EvilProxy is once again on the rise.

The malware is one of the more popular phishing kits that is used to bypass multifactor authentication by stealing credentials. A new report by Proofpoint Inc. today illustrates its new rise in popularity and its focus on compromising Microsoft 365 accounts of C-level executives at major corporations. These kits are favored by criminals because they don’t require much in the way of skill or programming prowess, and because they get results.

From March through June, the researchers have seen a surge in EvilProxy-related phishing campaigns, with more than 120,000 infected emails sent, according to its own customer telemetry. These emails make use of brand impersonation, leveraging other third-party services such as DocuSign, Concur Solutions CRM and various Adobe Inc. products to trick users to click on the malware-laced links.

The campaigns incorporate a series of obfuscation techniques, such as encoding parts of the message and avoiding overt signs of VPN usage. They also used multiple steps to install the malware (below).

But the attackers made a significant typo in how they specified their complex redirection URLs, using “hhttps” instead of “https.” This made tracking their crafted phishing lures easier. Another tell is mentioned in the report that could indicate the attackers are based in Turkey or were intentionally avoiding targeting Turkish users.

“Even MFA is not a silver bullet against sophisticated threats and could be bypassed by various forms of combined email-to-cloud attacks,” the report said. “The attackers have been known to study their target organizations’ culture, hierarchy, and processes, to prepare their attacks and improve success rates.”

One solution is to adopt hardware-based security keys, such as from Yubico AB, to protect accounts, something that Discord has recently done for all of its employees. That link has lots of interesting details about how hard this was for Discord, why it chose this route after using less capable MFA methods previously, and how the deployment team won over various objections.

Images: Pixabay, Proofpoint