. This prompted a detailed inquiry to piece together the full scope of the incident.

After a comprehensive analysis, the likely sequence of events unfolded as follows: The client’s account had been entirely compromised, allowing the attacker to access the email history and gain insights into the ongoing communications with various clients. Armed with this knowledge, the attacker assumed control of the account and initiated a phishing scheme. The phishing email was expertly crafted to mimic a legitimate SharePoint message, complete with a document the recipient was anticipating. Examination of the URL revealed that the “SharePoint” link pointed to a falsified website hosted on a compromised server belonging to a renovation company located in Boise, ID.

This spoofed website was operating an “evil proxy” service, granting attackers the ability to circumvent MFA protection. This process involved users authenticating themselves through their email, password, and MFA on a compromised server via the forged site. The authorization details were captured within the cookies exchanged between the web browser and the spoofed site. Since the site was a non-legitimate, the attacker not only harvested the user’s credentials but also acquired the cookies used during the MFA process.

With these resources, the attacker obtained unrestricted access to the account.

Incident Resolution

Immediate steps were taken to revoke access and enhance account security which included the account being disabled from logons, a password reset, removal of all devices used during MFA for the account, re-setup of MFA devices for the account, and an extensive auditing check.

The IT team implemented the following measures:

  • Implemented a conditional access policy that restricts all authentication and connections from outside of Canada.
  • Reconfigure MFA for the affected user and remove all MFA-related tokens from their profile using PowerShell. This step was crucial to ensure that no unauthorized devices remained connected to the account for MFA verification.
  • Impersonation protection was implemented and all key roles (Executives, Mgmt., Supervisors, etc.) were included as well.
  • Implemented a comprehensive phishing education program that requires all employees to successfully complete and pass.

 

Incident Recommendation

This incident underscores the significance of user education, robust MFA implementation, and other cybersecurity measures needed in today’s digital landscape. These sort of attacks can primarily be mitigated through user education and the implementation of FIDO keys.

The IT team recommended the following going forward:

  1. Enforce MFA authentication methods for Microsoft 365 to only be accessible via the Microsoft Authentication App with Number Matching.
  2. Implementation of impersonation protection in the environment with all key roles included.
  3. Implementation of security awareness training that helps protect against evolving threats and contributes to a strong security culture within the organization.
  4. Implementation of regular/ongoing Cyber Security Monitoring and Auditing Tools in the environment.

 

Prevent the unexpected from ruining your company’s security. Find out more about how Aura’s Cybersecurity-as-a-service can benefit your company. Contact us today.

We’re ready to
work for you.

HEAD OFFICE

1742 10 Ave SW, Calgary, AB T3C 0J8

403-269-6123 option 2

info@auraadvanced.com

  • This field is for validation purposes and should be left unchanged.