EvilProxy has quickly become one of the most popular phishing-as-a-service platforms used by cybercriminals to target businesses protected by multi-factor authentication (MFA). Researchers at Proofpoint identified around 120,000 phishing emails sent to hundreds of organisations using Office 365, and warn of a dramatic increase in cloud account compromises, primarily affecting high-ranking executives. EvilProxy makes this possible by combining bot evasion, brand impersonation and open redirects in its platform.
EvilProxy uses a reverse proxy to relay authentication requests and credentials between the victim and the legitimate service they are trying to reach, an adversary-in-the-middle (AitM) technique. Because the EvilProxy server sits in the path and serves the real login form, it sees the whole exchange, including the session cookie the service issues once the user has completed the login, MFA prompt included. With that stolen session cookie the attacker can access the account without ever being asked for a second factor: MFA is not broken, it was completed by the victim, and the cookie is the proof of it.
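To make the mechanism concrete, here is an added model of the relay (illustration written for this page, not EvilProxy code or Proofpoint's). The identity provider, the proxy, the account and both hostnames are constructed stand-ins; the WebAuthn step is reduced to origin binding with an HMAC in place of a real public-key signature, and challenge freshness is omitted. It shows both halves of the story: a password plus one-time-code login relayed through the proxy leaves the attacker holding a usable session cookie, while a FIDO security key (the alternative recommended later on this page) produces an assertion over the origin the browser is actually on, which the legitimate service rejects.

```python
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example.com"        # constructed relying-party origin
PHISH_ORIGIN = "https://login-example.evil.test"  # constructed proxy (phishing) origin


class IdentityProvider:
    """Stand-in for the legitimate login service."""

    def __init__(self):
        # constructed test account; 'fido_key' stands in for the credential's public key
        self.users = {"alice": {"password": "hunter2", "totp": "492871",
                                "fido_key": secrets.token_bytes(32)}}
        self.sessions = {}  # session cookie value -> user

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)  # value a real service would put in Set-Cookie
        self.sessions[cookie] = user
        return cookie

    def login_password_totp(self, user, password, totp):
        u = self.users.get(user)
        if not u or u["password"] != password or u["totp"] != totp:
            return None
        return self._issue_session(user)

    def login_webauthn(self, user, assertion):
        """Simplified WebAuthn check: the signed client data must name our own origin."""
        u = self.users.get(user)
        if not u:
            return None
        client_data = json.loads(assertion["clientDataJSON"])
        if client_data.get("origin") != LEGIT_ORIGIN:
            return None  # produced on another origin (a proxy domain): reject
        expected = hmac.new(u["fido_key"], assertion["clientDataJSON"].encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        return self._issue_session(user)

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class SecurityKey:
    """Stand-in for a FIDO authenticator: it signs the origin the browser reports,
    i.e. the page the user is really on, not the brand that page imitates."""

    def __init__(self, key):
        self.key = key

    def get_assertion(self, browser_origin, challenge):
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": browser_origin}, sort_keys=True)
        sig = hmac.new(self.key, client_data.encode(), hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "signature": sig}


class ReverseProxy:
    """The AitM relay: forwards what the victim submits and records any cookie that comes back."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured_cookies = []

    def _record(self, cookie):
        if cookie:
            self.captured_cookies.append(cookie)
        return cookie

    def relay_password_totp(self, user, password, totp):
        return self._record(self.upstream.login_password_totp(user, password, totp))

    def relay_webauthn(self, user, assertion):
        return self._record(self.upstream.login_webauthn(user, assertion))


def password_totp_through_proxy():
    """Victim enters password + TOTP on the phishing page; the attacker replays the cookie."""
    idp = IdentityProvider()
    proxy = ReverseProxy(idp)
    victim_cookie = proxy.relay_password_totp("alice", "hunter2", "492871")
    stolen = proxy.captured_cookies[0] if proxy.captured_cookies else None
    return {"victim_logged_in": victim_cookie is not None,
            "attacker_session_user": idp.whoami(stolen)}


def webauthn_through_proxy():
    """Same victim and proxy, but a security key: the browser reports the phishing origin."""
    idp = IdentityProvider()
    proxy = ReverseProxy(idp)
    key = SecurityKey(idp.users["alice"]["fido_key"])
    assertion = key.get_assertion(PHISH_ORIGIN, challenge=secrets.token_hex(8))
    cookie = proxy.relay_webauthn("alice", assertion)
    return {"victim_logged_in": cookie is not None, "captured": len(proxy.captured_cookies)}


def webauthn_direct():
    """Control case: the same key used on the real origin logs in normally."""
    idp = IdentityProvider()
    key = SecurityKey(idp.users["alice"]["fido_key"])
    assertion = key.get_assertion(LEGIT_ORIGIN, challenge=secrets.token_hex(8))
    return idp.whoami(idp.login_webauthn("alice", assertion))


if __name__ == "__main__":
    print(password_totp_through_proxy())  # attacker ends up with alice's session
    print(webauthn_through_proxy())       # no session issued, nothing to capture
    print(webauthn_direct())              # alice
```

The point of the model is that the proxy never needs to defeat the second factor: in the TOTP case the victim supplies it and the service happily mints a session the proxy can read. The key case fails on the origin check before any signature is examined, which is the property of FIDO2/WebAuthn that real browsers enforce through the origin in clientDataJSON and the relying-party ID scoping.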
Proofpoint have created a graphic detailing the timeline of an EvilProxy phishing attack:
EvilProxy is sold to cybercriminals for $400 a month on a subscription model, with claims that the platform can target Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy and PyPI accounts, and it is often seen impersonating Adobe, DocuSign and Concur. If the victim clicks the phishing link, they are taken through a chain of redirects designed to evade detection and analysis before reaching the phishing page itself.
"In order to hide the user email from automatic scanning tools, the attackers employed special encoding of the user email, and used legitimate websites that have been hacked, to upload their PHP code to decode the email address of a particular user," explains Proofpoint. "After decoding the email address, the user was forwarded to the final website – the actual phishing page, tailor-made just for that target’s organization."
Once an account has been compromised, the attacker typically registers an additional MFA method of their own, usually an authenticator app, so that access survives a password reset or the expiry of the stolen session. Defending against this kind of attack is difficult for organisations because the victim genuinely completes MFA on the real service. The practical measures are phishing awareness training so that users scrutinise links and sender domains; tighter email filtering, including for the redirect chains described above; alerting on newly registered MFA methods, since that is the step the attacker takes to establish persistence; and phishing-resistant MFA such as FIDO2 security keys, whose assertions are bound to the origin the browser is actually on and therefore cannot be relayed through a proxy domain.
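The persistence step described above is also the most detectable one. The following is an added detection example (not Proofpoint's logic or any product's query language) over constructed audit events in a made-up JSON schema: it flags an MFA method registration that follows a successful sign-in within a short window from an IP address the user had never used before a baseline cutoff.

```python
import json
from datetime import datetime, timedelta

# Constructed audit events in an invented schema (not a real product's log format).
# cfo@example.com signs in from a brand-new address and registers an authenticator app
# five minutes later; dev@example.com registers one from an address seen days earlier.
SAMPLE_EVENTS = """\
{"ts": "2023-07-28T09:00:00Z", "user": "dev@example.com", "event": "signin", "ip": "192.0.2.9", "result": "success"}
{"ts": "2023-08-01T08:02:11Z", "user": "cfo@example.com", "event": "signin", "ip": "203.0.113.7", "result": "success"}
{"ts": "2023-08-01T09:15:40Z", "user": "cfo@example.com", "event": "signin", "ip": "203.0.113.7", "result": "success"}
{"ts": "2023-08-02T10:00:00Z", "user": "dev@example.com", "event": "signin", "ip": "192.0.2.9", "result": "success"}
{"ts": "2023-08-02T10:03:00Z", "user": "dev@example.com", "event": "mfa_method_added", "ip": "192.0.2.9", "method": "authenticator_app"}
{"ts": "2023-08-02T13:41:03Z", "user": "cfo@example.com", "event": "signin", "ip": "198.51.100.23", "result": "success"}
{"ts": "2023-08-02T13:46:55Z", "user": "cfo@example.com", "event": "mfa_method_added", "ip": "198.51.100.23", "method": "authenticator_app"}
"""

WINDOW = timedelta(minutes=60)     # a sign-in must precede the registration by at most this
BASELINE_AGE = timedelta(days=1)   # an IP is 'known' only if the user used it this long before


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def _successful_signins(events, user):
    return [e for e in events
            if e["user"] == user and e["event"] == "signin" and e["result"] == "success"]


def suspicious_mfa_registrations(events):
    """Return (user, registration time, ip, method) for each MFA registration that
    follows a recent successful sign-in from an address outside the user's baseline."""
    flagged = []
    for reg in events:
        if reg["event"] != "mfa_method_added":
            continue
        signins = _successful_signins(events, reg["user"])
        known_ips = {e["ip"] for e in signins if e["ts"] <= reg["ts"] - BASELINE_AGE}
        recent = [e for e in signins if reg["ts"] - WINDOW <= e["ts"] <= reg["ts"]]
        if recent and reg["ip"] not in known_ips:
            flagged.append((reg["user"], reg["ts"].isoformat(), reg["ip"], reg.get("method")))
    return flagged


def run(text=SAMPLE_EVENTS):
    return suspicious_mfa_registrations(parse_events(text))


if __name__ == "__main__":
    for hit in run():
        print("suspicious MFA registration:", hit)
```

In a real environment the baseline would be built from weeks of history and keyed on ASN or device rather than a raw IP, and the proxy's egress address would be a second signal: the sign-in that precedes the registration comes from the EvilProxy server, not from the victim's usual network.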