A recently uncovered phishing campaign is targeting Microsoft 365 accounts of key executives in U.S.-based organizations by abusing open redirects from the Indeed employment website for job listings.
The threat actor is using the EvilProxy phishing service that can collect session cookies, which can be used to bypass multi-factor authentication (MFA) mechanisms.
Researchers at Menlo Security report that the targets of this phishing campaign are executives and high-ranking employees from various industries, including electronic manufacturing, banking and finance, real estate, insurance, and property management.
[Image: Campaign targets]
Open redirects are weaknesses in a website's code that let anyone craft a link on that site which forwards the visitor to an arbitrary location; threat actors abuse them to send victims to a phishing page under a trusted domain name.
[Image: Open redirect example]
In the campaign that Menlo Security discovered, threat actors leverage an open redirect on indeed.com, the American site for job listings.
[Image: Redirect chain]
[Image: Phishing page used in the campaign]
When the user accesses their account via this phishing server, which mimics the authentic login page, the threat actor can capture the authentication cookies.
Because users have already completed the required MFA (multi-factor authentication) steps during login, the acquired cookies give cybercriminals full access to the victim account.
[Image: Overview of the attack]
The following characteristics can help identify EvilProxy infrastructure:
- Nginx server hosting
- Specific URI paths previously linked to the service
- Requirement for proxy authentication
- Presence of 444 status code in the server response
- Presence of IDS signatures designed for recognizing EvilProxy URI content
- Usage of FingerprintJS library for browser fingerprinting
- Usage of specific POST requests that contain victim emails in base64-encoded form
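As an added illustration of how some of the indicators above can be turned into detection logic (example code, not from the article or from Menlo Security), this Python script scans a few constructed web-proxy records for a 444 response, a FingerprintJS reference and a base64-encoded e-mail address in a POST body; the record format and hostnames are assumptions.

```python
import base64
import binascii
import re

# Patterns derived from the indicator list: base64-looking tokens,
# e-mail addresses, and references to the FingerprintJS library.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
FINGERPRINTJS = re.compile(r"fingerprintjs", re.IGNORECASE)


def find_encoded_emails(text):
    """Return e-mail addresses hidden inside base64 tokens of `text`."""
    found = []
    for token in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue  # long alphanumeric run that is not valid base64
        found.extend(EMAIL.findall(decoded))
    return found


def indicators_for(event):
    """Return the indicator names matched by one proxy record."""
    hits = []
    if event["status"] == 444:
        hits.append("status_444")  # nginx 'close connection without response'
    if FINGERPRINTJS.search(event["url"]) or FINGERPRINTJS.search(event["body"]):
        hits.append("fingerprintjs")
    if event["method"] == "POST" and find_encoded_emails(event["body"]):
        hits.append("b64_email_in_post")
    return hits


def scan_events(events):
    """Return (url, indicators) for each record matching at least one indicator."""
    return [(ev["url"], indicators_for(ev)) for ev in events if indicators_for(ev)]


# Constructed sample records (hypothetical hosts; not taken from the article).
SAMPLE_EVENTS = [
    {"method": "GET", "url": "https://example.test/", "status": 200, "body": "<html>home</html>"},
    {"method": "GET", "url": "https://login.example.test/js/fp.min.js", "status": 200,
     "body": "/* FingerprintJS v3 */ var FingerprintJS = {}"},
    {"method": "POST", "url": "https://login.example.test/step", "status": 200,
     "body": "user=" + base64.b64encode(b"ceo@victim.test").decode()},
    {"method": "GET", "url": "https://login.example.test/probe", "status": 444, "body": ""},
]

if __name__ == "__main__":
    for url, hits in scan_events(SAMPLE_EVENTS):
        print(url, hits)
```

A single indicator is weak on its own (many sites use nginx or FingerprintJS); in practice the hits should be correlated per host before alerting.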
Unfortunately, the use of reverse proxy kits for phishing is growing, and combining them with open redirects increases a campaign's success rate.