Hundreds of executives are falling for Microsoft 365 phishing attacks: Report

Share post:

Threat actors are having recent success defeating multifactor authentication-protected Microsoft 365 cloud accounts using the EvilProxy phishing kit, say researchers at Proofpoint.

Since early March, they’ve seen an ongoing hybrid campaign using EvilProxy to target thousands of Microsoft 365 user accounts, particularly those of C-level and senior executives of major companies. In fact, the attackers ignore the successful compromise of accounts of persons they deem of lower value unless they have access to financial or sensitive corporate information.

Among the hundreds of compromised users, Proofpoint says, approximately 39 per cent were C-level executives, of whom 17 per cent were chief financial officers, and nine per cent were presidents and CEOs.

Once a targeted user has provided their credentials, attackers were able to log into their Microsoft 365 account within seconds, say the researchers, suggesting a streamlined and automated process.

“This campaign’s overall spread is impressive, with approximately 120,000 phishing emails sent to hundreds of targeted organizations across the globe between March and June,” the researchers said in a blog this week.

During the phishing stage the attackers use the following techniques:

    • Brand impersonation. Sender addresses impersonated trusted services and apps, such as Concur Solutions, DocuSign and Adobe.
    • Scan blocking. Attackers utilized protection against cyber security scanning bots, making it harder for security solutions to analyze their malicious web pages.
    • Multi-step infection chain. Attackers redirected traffic via open legitimate redirectors, including YouTube, followed by additional steps such as malicious cookies and 404 redirects.

Initially, phishing messages impersonated known trusted services, such as the business expense management system Concur, DocuSign and Adobe. Using spoofed email addresses, these emails contained links to malicious Microsoft 365 phishing websites. Eventually, after several redirection transitions, the user is sent to an EvilProxy phishing framework. The landing page functions as a reverse proxy, mimicking recipient branding and attempting to handle third-party identity providers. If needed, these pages may request MFA credentials to facilitate a real, successful authentication on behalf of the victim – thus also validating the gathered credentials as legitimate.

In the next waves of this campaign, in order to prevent detection by security solutions and to entice the user to click the links, attackers employ redirect links on reputable websites such as YouTube and SlickDeals.

Once attackers accessed a victim’s account, they cemented their foothold within the impacted organization’s cloud environment, often by leveraging a native Microsoft 365 application to execute MFA manipulation. They do it by adding their own multi-factor authentication method.

Proofpoint says IT and infosec pros need to take a number of steps to block this kind of attack, including effective business email compromise prevention solutions. In addition, they need to have solutions or processes to identify account takeover and unauthorized access to sensitive resources. In some cases, certain staff should be required to have FIDO-based physical security keys to protect login access. And employee security awareness training needs to be beefed up.

The post Hundreds of executives are falling for Microsoft 365 phishing attacks: Report first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs


Related articles

Cyber Security Today, April 24, 2024 – Good news/bad news in Mandiant report, UnitedHealth admits paying a ransomware gang, and more

This episode reports on the danger of using expired open-source packages, a tool used by a Russian hacking group and passw

Google Play introduces new biometric verification with a user warning

Google has recently announced updates to the biometric verification process for Google Play purchases, aiming to bolster security...

Cyber Security Today, Week in Review for week ending Friday April 19, 2024

On this episode Jen Ellis, co-chair of the Ransomware Task Force, talks about ways of fighting one of the biggest cyber threats to IT d

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

This episode reports on a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways