A new phishing campaign is targeting Microsoft 365 accounts using a phishing-as-a-service platform called EvilProxy. The campaign has been observed targeting over 100 organizations and has successfully compromised accounts belonging to top-level executives.
EvilProxy is a reverse-proxy phishing kit: the phishing page sits between the victim and the real login site, relaying the username, password and MFA code to the legitimate service in real time and capturing the session cookie the service issues once the login succeeds. Because that cookie is already authenticated, attackers can replay it to bypass multi-factor authentication (MFA) and gain full access to the victim’s account.
The EvilProxy phishing campaign is using a variety of techniques to evade detection, including:
- Brand impersonation: The emails are sent from domains that are designed to look like they are from legitimate companies, such as Adobe, DocuSign, and Concur.
- Open redirection: The emails contain links that redirect users to legitimate websites first, and then to the phishing page. This makes it more difficult for security solutions to detect the phishing page.
- Evasive bot detection: The phishing page is built to recognize automated security scanners (bots) and serve them harmless content, so that only real users reach the credential-harvesting page.
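The open-redirection and lookalike-domain tricks above can be checked mechanically before anyone clicks. The following is an added example written for this notice, not code from the campaign write-up or from any vendor: it unwraps redirect chains by following URL-valued query parameters without touching the network, then compares the final host against an allowlist. The allowlist, the brand keywords and the sample links are all constructed assumptions; the "trusted-portal.example" entry stands in for any site your organization trusts.

```python
"""Inspect links from a suspicious email: unwrap open-redirect chains and
flag lookalike hosts. Added example for this notice; the allowlist and the
sample URLs are constructed assumptions, not vetted indicators."""
from urllib.parse import urlparse, parse_qs

# ASSUMPTION: registered domains your organization treats as legitimate.
# "trusted-portal.example" is a placeholder for an internal or partner site.
TRUSTED_DOMAINS = {"adobe.com", "docusign.com", "microsoftonline.com",
                   "microsoft.com", "trusted-portal.example"}
# Brand words that should only ever appear in a trusted domain.
BRAND_WORDS = ("adobe", "docusign", "concur", "microsoft", "office365")


def registered_domain(host: str) -> str:
    """Last two labels of the host (simplified: multi-part TLDs such as
    co.uk are not handled; use a public-suffix library in production)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def unwrap_redirects(url: str, max_hops: int = 5) -> list[str]:
    """Follow URL-valued query parameters (the open-redirect pattern) without
    making any network request. Returns the chain, outermost link first."""
    chain = [url]
    while len(chain) < max_hops:
        query = parse_qs(urlparse(chain[-1]).query)  # percent-decodes values
        nested = [v for values in query.values() for v in values
                  if v.lower().startswith(("http://", "https://"))]
        if not nested:
            break
        chain.append(nested[0])
    return chain


def classify_link(url: str) -> dict:
    """Return the final host, hop count, verdict and the reasons behind it."""
    chain = unwrap_redirects(url)
    first_host = urlparse(chain[0]).hostname or ""
    final_host = urlparse(chain[-1]).hostname or ""
    first_trusted = registered_domain(first_host) in TRUSTED_DOMAINS
    final_trusted = registered_domain(final_host) in TRUSTED_DOMAINS
    reasons = []
    if len(chain) > 1 and first_trusted and not final_trusted:
        reasons.append("open_redirect")   # trusted site forwards to an untrusted one
    if not final_trusted and any(b in final_host.lower() for b in BRAND_WORDS):
        reasons.append("lookalike_host")  # brand name inside an untrusted domain
    verdict = "suspicious" if reasons else ("trusted" if final_trusted else "unknown")
    return {"final_host": final_host, "hops": len(chain),
            "verdict": verdict, "reasons": reasons}


# Constructed sample links, not real campaign indicators.
SAMPLE_LINKS = [
    "https://www.docusign.com/notifications/view?id=1234",
    "https://trusted-portal.example/go?url=https%3A%2F%2Fdocusign-secure-login.example%2Fm365",
    "https://login.microsoftonline-verify.example/common/oauth2",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_link(link))
```

Run it as-is to see one trusted link and two suspicious ones; in practice the allowlist would be fed from your mail-security tooling and the function run over every link extracted from a reported message.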
Business organizations can take steps to protect themselves from the EvilProxy phishing campaign by:
- Educating employees about phishing scams. Employees should be aware of the common techniques used by phishers and should be cautious about clicking links or opening attachments in emails from unknown senders.
- Using a security solution that can detect and block phishing emails.
- Enabling MFA for Microsoft 365 accounts. MFA adds an additional layer of security that can help to protect accounts from being compromised, even if the user’s password is stolen. Because EvilProxy relays the login and captures the resulting session cookie, codes sent by SMS or an authenticator app are proxied along with the password; phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the real site’s domain, are the MFA options that hold up against this kind of campaign.
If you receive an email that you think might be a phishing scam, do not click on any links or open any attachments. Instead, forward the email to the Providence IT Team for further investigation.
Here are some additional tips for spotting phishing emails:
- The email is from an unfamiliar sender.
- The email has a generic subject line.
- The email contains grammatical errors or typos.
- The email asks for personal information, such as your password or credit card number.
- The email is urgent or threatening.
- The email contains a link that redirects to a website that looks like the real website, but has a different URL.
If you are unsure whether an email is legitimate, it is always best to err on the side of caution and not click on any links or open any attachments.