The phishing page, which masqueraded as a Microsoft 365 login page, was set up using EvilProxy, a phishing service that gives its users a simple GUI to run and manage their campaigns while it does all the work in the background. EvilProxy functions as a reverse proxy: the service sits between the victim and the real login page, relaying requests and responses back and forth between them. From the victim’s perspective the session looks like a normal interaction with the real website, but the attacker sees everything transmitted between the two parties, including the login credentials and MFA codes. EvilProxy claims to be able to bypass MFA on Apple, Gmail, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and other popular websites.
Tools like EvilProxy are part of a recent trend where phishing kits are provided as a service, making it easy for even low-skilled cybercriminals to set up a powerful phishing campaign. All they need is to choose some options on a point-and-click interface. “This relatively simple and low-cost interface has opened a floodgate of successful MFA phishing activity,” the Proofpoint researchers said.
Post-compromise activity
The attackers behind the campaign observed by Proofpoint clearly prioritized VIP targets, whose accounts were accessed within seconds of their credentials being compromised, while less interesting accounts were never actually accessed even if their owners fell for the phishing attack.
To set up persistent access to high-value accounts the attackers used a Microsoft 365 application called My Sign-Ins that allows users to manage their organizations and devices, and to view their authentication sessions. More importantly, the app also allows users to change their account security settings, including changing or adding MFA methods.
The attackers added their own authentication app with time-based one-time passwords — TOTP codes — in addition to the user’s Microsoft Authenticator, which uses push notifications to the mobile device. This allowed them to access the account later if the victim didn’t change their password.
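As a defender-side illustration of the persistence step described above, here is an added example (not code from the Proofpoint report) that correlates constructed sign-in and audit events to flag a new MFA method being registered shortly after a sign-in from an IP the user has never used; the event fields and the 30-minute window are simplified assumptions, not the real Entra ID log schema.

```python
# Flag MFA-method registrations that closely follow a sign-in from an IP the
# user has never used. Sample events are constructed and loosely modelled on
# Entra ID sign-in/audit logs; the field names are simplified assumptions.
from datetime import datetime, timedelta

# Constructed sample: interleaved sign-in and audit events for two users.
EVENTS = [
    {"ts": "2023-08-01T09:00:00", "type": "signin", "user": "cfo@example.com",
     "ip": "203.0.113.7", "result": "success"},
    {"ts": "2023-08-01T09:00:40", "type": "audit", "user": "cfo@example.com",
     "activity": "User registered security info", "method": "Authenticator app (TOTP)"},
    {"ts": "2023-08-01T10:15:00", "type": "signin", "user": "analyst@example.com",
     "ip": "198.51.100.20", "result": "success"},
    {"ts": "2023-08-01T10:16:00", "type": "audit", "user": "analyst@example.com",
     "activity": "User registered security info", "method": "Authenticator app (push)"},
]

# Constructed baseline of IPs each user normally signs in from.
KNOWN_IPS = {
    "cfo@example.com": {"198.51.100.10"},
    "analyst@example.com": {"198.51.100.20"},
}


def suspicious_mfa_registrations(events, known_ips, window=timedelta(minutes=30)):
    """Return one record per security-info registration that was preceded,
    within `window`, by a successful sign-in from an IP outside the user's baseline."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    hits = []
    for i, ev in enumerate(ordered):
        if ev["type"] != "audit" or ev.get("activity") != "User registered security info":
            continue
        t_reg = datetime.fromisoformat(ev["ts"])
        # Walk backwards through earlier events until we leave the time window.
        for prior in reversed(ordered[:i]):
            if datetime.fromisoformat(prior["ts"]) < t_reg - window:
                break
            if (prior["type"] == "signin" and prior["user"] == ev["user"]
                    and prior["result"] == "success"
                    and prior["ip"] not in known_ips.get(ev["user"], set())):
                hits.append({"user": ev["user"], "ip": prior["ip"],
                             "method": ev["method"], "registered_at": ev["ts"]})
                break  # one alert per registration event
    return hits


if __name__ == "__main__":
    for h in suspicious_mfa_registrations(EVENTS, KNOWN_IPS):
        print(f"ALERT {h['user']}: {h['method']} added at {h['registered_at']} "
              f"shortly after sign-in from unfamiliar IP {h['ip']}")
```

In a real tenant the baseline would come from historical sign-in data and the correlation would run over the tenant's audit and sign-in logs rather than an in-memory list.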
“The attackers have been known to study their target organizations’ culture, hierarchy, and processes, to prepare their attacks and improve success rates,” the researchers said. “In order to monetize their access, attackers were seen executing financial fraud, performing data exfiltration or partaking in hacking-as-a-service (HaaS) transactions, selling access to compromised user accounts.”