Proofpoint researchers report a dramatic rise in cloud account takeovers targeting executives worldwide, with over 100 organizations affected and about 1.5 million employees impacted. The campaigns hinge on EvilProxy, a reverse-proxy phishing toolkit that can steal MFA-protected credentials and session cookies to enable rapid cloud account compromise.
Hashtags: #EvilProxy #PhaaS #DocuSign #AdobeSign #Concur #Microsoft365
Keypoints
- Cloud account takeover incidents surged by more than 100% over the last six months, targeting high-level executives at leading companies.
- More than 100 organizations globally were targeted, representing approximately 1.5 million employees.
- Attackers used EvilProxy, a reverse-proxy, Adversary-in-the-Middle phishing toolkit that can steal MFA-protected credentials and session cookies in real time.
- The threat combines MFA-bypass techniques with advanced account takeover methods, adapting to the growing adoption of MFA within organizations.
- Phishing-as-a-Service (PhaaS) enables even low-skill actors to deploy pre-configured MFA-phishing kits for services like Gmail, Microsoft, and more.
- The attack flow involves spoofed emails linking to malicious Microsoft 365 phishing sites, multi-step redirections via legitimate redirectors, and a landing page that mimics the target's branding to harvest credentials and relay MFA prompts in real time.
MFA use has increased in organizations, yet Proofpoint notes that at least 35% of compromised users during the past year had MFA enabled.
Threat actors study target organizations to tailor their lures; after a successful takeover, the campaign proceeds to persistence, lateral movement, data exfiltration, and monetization, either through HaaS or by selling access.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link - Attack emails purporting to be from DocuSign, Adobe Sign and Concur contained malicious URLs that initiated a multi-step infection chain. ["Emails purporting to be from DocuSign, Adobe Sign and Concur contained malicious URLs that initiated a multi-step infection chain:"]
- [T1539] Steal Web Session Cookie - The EvilProxy framework steals credentials and session cookies in real time so the attacker can authenticate as the victim without triggering a new MFA prompt. ["to steal credentials and session cookies in real-time"]
- [T1078] Valid Accounts - The final goal is to compromise and exploit valuable cloud user accounts, assets, and data. ["the final goal is to compromise and exploit valuable cloud user accounts, assets, and data."]
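The T1539 step above is where a defender has the best chance of catching EvilProxy after the fact: the interactive, MFA-satisfied sign-in is performed by the reverse proxy (so the IP recorded is the proxy's, not the victim's device), and the stolen cookie is then replayed from the operator's own machine. The following is an added example, not Proofpoint's or Microsoft's code; it runs a minimal version of that heuristic over constructed sign-in events whose fields (time, user, sessionId, ip, mfaSatisfied, interactive) are a simplified stand-in for Entra ID sign-in log columns.

```python
"""Flag probable AiTM session-cookie replay (MITRE T1539) in sign-in telemetry.

Added example; the event shape is a constructed simplification of Entra ID
(Azure AD) sign-in fields, and the events themselves are made up. The
heuristic: any use of a session from an IP other than the one that completed
the MFA-satisfied interactive sign-in, within a short window, is reported.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), unsorted on purpose.
EVENTS = [
    {"time": "2023-08-09T08:07:42Z", "user": "cfo@example.com", "sessionId": "s-1001",
     "ip": "198.51.100.77", "mfaSatisfied": False, "interactive": False},   # cookie replayed by operator
    {"time": "2023-08-09T08:01:10Z", "user": "cfo@example.com", "sessionId": "s-1001",
     "ip": "203.0.113.10", "mfaSatisfied": True, "interactive": True},      # MFA login via the proxy's IP
    {"time": "2023-08-09T09:15:00Z", "user": "dev@example.com", "sessionId": "s-2002",
     "ip": "192.0.2.5", "mfaSatisfied": True, "interactive": True},
    {"time": "2023-08-09T10:15:00Z", "user": "dev@example.com", "sessionId": "s-2002",
     "ip": "192.0.2.5", "mfaSatisfied": False, "interactive": False},       # benign token refresh, same IP
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(events, window=timedelta(hours=1)):
    """Return (user, sessionId, mfa_ip, replay_ip, minutes_later) for each suspicious reuse."""
    by_session = {}
    for e in sorted(events, key=lambda e: parse_time(e["time"])):
        by_session.setdefault(e["sessionId"], []).append(e)

    findings = []
    for sid, evs in by_session.items():
        # Anchor on the first interactive sign-in that satisfied MFA: with EvilProxy this is the
        # proxy completing the victim's login, so its IP is attacker infrastructure too.
        anchor = next((e for e in evs if e["mfaSatisfied"] and e["interactive"]), None)
        if anchor is None:
            continue
        t0 = parse_time(anchor["time"])
        for e in evs:
            dt = parse_time(e["time"]) - t0
            if e is anchor or dt < timedelta(0) or dt > window:
                continue
            # Same session cookie, different client IP, no fresh MFA: classic cookie replay.
            if e["ip"] != anchor["ip"]:
                findings.append((e["user"], sid, anchor["ip"], e["ip"], int(dt.total_seconds() // 60)))
    return findings


if __name__ == "__main__":
    for f in find_session_replays(EVENTS):
        print("possible session replay:", f)
```

Expect false positives from legitimate IP changes (Wi-Fi to mobile, VPN reconnects); a production rule would add ASN and geolocation comparison and a per-user baseline of known IPs, and would treat the anchor sign-in itself as suspicious when its IP is outside that baseline, since with a reverse proxy the "victim's" login never came from the victim's device.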
Indicators of Compromise
- [Domain] Malicious "Step 2" redirection domains - 01-net[.]com, 837[.]best, and 2 more domains
- [IP Address] Source IP addresses involved in the EvilProxy attack - 154.29.75.192, 185.241.52.78, and 2 more IPs
- [Spoofed email address] Spoofed sender addresses used in EvilProxy campaigns - autonotification@concursolutions[.]com, [email protected][.]net, and 1 more
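The indicators above are defanged, and the redirection domains appear in the middle of a chain that starts at a legitimate redirector, so a naive substring search on the raw strings finds nothing. The following is an added example, not part of the Proofpoint report or this page's source; it refangs the indicators listed on this page and matches them, with word boundaries and subdomain handling, against constructed mail-gateway and proxy log lines (the "and N more" indicators are not on the page and are not filled in).

```python
"""Refang defanged IOCs and sweep log lines for them.

Added example; the indicator values are the ones listed on this page, the log
lines are constructed and not real telemetry.
"""
import re

DEFANGED_IOCS = {
    "domain": ["01-net[.]com", "837[.]best"],
    "ip": ["154.29.75.192", "185.241.52.78"],
    "sender": ["autonotification@concursolutions[.]com"],
}

# Constructed log lines: a spoofed Concur notification, then the victim following the
# lure through a legitimate redirector to a "Step 2" domain served from a listed IP.
LOG_LINES = [
    '2023-08-09T08:00:01Z mailgw from=autonotification@concursolutions.com to=cfo@example.com subject="Expense report ready"',
    '2023-08-09T08:00:45Z proxy user=cfo src=10.0.0.21 url=https://www.youtube.com/redirect?q=https://837.best/login',
    '2023-08-09T08:00:46Z proxy user=cfo src=10.0.0.21 dst=185.241.52.78 url=https://sub.837.best/xyz',
    '2023-08-09T08:05:00Z proxy user=dev src=10.0.0.30 url=https://www.example.com/',
]


def refang(ioc):
    """Undo the usual defanging: [.] and (.) -> ., hxxp(s) -> http(s)."""
    return (ioc.replace("[.]", ".").replace("(.)", ".")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def build_matchers(iocs):
    """Compile one bounded regex per indicator; domains also match their subdomains."""
    compiled = []
    for kind, values in iocs.items():
        for v in values:
            real = re.escape(refang(v))
            if kind == "domain":
                # optional subdomain labels, then the domain, bounded so 837.best does not hit x837.best
                pat = r"(?<![\w.-])(?:[\w-]+\.)*" + real + r"(?![\w-])"
            elif kind == "ip":
                pat = r"(?<![\d.])" + real + r"(?![\d.])"
            else:
                pat = r"(?<![\w.-])" + real + r"(?![\w-])"
            compiled.append((kind, v, re.compile(pat, re.IGNORECASE)))
    return compiled


def scan(lines, iocs=DEFANGED_IOCS):
    """Return (line_number, kind, defanged_ioc) for every indicator hit."""
    matchers = build_matchers(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, v, rx in matchers:
            if rx.search(line):
                hits.append((n, kind, v))
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print("IOC hit:", hit)
```

A sender-address match only shows that the From header carried the spoofed address; pair it with the gateway's SPF/DKIM/DMARC results before treating it as confirmed, and sweep URL fields (not just destination hosts) so that redirector chains like the one in the second line are caught.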