EvilProxy Phishing Attack Strikes Indeed – Blog | Menlo Security

Menlo Labs uncovered a targeted phishing campaign using the EvilProxy kit to impersonate Microsoft via Indeed open redirects, enabling session cookie theft and MFA bypass. The operation targeted US executives across financial services, property management/real estate, manufacturing, and related sectors, sold as a phishing‑as‑a‑service on the dark web by actors including John_Malkovich. #EvilProxy #Indeed

Keypoints

  • The campaign began in July and continued into August.
  • A sophisticated phishing kit named ‘EvilProxy’ functions as a reverse proxy to intercept client–server communications.
  • EvilProxy can harvest session cookies, enabling MFA bypass and credential theft.
  • The activity mainly targeted U.S.-based organizations across multiple sectors, including Banking/Financial, Insurance, Property Management/Real Estate, and Manufacturing.
  • The attackers exploited an open redirection vulnerability on indeed.com to redirect victims to phishing pages impersonating Microsoft.
  • The phishing pages are delivered via a phishing‑as‑a‑service platform with administrator handle ‘John_Malkovich’ facilitating customer support and operation.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – The infection vector is a phishing email with a deceptively crafted link from indeed.com to a fake Microsoft login page. Quote: “The infection vector was a phishing email delivered with a link that is deceptively crafted in such a way that it comes from a trusted source, in this case ‘indeed.com’.”
  • [T1539] Steal Web Session Cookie – The attacker intercepts requests/responses via the reverse proxy and is able to steal the session cookies to impersonate victims and bypass MFA. Quote: “The attacker intercepts the legitimate server’s requests & responses” and “The attacker is able to steal the session cookies.”

Indicators of Compromise

  • [Domains] – lmo[.]roxylvfuco[.]com[.]au, lmo[.]bartmfil[.]com, lmo[.]triperlid[.]com, and 7 more items
  • [IPs] – 199.204.248.121, 193.239.85.29, and 5 more IPs

Read more: https://www.menlosecurity.com/blog/evilproxy-phishing-attack-strikes-indeed/