Sharp increase in attacks on decision makers’ cloud accounts

the editorial team

24 August 2023

The number of successful cyberattacks taking over the cloud accounts of top executives has increased by more than 100 percent. Cybercriminals are using EvilProxy, a phishing tool built on a reverse proxy, to steal MFA credentials and session cookies, according to research by Proofpoint.

More and more organizations are using multifactor authentication (MFA). Yet, contrary to what you might expect, cybercriminals increasingly manage to take over cloud accounts: at least 35 percent of all users compromised in the past year had MFA enabled. Attackers use sophisticated, automated tools to determine in real time whether a compromised user holds an important role; they then use those tools to gain direct access to that account while ignoring less interesting profiles.

Since early March, Proofpoint researchers have been tracking an attack campaign using the phishing tool EvilProxy to attack thousands of Microsoft 365 accounts. The scale of this campaign is enormous. Between March and June 2023, about 120,000 phishing emails were sent to hundreds of organizations worldwide.

During the phishing phase of the attack, the attackers used several techniques. Brand forgery: senders posed as well-known services and apps such as Concur Solutions, DocuSign, and Adobe. Scan blocking: the phishing pages were shielded from cybersecurity scanning bots, making it harder for security solutions to analyze the malicious web pages. A multi-step attack chain: traffic was first redirected through legitimate websites, followed by further steps such as malicious cookies and 404 redirect links.

Attackers particularly targeted users in key positions, such as C-level executives and VPs at leading companies. Of the hundreds of victims, about 39 percent were C-level executives, including 17 percent CFOs and 9 percent presidents or CEOs.

After gaining access to an account, the criminals attempted to establish a lasting foothold in the affected organization’s cloud environment. In several cases, attackers used a Microsoft 365 application to manipulate MFA further: through the “My Sign-Ins” page, they added their own MFA method, gaining persistent access to the compromised user accounts.
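The two behaviours the article describes, a session cookie captured through a reverse proxy and then replayed from the attacker's own address, and an extra MFA method registered shortly afterwards for persistence, both leave traces in identity-provider logs. The following is an added example, not code from the article or from Proofpoint, that runs two simple detections over constructed sign-in and audit events. The field names (`user`, `ip`, `session_id`, `event`, `mfa`, `ts`) and the 30-minute window are assumptions made for the example, not any vendor's log schema.

```python
"""Added example (not from the article or Proofpoint): two detections for
adversary-in-the-middle account takeover, run over constructed log events.

 1. session_reuse_alerts: a session id issued after an MFA sign-in reappears
    from a different IP (a stolen session cookie being replayed).
 2. mfa_registration_alerts: a new MFA method is registered within a short
    window of the user's first sign-in from that IP (persistence).

Field names are assumptions; map them to your identity provider's schema.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs), in time order.
SAMPLE_EVENTS = [
    {"ts": "2023-06-01T07:00:00", "user": "ops@example.com", "event": "signin",
     "ip": "192.0.2.9", "session_id": "S0", "mfa": True},
    {"ts": "2023-06-01T08:00:00", "user": "cfo@example.com", "event": "signin",
     "ip": "203.0.113.10", "session_id": "S1", "mfa": True},
    # Same session id, new IP, no MFA prompt: the cookie was replayed.
    {"ts": "2023-06-01T08:04:00", "user": "cfo@example.com", "event": "signin",
     "ip": "198.51.100.77", "session_id": "S1", "mfa": False},
    # A new MFA method added five minutes later from the attacker's IP.
    {"ts": "2023-06-01T08:09:00", "user": "cfo@example.com",
     "event": "mfa_registered", "ip": "198.51.100.77"},
    {"ts": "2023-06-01T09:00:00", "user": "dev@example.com", "event": "signin",
     "ip": "192.0.2.5", "session_id": "S2", "mfa": True},
    # Same session id from the same IP later on: benign token refresh.
    {"ts": "2023-06-01T09:30:00", "user": "dev@example.com", "event": "signin",
     "ip": "192.0.2.5", "session_id": "S2", "mfa": False},
    # ops registers a method three hours after first seen from that IP: benign.
    {"ts": "2023-06-01T10:00:00", "user": "ops@example.com",
     "event": "mfa_registered", "ip": "192.0.2.9"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def session_reuse_alerts(events):
    """Return (user, session_id, first_ip, new_ip) for every sign-in where a
    session id already seen from one IP is used from a different IP."""
    first_ip = {}  # (user, session_id) -> IP that the session was issued to
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] != "signin":
            continue
        key = (e["user"], e["session_id"])
        if key not in first_ip:
            first_ip[key] = e["ip"]
        elif first_ip[key] != e["ip"]:
            alerts.append((e["user"], e["session_id"], first_ip[key], e["ip"]))
    return alerts


def mfa_registration_alerts(events, window=timedelta(minutes=30)):
    """Return (user, ip, ts) for MFA-method registrations made from an IP the
    user has never signed in from, or first signed in from within `window`."""
    first_seen = {}  # user -> {ip: first sign-in time from that IP}
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ip, ts = e["user"], e["ip"], _parse(e["ts"])
        ips = first_seen.setdefault(user, {})
        if e["event"] == "signin":
            ips.setdefault(ip, ts)
        elif e["event"] == "mfa_registered":
            first = ips.get(ip)
            if first is None or ts - first <= window:
                alerts.append((user, ip, e["ts"]))
    return alerts


if __name__ == "__main__":
    for a in session_reuse_alerts(SAMPLE_EVENTS):
        print("session reused from new IP:", a)
    for a in mfa_registration_alerts(SAMPLE_EVENTS):
        print("MFA method registered from new IP:", a)
```

Both checks are deliberately coarse: in production you would key the first detection on ASN or geolocation rather than raw IP to tolerate mobile users, and tune the registration window against how quickly your own users typically enrol a new device after first signing in from it.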

Reverse proxy threats, and EvilProxy in particular, constitute a significant danger and are winning out over the less capable phishing kits of yesteryear, the researchers conclude. They have grown significantly in popularity and have exposed crucial holes in organizations’ defense strategies.