Attackers compromised a contractor's mailbox and hijacked an active executive approval thread to deliver a phishing link that led through multi-step redirects and Cloudflare Turnstile gates to an EvilProxy AiTM Microsoft credential-theft page. ANY.RUN researchers detonated the message in a sandbox, revealed the full execution chain, and linked the incident to an ongoing EvilProxy campaign to support faster SOC detection and IOC/IOB sharing. #EvilProxy #CloudflareTurnstile #ANYRUN #Microsoft
Key points
- A contractor's sales manager account was likely compromised and used to reply inside a live C-suite email thread, hijacking the conversation and inheriting the trust the thread already carried.
- Observed execution chain: SCA phishing email → 7 forwards (thread momentum) → phishing link → Cloudflare Turnstile anti-bot landing page → Turnstile-protected phishing page → EvilProxy AiTM page for Microsoft credential capture.
- Attackers used multi-step redirects and Cloudflare Turnstile gating so that static and automated scanners never reach the final credential-capture page.
- The primary objective was Microsoft credential theft via an adversary-in-the-middle (AiTM) EvilProxy phishkit, which captures credentials even when the user completes what looks like a legitimate sign-in flow.
- ANY.RUN detonation revealed the full chain (often in under 60 seconds), enabling evidence-based triage, faster confirmation, and linkage to a broader campaign.
- Indicators include pivoting domains and URL patterns (e.g., /bot, /robot, and loginmicrosoft*), mapping this incident to an EvilProxy campaign active since December 2025 and primarily targeting the Middle East.
MITRE Techniques
- [T1078] Valid Accounts – Attacker used a compromised contractor mailbox to reply inside an existing executive thread, gaining initial access and legitimacy ('compromised contractor account that was already involved in business correspondence.').
- [T1566.002] Phishing: Spearphishing Link – The campaign delivered a malicious link inside a trusted thread to induce a user to follow a review/approval link ('phishing link … placed where it looks expected: tied to "review," "final approval," or "document access."').
- [T1204.002] User Execution: Malicious Link – Social engineering guided targets to click the link as part of routine review/approval actions ('encouraging the potential victim to open the fake document').
- [T1557] Adversary-in-the-Middle – EvilProxy operated as an AiTM to intercept and steal Microsoft credentials during the fake authentication flow ('EvilProxy AiTM for Microsoft credential theft.').
Indicators of Compromise
- [Email Account] conversation hijack context – contractor's sales manager account used to reply inside a C-suite approval thread (compromised vendor mailbox).
- [URL path / Domain pattern] phishing infrastructure context – examples: URL paths '/bot' and '/robot', and domain/path patterns like 'loginmicrosoft*' (pivoting domains and rapidly changing redirect hosts).
- [Phishing kit / Campaign] campaign attribution context – EvilProxy AiTM phishkit referenced (active since Dec 2025; targeting primarily the Middle East).
- [Service gating] anti-bot gating context – Cloudflare Turnstile used as intermediary landing and gating pages to screen automated analysis and delay exposure of the credential-capture page.
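The URL-pattern indicators above and the multi-hop chain in the key points lend themselves to a small triage check. The following Python script is an added example, not ANY.RUN's code or tooling: it rebuilds a redirect chain from sandbox or proxy log lines (the log line format and the example.invalid hosts are constructed for this illustration), scores each hop against the only patterns the page reports (/bot, /robot paths and loginmicrosoft* names), and produces a verdict an analyst could attach to an IOC/IOB record. A legitimate Microsoft sign-in chain is included as a negative control to show the lookalike check does not fire on the real login host.

```python
import re
from urllib.parse import urlparse

# Indicator patterns quoted on the page: /bot and /robot paths on the Turnstile
# gating hops, and loginmicrosoft* in the host or path of the final EvilProxy page.
GATE_PATH_RE = re.compile(r"^/(bot|robot)/?$", re.I)
AITM_NAME_RE = re.compile(r"loginmicrosoft", re.I)


def score_url(url):
    """Return the page-derived indicators a single URL matches (empty list if none)."""
    parsed = urlparse(url)
    hits = []
    if GATE_PATH_RE.match(parsed.path or "/"):
        hits.append("turnstile_gate_path")
    # The page lists loginmicrosoft* as a domain/path pattern, so check both parts.
    if AITM_NAME_RE.search(parsed.hostname or "") or AITM_NAME_RE.search(parsed.path):
        hits.append("aitm_login_lookalike")
    return hits


def chain_from_log(log_text):
    """Rebuild the ordered redirect chain from log lines.

    Constructed line format (assumption, not a real product's log schema):
    '<iso-timestamp> <HTTP status> <url>'. Lines are sorted by timestamp.
    """
    rows = []
    for line in log_text.strip().splitlines():
        ts, status, url = line.split(maxsplit=2)
        rows.append((ts, int(status), url))
    rows.sort()
    return [url for _, _, url in rows]


def analyze_chain(chain):
    """Classify a redirect chain the way a triage analyst would after detonation."""
    scored = [(url, score_url(url)) for url in chain]
    gate_hops = sum(1 for _, hits in scored if "turnstile_gate_path" in hits)
    aitm_hops = sum(1 for _, hits in scored if "aitm_login_lookalike" in hits)
    hosts = {urlparse(u).hostname for u in chain}
    if aitm_hops:
        verdict = "aitm_suspected"          # final hop looks like the EvilProxy page
    elif gate_hops:
        verdict = "gating_observed"         # anti-bot gates seen, final page not reached
    elif len(hosts) >= 3:
        verdict = "multi_step_redirect"     # suspicious hop count, no known patterns
    else:
        verdict = "clean"
    return {
        "hops": len(chain),
        "hosts": len(hosts),
        "gate_hops": gate_hops,
        "aitm_hops": aitm_hops,
        "verdict": verdict,
        "flagged": {url: hits for url, hits in scored if hits},
    }


# Constructed sample: a chain shaped like the one the page describes.
SUSPECT_LOG = """\
2026-01-14T09:12:01Z 302 https://docs-review.example.invalid/review/final-approval?id=42
2026-01-14T09:12:02Z 200 https://gate-one.example.invalid/bot
2026-01-14T09:12:05Z 302 https://gate-two.example.invalid/robot
2026-01-14T09:12:06Z 200 https://loginmicrosoft-secure.example.invalid/common/oauth2/authorize
"""

# Constructed negative control: an internal link that hands off to the real Microsoft login host.
BENIGN_LOG = """\
2026-01-14T10:00:00Z 302 https://intranet.example.invalid/docs/approval/42
2026-01-14T10:00:01Z 200 https://login.microsoftonline.com/common/oauth2/v2.0/authorize
"""

if __name__ == "__main__":
    for name, log in (("suspect", SUSPECT_LOG), ("benign", BENIGN_LOG)):
        result = analyze_chain(chain_from_log(log))
        print(name, result["verdict"], result["flagged"])
```

The verdict ordering matters: a chain that reaches a loginmicrosoft* host is escalated even if no gate paths were seen, while a chain that stops at a /bot or /robot hop is still worth a second detonation, since the page notes that Turnstile gating is exactly what hides the final credential-capture page from automated analysis.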
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/enterprise-email-thread-phishing/