EvilProxy, a new phishing tool which bypasses Multi-Factor Authentication (MFA), is causing a spike in Business Email Compromise (BEC) cases.
The Radius Incident Response team has recently observed a significant increase in the number of Business Email Compromise (‘BEC’) cases ending in attempted payment fraud.
Most of these cases appear to be linked to a global phishing campaign using a new tool – called EvilProxy – used to bypass most forms of multi-factor authentication (‘MFA’) and compromise user accounts.
The Threat of EvilProxy
There is a high risk that organisations will fall victim to this new BEC attack method if existing defences are not fine-tuned:
- EvilProxy bypasses most forms of MFA, which many organisations rely on as their primary defence against account compromise
- Current campaigns are using previously compromised accounts to send out further phishing emails, which means recipients are receiving convincing phishing emails from people they trust
- Phishing landing pages are more convincing than ever
- Certain industries and sectors are being heavily targeted – legal, insurance, estate agents and financial services, though we expect this to expand over the coming weeks
So far, the majority of attacks using EvilProxy have all had the end goal of payment fraud (rather than data exfiltration or as a starting point for broader attacks).
While this is a trend that we expect to continue in the short term, the Radius team are monitoring campaigns closely for any changes in behaviour.
How Does It Work?
EvilProxy is a powerful adversary-in-the-middle (AiTM) attack framework which is being offered as a cheap, easy to use service on the dark web amongst cybercriminals.
Threat actors are using this phishing service to craft targeted phishing emails that include links to customised phishing websites, which are designed to look like legitimate sign-in pages for services like Google Workspace and Microsoft 365.
These phishing websites then redirect – or ‘proxy’ – traffic from the user to legitimate login sites, allowing the threat actor to intercept user credentials, valid session cookies and effectively sit in the middle of the MFA process.
Access to valid session cookies also allows them to continually log in to services such as Microsoft Exchange Online without the need to re-authenticate.
For a better understanding of how EvilProxy is being used to steal credentials, bypass MFA, and hijack valid session cookies, refer to the image below.
This proxy attack framework is not a new technique: sophisticated threat actors have previously used tools such as Modlishka, Necrobrowser, and Evilginx to bypass MFA protections since as early as 2018.
However, EvilProxy differs from these earlier frameworks, as it is much easier to set up, provides a wealth of in-depth training and instructional videos, has a user-friendly GUI, and offers a much wider library of fake phishing websites for well-known platforms such as Apple iCloud, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, NPM, PyPI, Twitter, Yahoo, and Yandex.
It is anticipated that demand for these user-friendly reverse proxy tools to continue to grow as multi-factor authentication becomes more widely adopted.
How to Defend your Organisation Against EvilProxy
In order to defend against AiTM attacks, organisations must complement their traditional MFA protections with a variety of different security measures.
However, it is important to note that none of the current solutions is a silver bullet, and this proxy could continue to pose a significant threat even after implementing the mitigations below.
Conditional Access Policies and Alternative MFA Methods
The best ways to defend against EvilProxy attacks are as follows:
- Implementing conditional access through your Microsoft Office Licence (you may need to upgrade your current licence to avail of the option) for your email to limit access to specific devices, locations
- Configuring Microsoft Intune compliance to deny access to untrusted devices (or configuring such a policy in an equivalent mobile device management platform)
- Password-less authentication methods such as Windows Hello for Business – However your organisation needs end-user devices to have biometric support (Face recognition, fingerprint or Iris recognition)
- Using hardware token MFA methods (FIDO2 security keys) (also requires biometric support on the end user devices)
An additional robust defence is to limit connectivity to trusted IP ranges and geographic locations. However, geo-blocking of IPs can be easy to bypass by threat actors using VPN services and may not be appropriate for a globally dispersed workforce.
While one of the most reliable protective methods, trusted device policies can represent a complex and extensive undertaking, which large organisations with thousands of legitimate endpoints may struggle to implement in a short timeframe.
Email Security Software
Organisations should also invest in advanced software solutions that monitor and scan incoming emails for malicious websites, including those used in EvilProxy phishing campaigns.
These solutions rarely catch everything, as they rely on reputational threat intelligence and behavioural analysis to generate alerts.
As this phishing technique is known to use a wide variety of different domains and IPs to help customers launch their phishing attacks, it is highly likely that these solutions will occasionally fail to recognise and block a malicious link.
Phishing Awareness Campaigns
As always, it is important for organisations to run regular phishing awareness campaigns to increase the likelihood that employees spot malicious links before opening them and know how to report them to the security team.
Experience shows these awareness campaigns are rarely 100% effective – this is particularly true when the phishing emails in question are sophisticated and almost identical to those being sent by legitimate services. However, strong awareness and training is a critical frontline defence.
What Should You Do Following an Attack?
Password Reset and Session Revoke
Should your organisation fall victim to an EvilProxy phishing attack, we recommend immediately enforcing password resets for all compromised accounts.
We also recommend revoking the users’ sessions in Microsoft 365 or whichever platform is affected, and across all devices.
This will prevent the threat actor from reusing the hijacked session cookie to authenticate into the estate.
However, we note that in Microsoft 365, access tokens cannot currently be revoked, so a threat actor may still have access to the Microsoft 365 account for the remaining duration of the token’s lifetime (this can be configured locally with a range of between 1 hour and 1 day).
In addition to enforcing password resets, we recommend that compromised organisations conduct a more in-depth investigation of their platforms to assess the scope of the threat actor’s access.
The investigation should first focus on a review of sign-in logs to determine whether the threat actor successfully authenticated to the compromised user account from unrecognised IP addresses.
In our experience, threat actors utilising the EvilProxy toolkit have used multiple unknown IP addresses to continue accessing user accounts in the days following the initial compromise.
In addition, we recommend that organisations look out for:
- Unexpected changes to MFA configurations or recovery methods
- Suspicious inbox manipulation rules
- Creation of forwarding and redirecting rules
- Unfamiliar sign-in/authentication properties
- Email messages containing malicious files removed/deleted after delivery
- Emails from typo-squatted domains
- Evidence of stolen SessionIDs
- Abnormal activity from unusual IPs in the mail audit logs of compromised accounts
While there is no indication that the threat actors behind these attacks have been delivering malware as part of their campaigns, this may remain a possibility.
Out of an abundance of caution, we recommend that organisations scan the affected user devices for malware and replace their machines should that be deemed necessary.
For more information on EvilProxy and how it happens, please see:
EvilProxy: An Example of How it Happens
At Radius, we have a vast knowledge of phishing and the threat it poses to businesses, and our team is monitoring this latest threat very closely.
If you think your organisation is at risk of falling foul to EvilProxy or would like to know more about it, contact our team today.