Phishing-as-a-Service Scam Allows Criminals to Bypass Multi-Factor Authentication

This past September, cybersecurity researchers discovered a toolkit for sale on the dark web that allows criminal hackers to bypass multi-factor authentication (MFA) mechanisms and break into organizations’ systems. Phishing-as-a-Service platform Robin Banks is providing a cookie-stealing feature that cybercriminals can purchase as an add-on to the phishing kit.

Research has found that the phishing kit is called EvilProxy and is now available for $1,500 monthly. This article will discuss the threat of EvilProxy, how to protect your business, and what to do in case of an attack.

What is EvilProxy and How Does it Work?

Phishing-as-a-service (PaaS) uses a software-as-a-service business model providing access to a phishing kit for a fee. Cybercriminals are service providers selling access to the tools and knowledge necessary for a phishing attack. Organizations that fail to fine-tune existing defenses risk falling victim to this new Business Email Compromise (BEC) attack. This attack is particularly dangerous because:

  • EvilProxy bypasses most forms of MFA, which many organizations rely on as their primary defense against account compromise.
  • Current campaigns are using previously compromised accounts to send out further phishing emails, which means recipients are receiving convincing phishing emails from people they trust.
  • Phishing landing pages are more convincing than ever.
  • Specific industries and sectors are being heavily targeted – legal, insurance, estate agents, and financial services, though we expect this to expand over the coming weeks.

At this point, most EvilProxy attacks have not aimed to exfiltrate data or plant the seed for broader attacks but instead conduct payment fraud. EvilProxy is a dangerous adversary-in-the-middle (AiTM) attack framework offered as a cheap, easy-to-use service on the dark web for other cybercriminals.

Threat actors use the phishing service to draft targeted emails, including links to customized phishing websites. These sites are designed to look like legitimate sign-in pages for services such as Google Workspace and Microsoft 365.

These phishing websites then redirect – or ‘proxy’ – traffic from the user to legitimate login sites. This allows the threat actor to compromise user credentials and valid session cookies and effectively sit in the middle of the MFA process. Access to valid session cookies will also enable them to continually log in to services such as Microsoft Exchange Online without the need to re-authenticate.

The discovery of EvilProxy came from a report that found that cybercriminals are combining phishing with AiTM (adversary-in-the-middle) techniques to bypass MFA. AiTM is a relatively new type of phishing that borrows techniques from Man-in-the-Middle (MitM) attacks.

Using the EvilProxy phishing toolkit, attackers can send emails that imitate a legitimate DocuSign email and capture the victim’s credentials on a fraudulent Microsoft 365 login page. This is the same process as a traditional phishing scam, but the attack has a second layer: the attackers deploy a proxy server between the client and the real Microsoft server. This is what enables the attacker to bypass MFA. When the victim is asked to provide their additional credentials, the real server returns a valid session cookie, and the attacker uses the proxy server to take control of the victim’s session. With these permissions, the attacker can set up MFA on the account without the original user being alerted, enabling them to log in at will later to monitor emails and other activity.

How Can I Protect My Business?

In the event of an EvilProxy phishing attack, alerts are closed automatically, and the user’s status will be marked as “not at risk” again. To combat this type of attack, you should consider the following protection measures:

  • Prohibit obsolete protocols, including ActiveSync, which lets users authenticate and manage their mailboxes while sidestepping MFA protection.
  • Configure conditional access rules with defined locations. The access will be blocked when the request comes from a location that is not accepted.​
  • Integrate your devices into an endpoint management solution and authorize authentication only from compliant endpoints.
  • Use a FIDO security key as a second factor of authentication. The communication will be interrupted if the domain name listed in the browser’s address bar does not match the expected domain used for the connection. Also, a FIDO security key never sends its credentials over the Internet.
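As an added illustration of why the FIDO check in the last bullet defeats a reverse proxy, here is the relying-party-side verification of a WebAuthn assertion’s clientDataJSON and rpIdHash. This is example code written for this page, not from the original article or any vendor; the origin, RP ID, challenge and the constructed client data are assumptions.

```python
import base64
import hashlib
import json

# Assumed relying-party configuration (constructed for this example).
EXPECTED_ORIGIN = "https://login.example.com"
EXPECTED_RP_ID = "login.example.com"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn clients emit."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def check_assertion(client_data_b64: str, authenticator_data: bytes,
                    expected_challenge: str) -> tuple:
    """Binding checks a relying party performs before it even looks at
    the signature. Returns (ok, reason)."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    # The browser records the origin it is actually talking to. A proxy
    # page served from a look-alike domain cannot forge this field, and
    # the key's signature covers it, so a relayed login fails here.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    # First 32 bytes of authenticatorData are SHA-256 of the RP ID the
    # authenticator was asked for; it must be ours, not the proxy's.
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def make_client_data(origin: str, challenge: str) -> str:
    """Build the clientDataJSON a browser would produce (constructed)."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")


CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed server challenge
# rpIdHash + flags byte (UP|UV) + 4-byte sign counter, constructed.
GOOD_AUTH_DATA = hashlib.sha256(EXPECTED_RP_ID.encode()).digest() + b"\x05\x00\x00\x00\x01"

if __name__ == "__main__":
    direct = check_assertion(make_client_data(EXPECTED_ORIGIN, CHALLENGE), GOOD_AUTH_DATA, CHALLENGE)
    proxied = check_assertion(make_client_data("https://login-example.com.evil.test", CHALLENGE),
                              GOOD_AUTH_DATA, CHALLENGE)
    print("direct:", direct, "\nproxied:", proxied)
```

In practice the authenticator would not even produce an assertion for the proxy domain, because the credential is scoped to the real RP ID; the origin check shown here is the server-side backstop.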

User education can reduce the possibility of a successful phishing attack. Phishing protection requires a safeguarded environment that is built around the user. This can be achieved through a comprehensive email security solution that identifies and blocks the most stealthy attack attempts in real-time.

A fully-integrated email security solution that delivers total end-to-end control is critical to safeguard business email accounts. A practical solution must provide real-time protection against phishing and other advanced email threats while continuously adapting to a changing business and security environment.

How Should I Proceed In The Event of An Attack?

Password Reset and Session Revoke

If your organization falls victim to an EvilProxy phishing attack, the first thing you should do is immediately reset the password for all compromised accounts. You should also revoke the users’ sessions in Microsoft 365 or whichever platform is affected across all devices. This will prevent the threat actor from reusing the hijacked session cookie to authenticate into the estate.

Forensic Investigation

Compromised organizations should also conduct a more in-depth investigation of their platforms to assess the threat actor’s access scope. The inquiry should focus on a review of sign-in logs to determine whether the threat actor successfully authenticated to the compromised user account from unrecognized IP addresses.

Previously, threat actors utilizing the EvilProxy toolkit have used multiple unknown IP addresses to continue accessing user accounts in the days following the initial compromise. Because of this, organizations should look out for:

  • Unexpected changes to MFA configurations or recovery methods.
  • Suspicious inbox manipulation rules.
  • Creation of forwarding and redirecting practices.
  • Unfamiliar sign-in/authentication properties.
  • Email messages containing malicious files that are removed or deleted after delivery.
  • Emails from typo-squatted domains.
  • Evidence of stolen session IDs.
  • Abnormal activity from unusual IPs in the mail audit logs of compromised accounts.
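To make the review above concrete, the following added example (written for this page, not part of the original article) triages a small set of constructed JSON-lines audit records against a per-user IP baseline and flags the indicators listed: successful sign-ins from unrecognized IPs, MFA or recovery-method changes, suspicious inbox rules, and forwarding. The record schema, event names, IPs and baseline are assumptions.

```python
import json

# Constructed sample audit export (not real logs): one event per line.
SAMPLE_LOG = """
{"ts":"2022-09-12T08:01:00Z","user":"alice@example.com","event":"SignIn","ip":"203.0.113.10","status":"Success"}
{"ts":"2022-09-12T08:03:00Z","user":"alice@example.com","event":"SignIn","ip":"198.51.100.77","status":"Success"}
{"ts":"2022-09-12T08:05:00Z","user":"alice@example.com","event":"UserRegisteredSecurityInfo","ip":"198.51.100.77"}
{"ts":"2022-09-12T08:06:00Z","user":"alice@example.com","event":"New-InboxRule","ip":"198.51.100.77","rule":{"Name":".","DeleteMessage":true,"SubjectContainsWords":["invoice"]}}
{"ts":"2022-09-12T08:07:00Z","user":"alice@example.com","event":"Set-Mailbox","ip":"198.51.100.77","ForwardingSmtpAddress":"smtp:drop@attacker.test"}
{"ts":"2022-09-12T09:00:00Z","user":"bob@example.com","event":"SignIn","ip":"203.0.113.11","status":"Success"}
"""

# Assumed per-user baseline: IPs seen before the incident window.
BASELINE_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.11"}}

# Rule parameters that hide or divert mail; very short rule names are a classic tell.
RISKY_RULE_KEYS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "MoveToFolder"}


def triage(log_text, baseline):
    """Return (user, timestamp, reason) findings in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        user, ip, kind = ev["user"], ev.get("ip"), ev["event"]
        unknown_ip = ip is not None and ip not in baseline.get(user, set())
        if kind == "SignIn" and ev.get("status") == "Success" and unknown_ip:
            findings.append((user, ev["ts"], f"successful sign-in from unrecognized IP {ip}"))
        elif kind == "UserRegisteredSecurityInfo":
            findings.append((user, ev["ts"], f"MFA/recovery method changed from {ip}"))
        elif kind == "New-InboxRule":
            rule = ev.get("rule", {})
            risky = sorted(k for k in rule if k in RISKY_RULE_KEYS and rule[k])
            if risky or len(rule.get("Name", "")) <= 2:
                findings.append((user, ev["ts"],
                                 f"suspicious inbox rule {rule.get('Name')!r} ({', '.join(risky)})"))
        elif kind == "Set-Mailbox" and ev.get("ForwardingSmtpAddress"):
            findings.append((user, ev["ts"], f"external forwarding set to {ev['ForwardingSmtpAddress']}"))
    return findings


if __name__ == "__main__":
    for user, ts, reason in triage(SAMPLE_LOG, BASELINE_IPS):
        print(ts, user, reason)
```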

Malware Scan

There is no indication that the threat actors have been deploying malware in their campaigns. However, this may be possible. Organizations should scan the affected user devices for malware and replace their machines if they have been compromised.

Communications Company Suffers Data Breach Due to SMS Phishing Attack

Twilio is an American firm that provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service APIs. The organization has over 5,000 employees in 17 countries, and its revenues in 2021 were $2.84 billion.

In August of 2022, Twilio became aware of unauthorized access to information related to a limited number of customer accounts. The attack used a sophisticated social engineering tactic designed to steal employee credentials that unfortunately succeeded in deceiving some employees into providing their credentials. The attackers then used the stolen credentials to access some internal systems, where they could access specific customer data.

Employees received phishing messages impersonating the IT department. The content of the messages stated that their passwords had expired or that their schedule had changed and urged them to log in at an attacker-controlled URL. The URLs in the messages included words like “Twilio,” “Okta,” and “SSO” in an attempt to trick users into clicking on a link, redirecting them to a landing page that impersonated Twilio’s sign-in page. The company did not disclose the number of affected employees and customers but did revoke access to the compromised employee accounts.

Keep Learning About Phishing Protection

Bypassing MFA is no easy venture, so your organization must be prepared in the event of an attack. Implementing a comprehensive email security system can help prevent advanced threats, such as targeted spear phishing and ransomware.
