A recent phishing campaign is targeting Microsoft 365 accounts of key executives in U.S.-based organizations by exploiting open redirects from the job listings website Indeed.
The threat actor is using the EvilProxy phishing service to collect session cookies, which can bypass multi-factor authentication (MFA). Open redirects are weaknesses in website code that allow redirecting to arbitrary locations, and in this case, threat actors leverage an open redirect on indeed.com. Targets receive emails with seemingly legitimate indeed.com links that lead to a phishing site acting as a reverse proxy for Microsoft's login page.
By accessing their accounts through this phishing server, the threat actor can capture authentication cookies, granting them full access to the victim's account.
The chart below depicts the various sectors targeted by the campaign.
EvilProxy, a phishing-as-a-service platform, uses reverse proxies to facilitate communication and relay user details between the target and Microsoft's genuine online service.
Attack stages Source: Proofpoint
This phishing campaign is particularly effective because the email links come from a trusted source, enabling them to bypass email security measures and potentially appear in search results without raising suspicion. The acquired cookies allow cybercriminals to exploit the fact that users have already completed the required MFA steps during login, giving them unauthorized access to the victim's account.
Unfortunately, the use of reverse proxy kits for phishing is growing and combining them with open redirects increases the success of a campaign.
Relevance
Phishing Attack
Recommendations
Advanced user awareness training
Stricter email filtering rules
Adopting FIDO-based physical keys
Incident Response
Isolate any infected systems and quarantine the system.
Notify relevant parties according to your Incident Response Plan
Reach out to cybersecurity professionals to help contain the attack, analyze the risk, and devise a recovery plan.
References
1. EvilProxy uses indeed.com open redirect for Microsoft 365 phishing. (2023, October 3). BleepingComputer. https://www.bleepingcomputer.com/news/security/evilproxy-uses-indeedcom-open-redirect-for-microsoft-365-phishing/?utm_source=dlvr.it&utm_medium=linkedin
How can CyberForce|Q services help you address this risk?
When partnering with CyberForce|Q, our cybersecurity experts can assist with writing and implementing a patch management system for your organization. Also, our Incident Response team can work with you to help develop, implement, and test your incident response plan. Customized Tabletop exercises are encouraged for all organizations. Our cutting-edge Security Operations Center is purpose-bult to tackle the challenge of monitoring your systems 24x7x265. By leveraging our services, we can help minimize the risk associated with an IT Infrastructure Security risk with measurable results.
Learn more about CyberForce|Q.
Learn more about our Q|FRAME Assessment Services.
Comments