News Heading - 1

Phishing Malware EvilProxy Targets MFA-Protected High-Level Executive Accounts

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

EvilProxy, a phishing tool popular among threat actors, is being used to bypass multi-factor authentication (MFA) on Microsoft 365 user accounts. The campaign, which was active between March and June 2023, sent around 120,000 phishing emails to 1.5 million employees in over 100 organizations globally.

Use of this reverse-proxy-based tool has driven a sharp rise in successful cloud account takeover incidents affecting high-level executives over that period, observed researchers at Proofpoint.

Some of the noteworthy techniques employed by the attackers in this campaign include brand impersonation, a multi-step infection chain, and protection against scanning bots.

In this campaign, the popular phishing-as-a-service (PhaaS) tool was used to send spoofed emails impersonating trusted brands such as Concur Solutions, DocuSign, and Adobe.

As soon as the recipient clicks on the malicious URL, they are bounced through an open redirect on a legitimate site such as YouTube, followed by several further redirections involving malicious cookies and 404 redirects. These steps are designed to lower the chances of discovery.

Eventually, the target lands on the EvilProxy phishing page, which according to the researchers “functions as a reverse proxy, mimicking recipient branding and attempting to handle third-party identity providers.”

Proofpoint observed that the attackers used special encoding of the user's email address, together with compromised legitimate websites, to evade automated scanning tools; the compromised sites hosted the attackers' PHP code, which decoded the email address of the particular target. Once the target was identified, they were directed to the actual phishing page, tailor-made for the victim's organization.
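As an added illustration (not code from the article or from Proofpoint's research), the following Python helper examines a captured redirect chain the way a defender triaging such a lure might: it flags hops through known open redirectors and recovers a target's email address hidden in a query parameter as base64 or hex. The redirector host list, the query parameter names, and the sample chain are constructed assumptions, not values from the campaign.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# Hosts the article names as abused open redirectors (YouTube); extend per environment.
OPEN_REDIRECT_HOSTS = {"youtube.com", "www.youtube.com"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def decode_candidates(value):
    """Yield the raw value plus base64 and hex decodings (the campaign hid the address in the URL)."""
    yield value
    try:
        padded = value + "=" * (-len(value) % 4)
        yield base64.urlsafe_b64decode(padded).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        pass  # not valid base64; ignore this decoding
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", value):
        yield bytes.fromhex(value).decode("utf-8", "ignore")

def find_encoded_emails(url):
    """Return every e-mail address carried in the query string, encoded or plain."""
    found = set()
    for values in parse_qs(urlparse(url).query, keep_blank_values=True).values():
        for v in values:
            for cand in decode_candidates(v):
                found.update(EMAIL_RE.findall(cand))
    return found

def analyze_chain(chain):
    """Summarise a redirect chain: hop count, open-redirector hops, leaked addresses, verdict."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    redirectors = [h for h in hosts if h in OPEN_REDIRECT_HOSTS]
    emails = set()
    for u in chain:
        emails |= find_encoded_emails(u)
    return {
        "hops": len(chain),
        "open_redirectors": redirectors,
        "emails": sorted(emails),
        "suspicious": bool(redirectors and emails),  # both indicators present
    }

# Constructed sample chain for demonstration; these are not URLs from the campaign.
SAMPLE_CHAIN = [
    "https://www.youtube.com/redirect?q=https://hop-one.example/x",
    "https://hop-one.example/x?u=Y2ZvQHZpY3RpbS5leGFtcGxl",  # base64 of cfo@victim.example
    "https://login-lookalike.example/?e=63666f4076696374696d2e6578616d706c65",  # hex of the same
]
```

Running `analyze_chain(SAMPLE_CHAIN)` reports the YouTube hop and the decoded address, which is the pair of signals worth alerting on when a URL-rewriting mail gateway logs the full chain.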

Some of the peculiarities noted in this campaign included a form of ‘safe listing’ in which user traffic originating from Turkey was redirected to a legitimate site. This led the researchers to believe that the attackers were either based in Turkey or were intentionally avoiding Turkish users. Many VPN exit points worldwide were also blocked from accessing the phishing sites.

The research also revealed the campaign’s selective targeting, with priority given to “VIP” targets. Of the compromised accounts, 39% belonged to C-level executives, of which 17% were chief financial officers and 9% were CEOs; the rest were employees with access to sensitive information and financial data.

On multiple occasions it was observed that the threat actors utilized the My Sign-In feature of compromised Microsoft 365 accounts to establish persistence.

In September 2022, Resecurity had discovered EvilProxy, a new PhaaS offering, being advertised on the dark web for $400 a month.

News Heading - 2

UK Electoral Commission Data Breach Exposes Millions of Registered Voters’ Data

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

In a public notice, the UK Electoral Commission disclosed a hacking incident that compromised the personal data of anyone who had registered to vote in the country between 2014 and 2022.

The incident came to light when suspicious activity was detected on the Commission's systems in October 2022. Further investigation revealed that the perpetrators had first broken into the servers in August 2021. The delay in identification and disclosure raises the question of how such an attack went unnoticed and unreported for the said 25 months.

In the attack, the unknown hackers accessed reference copies of the electoral registers that the Commission retains for permissibility checks on political donations and for research purposes. The registers contained the names and addresses of UK voters who registered in that eight-year period, as well as the names and addresses of overseas voters.

The details of voters registered anonymously were not found in these registers.

Additionally, the Commission’s email system was accessed by the threat actors, exposing further personal details of voters. This data includes names, home and email addresses, phone numbers, and any personal images shared with the Commission.

However, financial information such as donations and loans to registered political parties and non-party campaigners remains secure. The Commission went on to assure the public that the overall electoral process, including voters’ registration status, also remained unaffected.

Further downplaying the incident, it said that “No immediate action needs to be taken in response to this notification. However, anyone who has been in contact with the Commission, or who was registered to vote between 2014 and 2022, should remain vigilant for unauthorized use or release of their personal data.”

In the statement, the Commission said it had taken the necessary steps to address the security concerns, including hardening its systems against external attacks and protecting voters’ personal data. It also partnered with third-party security experts and the UK National Cyber Security Centre to investigate the incident and strengthen its security.