Threat actors have leveraged a phishing-as-a-service (PhaaS) tool called EvilProxy to target cloud-based Microsoft 365 accounts at more than 100 organizations representing 1.5 million employees, including high-level C-suite executives at leading companies.
In a blog post Aug. 9, Proofpoint researchers said threat actors used EvilProxy to steal credentials protected by multi-factor authentication (MFA) and session cookies. The researchers said over the last six months, they observed a surge of more than 100% in cloud account takeover incidents globally at the affected companies.
“Employee credentials are prized by threat actors — they can offer access to valuable or sensitive corporate information and user accounts,” said the Proofpoint researchers. “While stolen credentials offer a multitude of attack vectors for cybercriminals, not all credentials are created equal.”
The researchers said EvilProxy combines adversary-in-the-middle (AitM) phishing with automated account takeover, a pairing driven largely by the growing adoption of MFA. In an AitM kit, a reverse proxy sits between the victim and the genuine login page, so the victim completes a real sign-in, including the MFA step, while the proxy records the credentials and the resulting session cookie. The attackers impersonated known trusted services such as DocuSign, Adobe and the business expense management system Concur. Emails claiming to be from these companies contained malicious URLs that started a multi-step redirection chain ending at the phishing page. Once a targeted user provided their credentials, attackers could log into their Microsoft 365 account within seconds, which indicates a streamlined, automated process.
Proofpoint’s researchers said that threat actors often target specific job functions or departments, and that their methods and techniques must constantly evolve, for example by finding ways to bypass MFA. Contrary to popular belief, MFA is not a silver bullet against sophisticated cloud-based threats. The researchers said malicious actors can hide undetected in an organization’s environment once they have a foothold in the tenant, carrying out attacks such as email fraud, including business email compromise.
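The chain described above leaves a recognisable trace in the identity provider’s sign-in records: the interactive, MFA-satisfied login arrives from the proxy’s address rather than the victim’s, and the captured cookie is then reused from a different network without a new MFA prompt. The following triage script is an added example, not code from the article or from Proofpoint; the event fields, the per-user IP baseline and the sample sign-ins are constructed and only loosely modelled on Microsoft Entra ID sign-in log attributes such as session ID, IP address and interactivity.

```python
"""Added example: triage Microsoft 365 sign-in records for the AitM cookie-replay pattern.
Event fields, baseline and sample data are constructed (hypothetical), not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-user baseline: addresses seen for the account over the last 30 days.
BASELINE_IPS = {
    "cfo@example.com": {"203.0.113.10"},
    "dev@example.com": {"203.0.113.25"},
}

# Constructed sign-in events (documentation IP ranges only). Times are UTC, ISO 8601.
SAMPLE_EVENTS = [
    # Ordinary office sign-in from a baseline address.
    {"user": "cfo@example.com", "time": "2023-08-01T08:30:00Z", "ip": "203.0.113.10",
     "asn": "AS64500", "session_id": "sess-aaa", "interactive": True, "mfa": "success"},
    # Victim completes MFA through the reverse-proxy phishing page, so the identity
    # provider records the proxy's address, not the victim's.
    {"user": "cfo@example.com", "time": "2023-08-01T09:02:10Z", "ip": "198.51.100.77",
     "asn": "AS64511", "session_id": "sess-bbb", "interactive": True, "mfa": "success"},
    # Minutes later the captured session cookie is replayed from another network;
    # no MFA prompt, because the cookie already carries the satisfied MFA claim.
    {"user": "cfo@example.com", "time": "2023-08-01T09:05:41Z", "ip": "192.0.2.200",
     "asn": "AS64496", "session_id": "sess-bbb", "interactive": False, "mfa": "not_required"},
    # A travelling user: new address and MFA passed, but the session is never reused elsewhere.
    {"user": "dev@example.com", "time": "2023-08-01T10:00:00Z", "ip": "203.0.113.99",
     "asn": "AS64500", "session_id": "sess-ccc", "interactive": True, "mfa": "success"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def sessions_reused_across_networks(events, window=timedelta(hours=12)):
    """Map (user, session_id) -> (first_asn, later_asn, gap) for every session whose
    first sign-in and a later sign-in come from different ASNs within `window`."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[(ev["user"], ev["session_id"])].append(ev)
    reused = {}
    for key, evs in by_session.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        first = evs[0]
        for later in evs[1:]:
            gap = parse_time(later["time"]) - parse_time(first["time"])
            if later["asn"] != first["asn"] and gap <= window:
                reused[key] = (first["asn"], later["asn"], gap)
                break
    return reused


def triage(events, baseline=BASELINE_IPS, window=timedelta(hours=12)):
    """Combine two weak signals into one finding per session.

    'mfa_from_new_ip': an interactive sign-in that satisfied MFA came from an address
    outside the user's baseline (a proxy login looks like this, but so does travel).
    'session_reused_across_asn': the same session was then used from another network.
    Both together form the cookie-replay pattern and are rated high; either alone is low.
    """
    reused = sessions_reused_across_networks(events, window)
    findings = {}
    for ev in events:
        key = (ev["user"], ev["session_id"])
        reasons = findings.setdefault(key, set())
        known = baseline.get(ev["user"], set())
        if ev["interactive"] and ev["mfa"] == "success" and ev["ip"] not in known:
            reasons.add("mfa_from_new_ip")
        if key in reused:
            reasons.add("session_reused_across_asn")
    result = []
    for (user, sid), reasons in findings.items():
        if not reasons:
            continue
        severity = "high" if len(reasons) == 2 else "low"
        result.append({"user": user, "session_id": sid,
                       "severity": severity, "reasons": sorted(reasons)})
    return result


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the script rates the cfo session high (MFA passed from an unknown address, then the same session used from a second ASN three and a half minutes later) and the travelling developer low, which is the distinction a SOC analyst needs: a new location on its own is noise, a new location plus session reuse across networks is the replay. The ASN comparison rather than a raw IP comparison keeps mobile carriers and office NATs from producing false positives.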
“PhaaS offerings such as EvilProxy, which feature MFA-bypass capabilities, are becoming more widely used, allowing even non-technical cyber criminals to spin up a phishing campaign and trick employees into handing over their account information,” said the Proofpoint researchers.
The C-suite and senior executives are valuable targets for account takeover attacks because they are visible members of an organization, have access to sensitive information, and carry influence within their organizations, said Darren Guccione, co-founder and CEO at Keeper Security. Guccione said the number of these targeted attacks continues to increase dramatically, and their sophistication has risen as well.
“With a growing number of organizations moving to cloud and multi-cloud environments, the attack surface has increased dramatically, as well,” Guccione said. “In the cloud, all it takes is one click for a bad actor to gain access to an entire organization. The simplest cybersecurity best practices, including the use of strong and unique passwords, eliminating the re-use of passwords, enforcing multi-factor authentication, and communicating clear guidelines on executive communication, can dramatically reduce these attacks.”
Roy Akerman, co-founder and CEO at Rezonate, added that stealing credentials essentially means the attackers are stealing identities and the privileges attached to them. With attackers adeptly sidestepping controls like MFA through techniques such as EvilProxy and adversary-in-the-middle phishing, many organizations are at risk, said Akerman.
“This serves as a stark reminder that in the cloud era, our cyber defense strategies must be ever-evolving,” said Akerman. “It's not merely about protecting credentials, but also about proactively preparing for their inevitable compromise. For the past decade, our efforts to protect credentials have felt like an endless loop of challenges. It’s evident that simple defense isn't enough: we must adopt a more forward-thinking approach, bearing in mind that credentials are bound to be misappropriated. We need to focus on context-aware authentication and dynamic, risk-based authorization.”