EvilProxy uses indeed.com open redirect for Microsoft 365 phishing
<blockquote data-quote="Jakesu" data-source="post: 35" data-attributes="member: 7">
<p><a href="https://www.bleepstatic.com/content/hl-images/2022/07/22/Microsoft_365.jpg" target="_blank">[Image]</a></p>
<p>A recently uncovered phishing campaign is targeting Microsoft 365 accounts of key executives in U.S.-based organizations by abusing open redirects from the Indeed employment website for job listings.</p>
<p>The threat actor is using the EvilProxy phishing service that can collect session cookies, which can be used to bypass multi-factor authentication (MFA) mechanisms.</p>
<p>Researchers at Menlo Security report that the targets of this phishing campaign are executives and high-ranking employees from various industries, including electronic manufacturing, banking and finance, real estate, insurance, and property management.</p>
<p><a href="https://www.bleepstatic.com/images/news/u/1220909/2023/Phishing/20/targets.png" target="_blank">[Image: Campaign targets]</a></p>
<p>Redirects are legitimate URLs that take visitors automatically to another online location, typically a third-party website.</p>
<p>Open redirects are weaknesses in the website code that allow creating redirections to arbitrary locations, which threat actors have used to direct to a phishing page.</p>
<p><a href="https://www.bleepstatic.com/images/news/u/1220909/2023/Phishing/20/example.png" target="_blank">[Image: Open redirect example]</a></p>
<p>Because the link comes from a trustworthy party, it can bypass email security measures or be promoted on search results without raising suspicion.</p>
<p>In the campaign that Menlo Security discovered, threat actors leverage an open redirect on indeed.com, the American site for job listings.</p>
<p><a href="https://www.bleepstatic.com/images/news/u/1220909/2023/Phishing/20/chain.png" target="_blank">[Image: Redirect chain]</a></p>
<p>The targets receive emails with an indeed.com link that looks legitimate. When accessed, the URL takes the user to a phishing site acting as a reverse proxy for Microsoft’s login page.</p>
<p><a href="https://www.bleepstatic.com/images/news/u/1220909/2023/Phishing/20/phishing-page.png" target="_blank">[Image: Phishing page used in the campaign]</a></p>
<p>EvilProxy is a phishing-as-a-service platform that uses reverse proxies to facilitate communication and relay user details between the target and the genuine online service, Microsoft in this case.</p>
<p>When the user accesses their account via this phishing server, which mimics the authentic login page, the threat actor can capture the authentication cookies.</p>
<p>Because users have already completed the required MFA (multi-factor authentication) steps during login, the acquired cookies give cybercriminals full access to the victim account.</p>
<p><a href="https://www.bleepstatic.com/images/news/u/1220909/2023/Phishing/20/attack-overview.png" target="_blank">[Image: Overview of the attack]</a></p>
<p>Menlo has recovered several artifacts from the attack that make attribution to EvilProxy more confident, such as:</p>
<ul>
<li data-xf-list-type="ul">Nginx server hosting</li>
<li data-xf-list-type="ul">Specific URI paths previously linked to the service</li>
<li data-xf-list-type="ul">Requirement for proxy authentication</li>
<li data-xf-list-type="ul">Presence of 444 status code in the server response</li>
<li data-xf-list-type="ul">Presence of IDS signatures designed for recognizing EvilProxy URI content</li>
<li data-xf-list-type="ul">Usage of FingerprintJS library for browser fingerprinting</li>
<li data-xf-list-type="ul">Usage of specific POST requests that contain victim emails in base64-encoded form</li>
</ul>
<p>In August 2023, Proofpoint warned of another EvilProxy campaign, which distributed approximately 120,000 phishing emails to hundreds of organizations, targeting their employees’ Microsoft 365 accounts.</p>
<p>Unfortunately, the use of reverse proxy kits for phishing is growing and combining them with open redirects increases the success of a campaign.</p>
</blockquote>
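<p>As an added example (not code from the post or from Menlo Security's report), here is the open-redirect weakness the post describes, modelled from the defender's side: a redirect handler that trusts its target parameter verbatim, the hardened version that only follows same-site paths or allowlisted hosts, and a mail-gateway style check that flags trusted-site links whose query string carries a URL for a foreign host. The hostname <code>jobs.example</code>, the <code>dest</code> parameter and the sample lure are constructed placeholders, not real indeed.com values.</p>

```python
from typing import List
from urllib.parse import urlsplit, parse_qs

# Constructed placeholder for the trusted site that carries the open redirect;
# no real indeed.com hostnames, paths or parameter names are assumed here.
TRUSTED_HOST = "jobs.example"
ALLOWED_HOSTS = {TRUSTED_HOST, "careers.jobs.example"}


def vulnerable_redirect(next_param: str) -> str:
    """Open redirect: the caller-supplied target is honoured verbatim, so a
    link on the trusted site can send the visitor to any phishing host."""
    return next_param


def hardened_redirect(next_param: str) -> str:
    """Only follow same-site relative paths or allowlisted hosts; fall back to '/'.
    Covers the usual bypass shapes: scheme-relative '//host', backslash
    variants, userinfo tricks ('trusted@evil') and non-http schemes."""
    candidate = next_param.replace("\\", "/")  # browsers treat '\' as '/'
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Purely relative path: anchor it at the site root.
        return candidate if candidate.startswith("/") else "/" + candidate
    # hostname is lowercased with userinfo/port stripped, so 'trusted@evil' yields 'evil'
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return candidate
    return "/"


def foreign_hosts_in_query(link: str) -> List[str]:
    """Mail-gateway style triage: a link on the trusted site whose query string
    embeds a URL pointing at another host is a candidate open-redirect lure."""
    found = []
    for values in parse_qs(urlsplit(link).query).values():
        for value in values:
            host = urlsplit(value.replace("\\", "/")).hostname
            if host and host not in ALLOWED_HOSTS:
                found.append(host)
    return found


if __name__ == "__main__":
    # Constructed sample lure: a trusted-site link whose 'dest' parameter carries the phishing host.
    lure = "https://jobs.example/rc/clk?jk=abc123&dest=https%3A%2F%2Fphish.example%2Flogin"
    print("vulnerable ->", vulnerable_redirect("https://phish.example/login"))
    print("hardened   ->", hardened_redirect("https://phish.example/login"))
    print("flagged    ->", foreign_hosts_in_query(lure))
```

<p>The triage check is deliberately coarse: it will also flag legitimate third-party targets, so in practice it feeds a review queue or a reputation lookup rather than blocking outright.</p>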