Researchers have warned of a new multi-factor authentication (MFA) phishing campaign targeting thousands of users, including a large share of C-suite executives.
The group behind it sent at least 120,000 phishing emails to hundreds of organizations across the globe between March and June this year, according to Proofpoint.
These emails typically impersonate legitimate trusted services and apps such as DocuSign and Adobe and utilize scan blocking to stay hidden from many security tools. Attackers also use a multi-step infection chain to avoid detection, redirecting users who click through via legitimate open redirectors such as YouTube, malicious cookies and 404 redirects.
The campaign uses EvilProxy, a well-known phishing tool based on a reverse proxy architecture which is designed to harvest MFA-protected credentials and session cookies. It does this by proxying the victim's login through a fake domain, relaying the MFA exchange to the real service and grabbing the resulting valid session cookie, which it then uses to authenticate to the real domain, said Proofpoint.
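The stolen-cookie pattern described above has a detectable shape on the identity provider's side: an MFA-satisfied sign-in followed within seconds by the same session being used from a different network. The following is an added illustration, not code from Proofpoint or from the EvilProxy kit; it runs over a constructed, simplified sign-in record format (not a real Microsoft 365 log schema) and the ASN and IP values are placeholders from documentation ranges.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical, simplified sign-in record. Real IdP logs carry more fields;
# "auth" here models whether the login completed interactive MFA or reused
# an existing session cookie/token.
@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str
    asn: str   # network owner of the source IP (enrichment field, constructed)
    auth: str  # "mfa" = interactive MFA completed; "token" = session cookie reused


def find_cookie_replay(events, window=timedelta(seconds=120)):
    """Return (mfa_event, token_event) pairs where a session created by an
    MFA-protected login is reused from a different network within `window`.
    Legitimate network switches (laptop to phone) can also match, so the
    output is a triage queue, not a verdict."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    hits = []
    for evs in by_user.values():
        for i, mfa in enumerate(evs):
            if mfa.auth != "mfa":
                continue
            for later in evs[i + 1:]:
                if later.ts - mfa.ts > window:
                    break  # events are time-ordered, nothing later can match
                if later.auth == "token" and later.asn != mfa.asn:
                    hits.append((mfa, later))
    return hits


# Constructed sample data: the first user shows the automated "login within
# seconds" pattern from another network; the second is ordinary session reuse.
T0 = datetime(2023, 5, 2, 9, 0, 0)
SAMPLE = [
    SignIn("cfo@example.com", T0, "203.0.113.10", "AS64500", "mfa"),
    SignIn("cfo@example.com", T0 + timedelta(seconds=8), "198.51.100.7", "AS64501", "token"),
    SignIn("ceo@example.com", T0, "192.0.2.20", "AS64502", "mfa"),
    SignIn("ceo@example.com", T0 + timedelta(minutes=30), "192.0.2.20", "AS64502", "token"),
]

if __name__ == "__main__":
    for mfa, tok in find_cookie_replay(SAMPLE):
        print(f"{mfa.user}: MFA from {mfa.ip} ({mfa.asn}), token reused "
              f"{(tok.ts - mfa.ts).seconds}s later from {tok.ip} ({tok.asn})")
```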
Although the threat group cast its net far and wide with this campaign, its main target appears to have been senior executives.
“These titleholders are especially valued by threat actors due to their potential access to sensitive data and financial assets. Once a targeted user has provided their credentials, attackers were able to log into their Microsoft 365 account within seconds, indicating a streamlined and automated process,” Proofpoint explained.
“Amongst the hundreds of compromised users, approximately 39% were C-level executives of which 17% were chief financial officers, and 9% were presidents and CEOs. Attackers have also shown interest in lower-level management, focusing their efforts on personnel with access to financial assets or sensitive information.”
Proofpoint claimed to have recorded a 100% increase in “cloud account takeover incidents” impacting high-level executives at leading companies over the past six months.
Once they gain access to executives’ Microsoft 365 accounts, the threat actors will look to establish persistence, then move laterally, potentially deploying additional malware.
“In order to monetize their access, attackers were seen executing financial fraud, performing data exfiltration or partaking in hacking-as-a-service (HaaS) transactions, and selling access to compromised user accounts,” Proofpoint concluded.