Hundreds of executives are falling for Microsoft 365 phishing attacks: Report

Threat actors are having recent success defeating multifactor authentication-protected Microsoft 365 cloud accounts using the EvilProxy phishing kit, say researchers at Proofpoint.

Since early March, they’ve seen an ongoing hybrid campaign using EvilProxy to target thousands of Microsoft 365 user accounts, particularly those of C-level and senior executives of major companies. In fact, the attackers ignore the successful compromise of accounts of persons they deem of lower value unless they have access to financial or sensitive corporate information.

Among the hundreds of compromised users, Proofpoint says, approximately 39 per cent were C-level executives, of whom 17 per cent were chief financial officers, and nine per cent were presidents and CEOs.

Once a targeted user has provided their credentials, attackers were able to log into their Microsoft 365 account within seconds, say the researchers, suggesting a streamlined and automated process.

“This campaign’s overall spread is impressive, with approximately 120,000 phishing emails sent to hundreds of targeted organizations across the globe between March and June,” the researchers said in a blog this week.

During the phishing stage the attackers use the following techniques:

    • Brand impersonation. Sender addresses impersonated trusted services and apps, such as Concur Solutions, DocuSign and Adobe.
    • Scan blocking. Attackers utilized protection against cyber security scanning bots, making it harder for security solutions to analyze their malicious web pages.
    • Multi-step infection chain. Attackers redirected traffic via open legitimate redirectors, including YouTube, followed by additional steps such as malicious cookies and 404 redirects.

Initially, phishing messages impersonated known trusted services, such as the business expense management system Concur, DocuSign and Adobe. Using spoofed email addresses, these emails contained links to malicious Microsoft 365 phishing websites. Eventually, after several redirection transitions, the user is sent to an EvilProxy phishing framework. The landing page functions as a reverse proxy, mimicking recipient branding and attempting to handle third-party identity providers. If needed, these pages may request MFA credentials to facilitate a real, successful authentication on behalf of the victim – thus also validating the gathered credentials as legitimate.

In the next waves of this campaign, in order to prevent detection by security solutions and to entice the user to click the links, attackers employ redirect links on reputable websites such as YouTube and SlickDeals.

Once attackers accessed a victim’s account, they cemented their foothold within the impacted organization’s cloud environment, often by leveraging a native Microsoft 365 application to execute MFA manipulation. They do it by adding their own multi-factor authentication method.

Proofpoint says IT and infosec pros need to take a number of steps to block this kind of attack, including effective business email compromise prevention solutions. In addition, they need to have solutions or processes to identify account takeover and unauthorized access to sensitive resources. In some cases, certain staff should be required to have FIDO-based physical security keys to protect login access. And employee security awareness training needs to be beefed up.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs