Phishing-as-a-Service Scam Allows Criminals to Bypass Multi-Factor Authentication

In September 2022, cybersecurity researchers discovered a toolkit for sale on the dark web that allows criminal hackers to bypass Multi-Factor Authentication (MFA) mechanisms and break into organizations’ systems. Phishing-as-a-Service platform Robin Banks is providing a cookie-stealing feature that cybercriminals can purchase as an add-on to phishing kits.

Research has found that the most popular phishing kit is EvilProxy, available for $1,500 monthly. This article will discuss the threat of EvilProxy, how to protect your business, and what to do in case of phishing email attacks.

What is EvilProxy and How Does it Work?

Phishing-as-a-Service (PaaS) uses a Software-as-a-Service business model to provide access to a phishing kit for a fee. The cybercriminals act as service providers, selling access to the tools and knowledge necessary for phishing email attacks. Organizations that fail to fine-tune existing defenses risk falling victim to this new Business Email Compromise (BEC) attack. These phishing attack types are particularly dangerous because:

  • EvilProxy bypasses most forms of MFA, which many organizations rely on as their primary defense against account takeovers and other indicators of compromise.
  • Current phishing campaigns are using previously compromised accounts to send out phishing email attacks, which means recipients are receiving convincing phishing messages from people they trust.
  • Phishing landing pages are more convincing than ever.
  • Specific industries and sectors are being heavily targeted – legal, insurance, estate agents, and financial services, though we expect this to expand over the coming years.

At this point, most EvilProxy attacks have not aimed to exfiltrate data or plant the seed for broader attacks but instead conduct payment fraud. EvilProxy is a dangerous Adversary-in-The-Middle (AiTM) attack framework offered as a cheap, easy-to-use service on the dark web for other cybercriminals. 

Threat actors use the phishing service to draft targeted spear phishing emails, including links to customized phishing websites that look like legitimate sign-in pages for services such as Google Workspace and Microsoft 365. These phishing websites then relay, or “proxy,” traffic between the user and the legitimate login site, which lets the threat actor sit in the middle of the MFA process and capture both user credentials and valid session cookies. Access to cookies will enable cybercriminals to continually log in to services such as Microsoft Exchange Online without the need to re-authenticate.

The discovery of EvilProxy came from a report that found that cybercriminals are combining phishing with AiTM techniques to bypass MFA. AiTM is a relatively new phishing attack that borrows techniques from Man-in-the-Middle (MitM) attacks.

Using the EvilProxy phishing toolkit, attackers can send DocuSign email scams that imitate regular messages in order to capture victims' credentials on a fraudulent Microsoft 365 email login page. Up to this point, the process is the same as a traditional phishing scam. The attack has a second layer, however: the attackers deploy a proxy server between the client and the real Microsoft server, which enables them to bypass MFA. When the victim provides their additional credentials, the real server returns a valid session cookie, and the attacker uses the proxy server to take control of the victim’s session. With these permissions, the attacker can set up MFA on the account without the original user being alerted, enabling them to log into the account later to monitor emails and other activity.

How Can I Protect My Business?

In the event of an EvilProxy phishing email attack, alerts are closed automatically, and the user’s status will be marked as “not at risk” again. To combat this type of phishing attack, you should consider the following email protection measures:


  • Prohibit obsolete protocols, including ActiveSync, which allow users to authenticate and manage their mailboxes while bypassing the MFA protection.
  • Configure conditional access rules with defined locations so access will be blocked when the request comes from a location that is not accepted.
  • Integrate your devices into an endpoint management solution and authorize authentication only from compliant endpoints.
  • Use a FIDO security key as a second factor of authentication. The communication will be interrupted if the domain name listed in the browser’s address bar does not match the expected domain used for the connection. Also, a FIDO security key never sends its credentials over the Internet.
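
The FIDO domain check described in the last bullet can be seen from the server side. The following is an added example, not code from the original article or from any vendor: it shows the origin and relying-party checks a sign-in server applies to a WebAuthn assertion, using constructed sample data and assumed names (`login.example.com`, `login.example.com.proxy.test`).

```python
import base64
import hashlib
import json

# Assumed values for illustration: the real sign-in origin and relying-party ID.
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID = "login.example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_sample(origin: str, rp_id: str, challenge: bytes):
    """Construct the two fields a browser and authenticator return (sample data)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP|UV = 0x05) || 4-byte signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return client_data, auth_data

def binding_problems(client_data_json: bytes, auth_data: bytes, challenge: bytes):
    """Return reasons to reject the assertion; an empty list means the binding holds.
    Verifying the signature over auth_data || SHA-256(client_data_json) is a separate step."""
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("unexpected type")
    if b64url_decode(client.get("challenge", "")) != challenge:
        problems.append("challenge mismatch")
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    return problems

CHALLENGE = b"constructed-challenge-0001"  # a real server issues a fresh random value
# Direct sign-in: the browser is on the real origin.
direct = build_sample(EXPECTED_ORIGIN, RP_ID, CHALLENGE)
# Sign-in relayed through a look-alike domain: the browser records the origin it is on.
proxied = build_sample("https://login.example.com.proxy.test",
                       "login.example.com.proxy.test", CHALLENGE)

if __name__ == "__main__":
    print("direct :", binding_problems(*direct, CHALLENGE))
    print("proxied:", binding_problems(*proxied, CHALLENGE))
```

Because the browser, not the user, writes the origin into the signed data, a relayed sign-in cannot produce an assertion the real server accepts.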

Email security training and awareness can greatly reduce the possibility of a successful phishing email attack. Phishing protection requires a safeguarded environment that is built around the user. This can be achieved through a comprehensive cloud email security software solution that identifies and blocks the most stealthy attack attempts in real time.

A fully integrated email security server that delivers total end-to-end control is critical to safeguard business emails from account takeovers. A practical solution must provide real-time advanced email threat and phishing protection while continuously adapting to a changing business and email security environment. 

How Should I Proceed In The Event of An Attack?

Password Reset and Session Revoke

If your organization falls victim to an EvilProxy phishing email attack, the first thing you should do is immediately reset the password for all compromised accounts. You should also remove user permissions and servers in whichever platform is being impacted to prevent the threat actor from reusing the hijacked session cookie to authenticate themselves and breach the system. 

Forensic Investigation

Compromised organizations should also conduct a more in-depth investigation of their platforms to assess the threat actor’s access scope. The inquiry should focus on a review of sign-in logs to determine whether the threat actor successfully authenticated the compromised account from unrecognized IP addresses.

Previously, threat actors utilizing the EvilProxy toolkit have used multiple unknown IP addresses to continue accessing compromised email addresses in the days following the initial breach. Because of this, organizations should look out for:

  • Unexpected changes to MFA configurations or recovery methods.
  • Suspicious inbox manipulation rules.
  • Creation of forwarding and redirection rules.
  • Unfamiliar sign-in/authentication properties.
  • Email messages containing malicious files are removed/deleted after delivery.
  • Emails from typo-squatted domains.
  • Evidence of stolen SessionIDs.
  • Abnormal activity from unusual IPs in the mail audit logs of compromised accounts. 
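
Several of these indicators can be checked together in one pass over the audit log. The following is an added example, not part of the original article: it flags a session ID that appears from a second IP address and MFA or mailbox-rule changes made from addresses outside a user's baseline. The event layout, operation names and addresses are constructed assumptions, not a specific product's log schema.

```python
from collections import defaultdict

# Constructed sample audit events: (time, user, source IP, session ID, operation).
# The field layout and operation names are assumptions, not a product's schema.
EVENTS = [
    ("2022-09-12T09:01:10Z", "alice@example.com", "198.51.100.7", "S-1001", "SignIn"),
    ("2022-09-12T09:01:40Z", "alice@example.com", "203.0.113.50", "S-1001", "MailAccess"),
    ("2022-09-12T09:03:05Z", "alice@example.com", "203.0.113.50", "S-1001", "MfaMethodAdded"),
    ("2022-09-12T09:04:30Z", "alice@example.com", "203.0.113.50", "S-1001", "InboxRuleCreated"),
    ("2022-09-12T10:15:00Z", "bob@example.com", "198.51.100.9", "S-2002", "SignIn"),
    ("2022-09-12T10:20:00Z", "bob@example.com", "198.51.100.9", "S-2002", "InboxRuleCreated"),
]
# Assumed baseline of addresses each user normally signs in from.
KNOWN_IPS = {"alice@example.com": {"198.51.100.7"}, "bob@example.com": {"198.51.100.9"}}
SENSITIVE_OPS = {"MfaMethodAdded", "InboxRuleCreated", "ForwardingRuleCreated"}

def triage(events, known_ips):
    """Return (finding, user, session, ip, time) tuples in chronological order."""
    findings = []
    ips_by_session = defaultdict(set)
    for time, user, ip, session, op in sorted(events):
        seen = ips_by_session[session]
        # One session ID appearing from a second address suggests a replayed cookie.
        if seen and ip not in seen:
            findings.append(("session-from-new-ip", user, session, ip, time))
        seen.add(ip)
        # MFA, inbox-rule or forwarding changes from outside the user's baseline.
        if op in SENSITIVE_OPS and ip not in known_ips.get(user, set()):
            findings.append((f"{op}-from-unknown-ip", user, session, ip, time))
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS, KNOWN_IPS):
        print(*finding)
```

A session that legitimately moves between networks (for example, office Wi-Fi to mobile data) will also trigger the first rule, so treat it as a lead to correlate with the second rule rather than as proof of compromise.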

Malware Scan

There is no indication that the threat actors have been deploying malware in their phishing campaigns. Still, organizations should scan the affected user devices for malware and replace their machines if there are indicators of compromise on the system.

Communications Company Suffers Data Breach Due to SMS Phishing Attack

Twilio is an American firm that provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service APIs. The organization has over 5,000 employees in 17 countries, and its revenue in 2021 was $2.84 billion.


In August 2022, Twilio became aware of unauthorized access to information related to a limited number of customer accounts. The attack used a sophisticated social engineering tactic designed to steal employee credentials. Employees would provide their personal information, allowing attackers to break into internal systems to access customer data.

Employees received spear-phishing emails impersonating the IT department. The content of the messages stated that their passwords had expired or their schedule had changed, urging them to log in to a URL the attacker controlled. This phishing attack tricks users by creating URLs with words like “Twilio,” “Okta,” and “SSO” which make the site appear safe before redirecting recipients to a landing page that impersonates Twilio’s sign-in page. The company did not disclose the number of affected employees and customers but did revoke access to the compromised accounts.

Keep Learning About Phishing Protection

Bypassing MFA is no easy venture, so your organization must be prepared in the event of an attack. Implementing a comprehensive cloud email security software system can help with advanced threat protection against targeted spear phishing emails, malware and ransomware.
