Rewterz Threat Alert – Microsoft Users Targeted by EvilProxy Phishing Kit Exploiting Indeed.com Vulnerability – Active IOCs

Severity

High

Analysis Summary

A newly discovered phishing campaign has set its sights on the Microsoft 365 accounts of important executives within U.S.-centered organizations. This malicious campaign abuses open redirects originating from the Indeed employment website, which is typically used for job listings. This campaign is facilitated by the use of the EvilProxy phishing service, which is adept at collecting session cookies that can be used to bypass multi-factor authentication systems. The primary targets of this campaign are high-level executives across various industries, including banking, manufacturing, real estate, finance, insurance, and property management. 

The redirection links they use are legitimate URLs that take the victim to a third-party site automatically. Open redirects are flaws within the website code that allow making redirections to arbitrary locations, which malicious users can leverage to direct the victim to a phishing page. Since the link is from a trusted party, it is easily able to bypass security and be promoted on search results. 

In this particular campaign, the attackers leverage an open redirect on indeed.com, a popular job listing website. Victims receive emails containing links from indeed.com that appear completely legitimate. However, when clicked, these links redirect users to a phishing site that displays a counterfeit Microsoft login page.

EvilProxy is a phishing-as-a-service platform used by several threat actors. It employs reverse proxies to facilitate communication and the exchange of user information between the target and the legitimate online service, such as Microsoft in this case. When users attempt to access their accounts via the phishing server, which mimics the genuine login page, hackers can steal authentication cookies. Since users have already completed multi-factor authentication during their login attempts, the acquired cookies provide threat actors with full access to the compromised accounts. 

The researchers have discovered several artifacts in order to make the connection to EvilProxy more viable. In August 2023, some other researchers also warned of another EvilProxy campaign where about 120,000 phishing emails were sent out to hundreds of organizations to target their employees’ Microsoft 365 accounts.

“There is a high probability that we can see a surge in the usage of ‘EvilProxy’. Firstly, it is easy to use with a simple interface with tutorials and documentation easily available on the dark web. The ability to circumvent MFA makes this a powerful tool in the arsenal for cybercriminals”, they conclude.

Impact

• Security Bypass
• Credential Phishing
• Bypassing Multi-Factor Authentication (MFA)
• Reputation Damage

Indicators of Compromise

Domain

• lmo.roxylvfuco.com.au
• lmo.bartmfil.com
• lmo.triperlid.com
• roxylvfuco.com.au
• earthscigrovp.com.au
• mscr.earthscigrovp.com.au
• vfuco.com.au
• catalogsumut.com
• ivonnesart.com
• sheridanwyolibrary.org

IP

• 199.204.248.121
• 193.239.85.29
• 206.189.190.128
• 116.90.49.27
• 85.187.128.19

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Emphasize the importance of verifying the legitimacy of emails, even if they appear to come from trusted sources.
• Implement advanced email filtering solutions that can detect and block phishing emails before they reach users’ inboxes.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Maintain daily backups of all computer networks and servers.
• Keep all software, operating systems, and applications up to date with the latest security patches.
• Continuously monitor network and system logs for unusual or suspicious activities.
• Deploy security information and event management (SIEM) solutions to centralize log analysis.
• Keep web browsers and browser extensions up to date to mitigate potential vulnerabilities that threat actors might exploit.
• Review and secure website code to prevent open redirect vulnerabilities. Ensure that user input is properly sanitized and validated to prevent abuse of redirection mechanisms.
• Implement robust multi-factor authentication (MFA) solutions, such as FIDO-based authentication to enhance account security.
• Verify the legitimacy of both source and target URLs instead of assuming their safety, and consider using session isolation solutions to protect against real-time zero-hour phishing attacks.