EvilProxy Phishing Kit Hits Over 100 Firms, Bypass MFA with Reverse Proxy


  • Proofpoint’s report highlights a rise in account takeovers, contradicting expectations of MFA’s effectiveness.
  • Malicious EvilProxy phishing kit emerges as a key player, exploiting MFA’s limitations.
  • EvilProxy employs a complex infection chain, utilizing legitimate redirectors and reverse proxy architecture.
  • High-level executives are targeted due to their access to sensitive data; 39% of compromised users held C-level positions.
  • Organizations urged to enhance email, cloud, and web security, and consider better authentication methods like FIDO-based keys.

Cybersecurity firm Proofpoint’s recent report has revealed a surge in account takeovers, defying the expectation that multi-factor authentication (MFA) would curb such incidents. The firm’s research showed that at least 35% of compromised users over the past year were equipped with MFA protection. It seems threat actors have found a way to exploit this defence.

The key protagonist in this narrative is the malicious phishing kit dubbed EvilProxy. As MFA gained traction, attackers responded with sophisticated methods to bypass this layer of security. EvilProxy, a reverse proxy-based phishing kit, has taken center stage in these endeavours, demonstrating its prowess by targeting thousands of users, including a significant number of C-suite executives.

Reverse Proxy (Proofpoint)

The method of attack involves a complex multi-step infection chain. Phishing emails, often impersonating trusted services like DocuSign and Adobe, contain malicious links that redirect users through a labyrinth of legitimate redirectors, including YouTube, malicious cookies, and 404 redirects. At the core of this campaign lies EvilProxy’s reverse proxy architecture. The kit intercepts MFA requests, obtains valid session cookies, and leverages them for authentication in the actual domain.

What is striking about this campaign is the attackers’ discrimination in targeting. They prioritized high-level executives due to their potential access to sensitive data and financial assets. Proofpoint’s study indicated that out of numerous compromised users, approximately 39% held C-level executive positions, including 17% who were chief financial officers and 9% who were presidents and CEOs.

EvilProxy Phishing Kit Hits Over 100 Firms, Bypass MFA with Reverse Proxy
Roles compromised in the attack (Proofpoint)

Once the attackers obtain access, their post-compromise activities include establishing persistence within the organization’s cloud environment. They leverage Microsoft 365 applications for MFA manipulation, further cementing their control. This persistent access opens avenues for lateral movement and potential malware deployment.

Proofpoint’s findings have shone a spotlight on the relentless evolution of cyber threats, highlighting that even the most secure of defences can be outmanoeuvred. The rise of EvilProxy as a tool of choice for such attacks has exposed critical vulnerabilities in organizational defence strategies. With a 100% increase in cloud account takeover incidents targeting high-level executives in the past six months, the battle between attackers and defenders continues to escalate.

Organizations are urged to strengthen their defences against these advanced hybrid threats by focusing on email security, cloud security, web security, and user awareness, and considering adopting better authentication methods, such as FIDO-based physical security keys. 

  1. Warning as hackers breach MFA to target cloud services
  2. Global CDN Service ‘jsdelivr’ Exposed Users to Phishing Attacks
  3. FortiGuard Labs Discovers .ZIP Domains Fueling Phishing Attacks
  4. New Phishing Attack Spoofs Microsoft 365 Authentication System
  5. “Picture in Picture” Tactic Exploited in New Deceptive Phishing Attack



Source link