Cybercriminals have launched an EvilProxy phishing campaign with the aim of infiltrating thousands of Microsoft 365 user accounts across the globe. 

Over a span of three months from March to June, the attackers distributed a barrage of 120,000 phishing emails targeting more than 100 organizations worldwide. The primary objective of this operation was to compromise high-ranking executive accounts, paving the way for subsequent, deeper attacks within these enterprises.

Researchers from Proofpoint have shed light on the ongoing campaign, revealing that it employs a range of phishing strategies, including brand impersonation, scan blocking, and a multi-step infection process. 

These tactics have enabled the attackers to successfully seize control of cloud accounts belonging to top-level executives. Notably, over the past half-year, there has been an alarming surge of over 100% in these takeover incidents. These breaches occurred within organizations that collectively represent 1.5 million employees globally.

The attackers leveraged the EvilProxy phishing-as-a-service platform, utilizing reverse proxy and cookie-injection methods. These techniques allowed them to bypass multi-factor authentication (MFA), which is often touted as a defense mechanism against phishing attacks. The use of tools like EvilProxy, which operate as reverse-proxy hacker tools, is making it increasingly feasible for malicious actors to overcome MFA.

Upon obtaining credentials, the attackers wasted no time in accessing executives' cloud accounts, achieving entry in mere seconds. Subsequently, they maintained control by employing a native Microsoft 365 application to incorporate their own MFA into the "My Sign-Ins" section. The favored method for this action was the "Authenticator App with Notification and Code."

Surprisingly, the researchers noted that there has been a rise in account takeovers among tenants with MFA protection. Their data suggests that at least 35% of all compromised users over the past year had MFA enabled.

The EvilProxy attack typically commences with attackers masquerading as trusted services such as Concur, DocuSign, and Adobe. They send phishing emails from spoofed addresses, purportedly originating from these services, containing links to malicious Microsoft 365 phishing sites.

Clicking on these links initiates a multi-step infection process involving redirects to legitimate sources like YouTube, followed by further redirects utilizing malicious cookies and 404 errors. This convoluted approach is designed to scatter the traffic, minimizing the chances of detection.

Ultimately, the user traffic arrives at an EvilProxy phishing framework—a landing page functioning as a reverse proxy. This page imitates recipient branding and third-party identity providers.

Despite the large number of attacks, the cybercriminals exhibited precision, specifically targeting top-tier executives. C-level executives were the focus in approximately 39% of the attacks, with 17% targeting CFOs and 9% aimed at presidents and CEOs.

The success of this campaign in breaching MFA and its extensive scale underscore the advancing sophistication of phishing attacks. This necessitates organizations to bolster their security measures and adopt proactive cybersecurity intelligence to detect anomalous activities, emerging threats, and potential vulnerabilities.

While the effectiveness of EvilProxy as a phishing tool is acknowledged, there remains a significant gap in public awareness regarding its risks and implications. 

Proofpoint recommends a series of steps to mitigate phishing risks, including blocking and monitoring malicious email threats, identifying account takeovers, detecting unauthorized access to sensitive cloud resources, and isolating potentially malicious sessions initiated through email links.