Phishing-as-a-Service Scam Allows Criminals to Bypass Multi-Factor Authentication

This past September, security researchers found a toolkit for sale on the dark web that lets criminals bypass multi-factor authentication (MFA) and break into organizations’ systems. It is not the only one: the Phishing-as-a-Service platform Robin Banks now offers a cookie-stealing feature that its customers can purchase as an add-on to the phishing kit.

Cybercriminals are constantly finding new ways to bypass security measures and steal sensitive information. One such method is phishing-as-a-service, where platforms offer a ready-made multi-factor authentication (MFA) bypass for just $1,500.

The kit in question is called EvilProxy and is currently advertised at $1,500 per month. This article discusses what Phishing as a Service is, the threat EvilProxy poses, how to protect your business, and what to do in the event of an attack.

What is Phishing as a Service (PaaS)?

Phishing as a Service (PaaS) is a cybercrime service that allows individuals or groups to carry out phishing attacks without the technical knowledge or infrastructure normally required. In the PaaS model, customers purchase access to phishing tools, page templates, and support services from a third-party provider. The goal is typically to steal sensitive information, such as login credentials or financial data, by tricking victims into revealing it through a phishing email or website. PaaS lowers the barrier to entry and so increases both the number and the sophistication of phishing attacks.

What is EvilProxy and How Does it Work?

EvilProxy is a phishing toolkit built around a reverse proxy. Instead of hosting a static copy of a login page, the attacker stands up a look-alike domain whose server forwards every request the victim makes to the genuine sign-in service and relays every response back. The victim therefore sees the real login flow, including the real MFA prompt, while the attacker’s server sees everything that passes through it.

Nothing is installed on the victim’s device: the “proxy” lives entirely on attacker-controlled infrastructure, and the victim reaches it by following a link in a phishing email. Because it sits in the middle of the exchange, the proxy can read the submitted credentials and, more importantly, the session cookie the service issues once MFA succeeds. It can also redirect the victim to other attacker-controlled pages designed to extract further sensitive information, such as financial details.

Phishing-as-a-Service (PaaS) follows the software-as-a-service business model: access to a phishing kit in exchange for a fee. The cybercriminals behind it act as service providers, selling the tools and knowledge needed to carry out a phishing attack. Organizations that fail to fine-tune their existing defenses risk falling victim to this new Business Email Compromise (BEC) attack, which is particularly dangerous because:

  • EvilProxy bypasses most forms of MFA (one-time codes, SMS codes and push approvals), which many organizations rely on as their primary defense against account compromise; only origin-bound, phishing-resistant methods such as FIDO security keys withstand it
  • Current campaigns are using previously compromised accounts to send out further phishing emails, which means recipients are receiving convincing phishing emails from people they trust
  • Phishing landing pages are more convincing than ever
  • Certain industries and sectors are being heavily targeted – legal, insurance, estate agents and financial services, though we expect this to expand over the coming weeks

EvilProxy is an adversary-in-the-middle (AiTM) attack framework offered as a cheap, easy-to-use service on the dark web for other cybercriminals. So far, the majority of EvilProxy attacks have not aimed to exfiltrate data or lay the groundwork for broader intrusions, but to commit payment fraud.

Threat actors use the phishing service to draft targeted phishing emails including links to customized phishing websites. These sites are designed to look like legitimate sign-in pages for services such as Google Workspace and Microsoft 365.

These phishing websites then relay, or “proxy”, traffic between the user and the legitimate login site. This lets the threat actor capture the user’s credentials and a valid session cookie, effectively sitting in the middle of the MFA exchange. Holding a valid session cookie also lets the attacker keep logging in to services such as Microsoft Exchange Online without ever being asked to re-authenticate, until that session is revoked or expires.

The discovery of EvilProxy came from a report that found cybercriminals combining phishing with AiTM techniques to bypass MFA. AiTM is a relatively new form of phishing that borrows techniques from Man-in-the-Middle (MitM) attacks: rather than intercepting traffic on the network, the attacker lures the victim into connecting to a proxy the attacker controls.

Using the EvilProxy toolkit, attackers send emails that imitate a legitimate DocuSign notification and lead to a fraudulent Microsoft 365 login page that captures the victim’s credentials. Up to that point this is the same process as a traditional phishing scam, but the attack has a second layer: the attackers deploy a proxy server that sits between the victim’s browser and the real Microsoft server, and this is what enables the MFA bypass. When the victim completes the MFA challenge, Microsoft issues a valid session cookie; because the response passes through the proxy, the attacker obtains that cookie and uses it to take over the victim’s session. With that access, the attacker can register an additional MFA method on the account for themselves without the original user being alerted, allowing them to log in later to monitor email and other activity.

How to Protect Your Business

In an EvilProxy attack the victim genuinely completes MFA, so risk-based alerts raised on the sign-in may be closed automatically and the user’s status marked “not at risk” again. Defenses therefore cannot rely on the MFA prompt itself; consider the following protection measures instead:

  • Block legacy authentication protocols, including Exchange ActiveSync with basic authentication, which let a client authenticate to a mailbox with only a username and password and so sidestep MFA entirely.
  • Configure conditional access rules with named locations, so that access is blocked when the request comes from a location that is not accepted. This works against AiTM because the identity provider sees the proxy’s IP address, not the victim’s.
  • Enroll your devices in an endpoint management solution and allow authentication only from compliant endpoints; the proxy cannot present a managed device’s identity.
  • Use a FIDO security key as the second factor. The key’s response is bound to the origin shown in the browser’s address bar, so if that domain does not match the one the credential was registered for, the signature does not verify and the login fails. A FIDO security key also never sends its private key over the Internet.
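
The relay described above, and the reason the FIDO key in the last bullet survives it, as an added illustration that is not the article’s code and not EvilProxy itself. It models the exchange with in-memory objects so it runs offline: the victim’s browser talks to a look-alike proxy origin, the proxy forwards everything to the real identity provider and keeps the session cookie that comes back. Every hostname, account and secret below is made up, and the security key is reduced to an HMAC over (challenge, origin) so the origin binding can be shown without a real WebAuthn library.

```python
"""Toy model of an AiTM phishing proxy against OTP MFA versus an origin-bound
FIDO assertion. Constructed example; all names and secrets are fictitious."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

LEGIT_ORIGIN = "https://login.example.com"   # assumed real sign-in origin
PHISH_ORIGIN = "https://login-example.com"   # assumed look-alike proxy origin


def fido_sign(key_secret, challenge, browser_origin):
    """Model of a security key: the browser, not the user, supplies the origin."""
    mac = hmac.new(key_secret.encode(), f"{challenge}|{browser_origin}".encode(), "sha256")
    return (challenge, browser_origin, mac.hexdigest())


@dataclass
class IdentityProvider:
    """Minimal stand-in for the legitimate sign-in service."""
    passwords: dict
    otp_seeds: dict
    fido_keys: dict                                  # stands in for registered public keys
    sessions: dict = field(default_factory=dict)     # cookie -> user

    def current_otp(self, user):
        # Stand-in for a TOTP code: depends only on the seed, so a proxy can relay it unchanged.
        return hashlib.sha256(self.otp_seeds[user].encode()).hexdigest()[:6]

    def login_with_otp(self, user, password, otp):
        if self.passwords.get(user) != password or self.current_otp(user) != otp:
            return None
        return self._issue_session(user)

    def login_with_fido(self, user, password, assertion):
        # The assertion is signed over the origin the browser saw; the server
        # only accepts a signature over its own origin.
        if self.passwords.get(user) != password:
            return None
        challenge, origin, signature = assertion
        expected = fido_sign(self.fido_keys[user], challenge, origin)[2]
        if origin != LEGIT_ORIGIN or not hmac.compare_digest(signature, expected):
            return None
        return self._issue_session(user)

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)


@dataclass
class AitmProxy:
    """The phishing site: relays submissions to the real IdP and keeps a copy
    of the credentials and of any session cookie the IdP issues."""
    idp: IdentityProvider
    loot: dict = field(default_factory=dict)

    def relay_otp(self, user, password, otp):
        cookie = self.idp.login_with_otp(user, password, otp)
        self.loot.update(user=user, password=password, otp=otp, cookie=cookie)
        return cookie          # handed back to the victim, who is now logged in normally

    def relay_fido(self, user, password, assertion):
        cookie = self.idp.login_with_fido(user, password, assertion)
        self.loot.update(user=user, password=password, cookie=cookie)
        return cookie


def new_idp():
    return IdentityProvider(passwords={"alice": "hunter2"},
                            otp_seeds={"alice": "otp-seed"},
                            fido_keys={"alice": "key-seed"})


def otp_through_proxy():
    """Password + one-time code relayed through the proxy: the attacker ends
    up holding a cookie the real service accepts as the victim."""
    idp = new_idp()
    proxy = AitmProxy(idp)
    victim_cookie = proxy.relay_otp("alice", "hunter2", idp.current_otp("alice"))
    return idp.whoami(victim_cookie), idp.whoami(proxy.loot["cookie"])


def fido_through_proxy():
    """Same relay with a security key: the browser is on the phishing origin,
    so the assertion names PHISH_ORIGIN and the real service rejects it.
    The password still leaks, so it must still be reset."""
    idp = new_idp()
    proxy = AitmProxy(idp)
    assertion = fido_sign("key-seed", secrets.token_hex(8), PHISH_ORIGIN)
    victim_cookie = proxy.relay_fido("alice", "hunter2", assertion)
    return victim_cookie, proxy.loot["cookie"], proxy.loot["password"]


def fido_direct():
    """Control: the same key used directly on the real origin signs in normally."""
    idp = new_idp()
    assertion = fido_sign("key-seed", secrets.token_hex(8), LEGIT_ORIGIN)
    return idp.whoami(idp.login_with_fido("alice", "hunter2", assertion))
```

Run `otp_through_proxy()` and both the victim and the attacker’s captured cookie resolve to `alice`; run `fido_through_proxy()` and neither side gets a session, because the key signed the proxy’s origin rather than the real one. Note that the password is captured in both cases, which is why a reset is still part of the response even where FIDO blocked the session theft.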

User education reduces the likelihood of a successful phishing attack, but it cannot be the only control, since an AiTM page looks and behaves like the real one. Phishing protection requires a safeguarded environment built around the user, which can be achieved through a comprehensive, intuitive email security solution capable of identifying and blocking the most stealthy attack attempts in real time.

To effectively safeguard business email accounts, a fully integrated email security solution that delivers total end-to-end control is critical. An effective solution must provide real-time protection against phishing and other advanced email threats, while continuously adapting to a changing business and security environment. Key features and functionalities of the ideal security strategy include:

  • Spoofing and impersonation protection
  • Malware and ransomware protection
  • Zero-day attack protection
  • Multi-layered design powered by open-source technology - the same technology that powers the Internet itself
  • Dynamic link and file analysis
  • Real-time, human-supervised machine-learning classification that draws on relevant information, past results, and analyst feedback to reach a practical verdict
  • Works with clients to understand their requirements and build a protection plan for them specifically
  • SPF, DKIM and DMARC checking
  • End-to-end encryption
  • Comprehensive management and support services

In The Event of An Attack

Password Reset and Session Revoke

If your organization falls victim to an EvilProxy phishing attack, the first thing to do is immediately reset the password for every compromised account. Then revoke the users’ sessions in Microsoft 365, or whichever platform is affected, across all devices; this invalidates the hijacked session cookie so the threat actor cannot reuse it to authenticate into the estate. Also review the account’s registered MFA methods and recovery options and remove any the user does not recognize, since the attacker may have added their own.

Forensic Investigation

Compromised organizations should also conduct a more in-depth investigation of their platforms to assess the scope of the threat actor’s access. The investigation should focus on a review of sign-in logs to determine whether the threat actor successfully authenticated to the compromised user account from unrecognized IP addresses.

In past incidents, threat actors using the EvilProxy toolkit have used multiple unknown IP addresses to continue accessing user accounts in the days following the initial compromise. Because of this, organizations should look out for:

  • Unexpected changes to MFA configurations or recovery methods.
  • Suspicious inbox manipulation rules.
  • Creation of forwarding and redirecting rules.
  • Unfamiliar sign-in/authentication properties.
  • Email messages containing malicious files removed/deleted after delivery.
  • Emails from typo-squatted domains.
  • Evidence of stolen session IDs, such as the same session token being presented from more than one IP address or client.
  • Abnormal activity from unusual IPs in the mail audit logs of compromised accounts. 
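
A small triage script that runs the indicators above over constructed log records, as an added example that is not from the original article. The field names are assumptions that only approximate Microsoft 365 sign-in and mailbox audit events, and the sample records, office IP range and addresses are made up; adapt the field names to the export format you actually have.

```python
"""Triage of constructed sign-in and mailbox-audit records for AiTM indicators:
session reuse across IPs, sign-ins from unknown ranges, exfiltrating inbox
rules and MFA method changes. Field names are simplified assumptions."""
import ipaddress
from collections import defaultdict

# Constructed: 203.0.113.0/24 stands in for the known office range.
KNOWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sign-in records. The second line shows the same session cookie
# presented minutes later from an unrelated IP and browser: the trace a
# replayed, proxy-stolen cookie leaves behind.
SIGN_INS = [
    {"time": "2022-09-05T08:01:00Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "session_id": "sess-A1", "user_agent": "Edge/105"},
    {"time": "2022-09-05T08:03:00Z", "user": "alice@example.com", "ip": "198.51.100.7",
     "session_id": "sess-A1", "user_agent": "Chrome/105"},
    {"time": "2022-09-05T09:15:00Z", "user": "bob@example.com", "ip": "203.0.113.22",
     "session_id": "sess-B1", "user_agent": "Edge/105"},
]

# Constructed audit records: a forwarding-and-delete rule plus a new MFA method
# from the unknown IP, and a benign move-to-folder rule for comparison.
MAILBOX_AUDIT = [
    {"time": "2022-09-05T08:05:00Z", "user": "alice@example.com", "ip": "198.51.100.7",
     "operation": "New-InboxRule",
     "parameters": {"Name": ".", "ForwardTo": "billing@example.net", "DeleteMessage": True}},
    {"time": "2022-09-05T08:06:00Z", "user": "alice@example.com", "ip": "198.51.100.7",
     "operation": "Update user", "parameters": {"StrongAuthenticationMethod": "added"}},
    {"time": "2022-09-05T09:20:00Z", "user": "bob@example.com", "ip": "203.0.113.22",
     "operation": "New-InboxRule",
     "parameters": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]

# Inbox-rule parameters that move mail out of the victim's sight or off-tenant.
RULE_EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}


def is_known_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETS)


def sessions_seen_from_multiple_ips(sign_ins):
    """Session IDs presented from more than one source IP, i.e. a cookie replayed elsewhere."""
    by_session = defaultdict(set)
    for ev in sign_ins:
        by_session[ev["session_id"]].add(ev["ip"])
    return {sid: sorted(ips) for sid, ips in by_session.items() if len(ips) > 1}


def sign_ins_from_unknown_ips(sign_ins):
    return [ev for ev in sign_ins if not is_known_ip(ev["ip"])]


def suspicious_mailbox_operations(audit):
    """Rules that forward, redirect or delete mail, and MFA method changes;
    flagged harder when they originate outside the known ranges."""
    findings = []
    for ev in audit:
        params = ev.get("parameters", {})
        reasons = []
        if ev["operation"].endswith("InboxRule") and RULE_EXFIL_PARAMS & set(params):
            reasons.append("inbox rule forwards/redirects/deletes mail")
        if "StrongAuthenticationMethod" in params:
            reasons.append("MFA method changed")
        if reasons and not is_known_ip(ev["ip"]):
            reasons.append("from unknown IP")
        if reasons:
            findings.append({"user": ev["user"], "time": ev["time"],
                             "operation": ev["operation"], "reasons": reasons})
    return findings


def accounts_to_contain(sign_ins, audit):
    """Users with any indicator above: these get the password reset and session revoke first."""
    users = set()
    for ev in sign_ins_from_unknown_ips(sign_ins):
        users.add(ev["user"])
    reused = sessions_seen_from_multiple_ips(sign_ins)
    users.update(ev["user"] for ev in sign_ins if ev["session_id"] in reused)
    users.update(f["user"] for f in suspicious_mailbox_operations(audit))
    return sorted(users)


if __name__ == "__main__":
    print("sessions reused across IPs:", sessions_seen_from_multiple_ips(SIGN_INS))
    for f in suspicious_mailbox_operations(MAILBOX_AUDIT):
        print(f)
    print("contain first:", accounts_to_contain(SIGN_INS, MAILBOX_AUDIT))
```

On the sample data the script ties the reused session, the unknown source IP, the forward-and-delete rule and the new MFA method to the same account within a few minutes, which is the cluster worth treating as a confirmed AiTM compromise rather than four separate low-severity alerts.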

Malware Scan

There is no indication that the threat actors have been deploying malware as part of these campaigns, but it remains possible. For good measure, organizations should scan the affected users’ devices for malware and rebuild or replace any machine found to be compromised.

Communications Company Suffers Data Breach in SMS Phishing Attack

Twilio is an American firm that provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions through its web service APIs. The organization has more than 5,000 employees in 17 countries, and its revenue in 2021 was $2.84 billion.

In August of 2022, Twilio became aware of unauthorized access to information related to a limited number of customer accounts. The attack used a sophisticated social engineering tactic designed to steal employee credentials that unfortunately succeeded in deceiving some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some internal systems, where they were able to access certain customer data.

Employees received text messages impersonating the IT department. The messages claimed that their passwords had expired or that their schedule had changed, and urged them to log in at an attacker-controlled URL. The URLs contained words like “Twilio,” “Okta,” and “SSO” to entice users into clicking a link that led to a landing page impersonating Twilio’s sign-in page. The company did not disclose the number of affected employees and customers, but did revoke access to the compromised employee accounts.

Keep Learning

As EvilProxy shows, MFA on its own no longer stops a determined phisher, so it is imperative that your organization is prepared in the event of an attack. Implementing a comprehensive email security system can help prevent advanced threats such as targeted spear phishing and ransomware.
