Cybercriminals are increasingly using a phishing-as-a-service (PhaaS) toolkit — EvilProxy — to pull off account takeover attacks aimed at high-ranking executives at major companies.
According to cybersecurity company Proofpoint, an ongoing hybrid campaign has leveraged the service to target thousands of Microsoft 365 user accounts, sending approximately 1,20,000 phishing emails to hundreds of targeted organisations across the globe between March and June 2023.
Over the last six months, the researchers have observed a surge of over 100 per cent in successful cloud account takeover incidents impacting high-level executives at leading companies.
During the phishing stage of the attack, attackers employed several noteworthy techniques, such as — brand impersonation, scan blocking, and a multi-step infection chain.
“Attackers use new advanced automation to accurately determine in real-time whether a phished user is a high-level profile, and immediately obtain access to the account, while ignoring less lucrative phished profiles,” the researchers said.
Moreover, the report said that more than 100 organisations were targeted globally, collectively representing 1.5 million employees.
Among the hundreds of compromised users, about 39 per cent were C-level executives of which 17 per cent were Chief Financial Officers (CFO), and 9 per cent were Presidents and CEOs.
Attackers have also shown interest in lower-level management, focusing their efforts on personnel with access to financial assets or sensitive information. At least 35 per cent of all compromised users had additional account protections enabled.
Further, the report mentioned that the campaigns are seen as a response to the increased adoption of multi-factor authentication (MFA) in enterprises, evoking threat actors to grow their tactics to bypass new security layers by incorporating adversary-in-the-middle (AitM) phishing kits to siphon credentials, session cookies, and one-time passwords.
Cybersecurity firm Resecurity first reported on EvilProxy in September 2022, detailing its ability to compromise user accounts associated with Apple iCloud, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex, among others.