EvilProxy uses indeed.com open redirect for Microsoft 365 phishing

[Jakesu]

You do not have permission to view link Log in or register now.

A recently uncovered phishing campaign is targeting Microsoft 365 accounts of key executives in U.S.-based organizations by abusing open redirects from the Indeed employment website for job listings.

The threat actor is using the EvilProxy phishing service that can collect session cookies, which can be used to bypass multi-factor authentication (MFA) mechanisms.

Researchers at Menlo Security report that the targets of this phishing campaign are executives and high-ranking employees from various industries, including electronic manufacturing, banking and finance, real estate, insurance, and property management.

You do not have permission to view link Log in or register now.

Campaign targets

Redirects are legitimate URLs that take visitors automatically to another online location, typically a third-party website.

Open redirects are weaknesses in the website code that allow creating redirections to arbitrary locations, which threat actors have used to direct to a phishing page.

You do not have permission to view link Log in or register now.

Open redirect example

Because the link comes from a trustworthy party, it can bypass email security measures or be promoted on search results without raising suspicion.

In the campaign that Menlo Security discovered, threat actors leverage an open redirect on indeed.com, the American site for job listings.

Redirect chain

The targets receive emails with an indeed.com link that looks legitimate. When accessed, the URL takes the user to a phishing site acting as a reverse proxy for Microsoft’s login page.

You do not have permission to view link Log in or register now.

Phishing page used in the campaign

EvilProxy is a phishing-as-a-service platform that uses reverse proxies to facilitate communication and relay user details between the target and the genuine online service, Microsoft in this case.

When the user accesses their account via this phishing server, which mimics the authentic login page, the threat actor can capture the authentication cookies.

Because users have already completed the required MFA (multi-factor authentication) steps during login, the acquired cookies give cybercriminals full access to the victim account.

You do not have permission to view link Log in or register now.

Overview of the attack

Menlo has recovered several artifacts from the attack that make attribution to EvilProxy more confident, such as:

• Nginx server hosting
• Specific URI paths previously linked to the service
• Requirement for proxy authentication
• Presence of 444 status code in the server response
• Presence of IDS signatures designed for recognizing EvliProxy uri content
• Usage of FingerprintJS library for browser fingerprinting
• Usage of specific POST requests that contain victim emails in base64-encoded form

In August 2023, Proofpoint warned of another EvilProxy campaign, which distributed approximately 120,000 phishing emails to hundreds of organizations, targeting their employees’ Microsoft 365 accounts.

Unfortunately, the use of reverse proxy kits for phishing is growing and combining them with open redirects increases the success of a campaign.