Despite growing awareness of the threat from phishing emails and greater adoption of multifactor authentication (MFA), threat actors are still successfully compromising firms via phishing attacks and breaching MFA protections with phishing toolkits. To help bring greater awareness to this activity, Proofpoint recently published a blog detailing how network defenders can help mitigate this threat.
During a recent assessment, researchers at Proofpoint detected use of the EvilProxy phishing toolkit in a case where the existing email security program had failed to detect the activity. EvilProxy is a reverse-proxy Phishing-as-a-Service (PaaS) toolkit that allows low-skill threat actors to steal user credentials and authentication tokens to bypass MFA. According to Proofpoint, the observed attack started with an email that appeared to be a legitimate DocuSign notice requesting a signature. When the victim clicked on the embedded URL, they were taken to their organization’s Microsoft login page. However, the attacker had a proxy set up, so when the user entered the login information, EvilProxy captured their credentials and authentication session token, allowing the attacker to log in as the user and bypass the MFA protections. To defend against this activity, members should consider implementing email security solutions that use machine learning algorithms. Read more at Proofpoint.