What is the threat?
EvilProxy is a tool that’s increasingly being used by cybercriminals to trick people into revealing their login information, even if they have extra security measures in place like two-factor authentication. Researchers have noticed a significant increase in these attacks over the past five months.
Proofpoint, a cybersecurity company, has been studying these attacks and found that EvilProxy is behind a large-scale campaign where it sends emails to people pretending to be trusted companies like Adobe, Concur or DocuSign. If someone clicks on the links in these emails, they get redirected through various websites to a fake login page for Microsoft 365. This fake page looks real and can even match your organization’s style and branding.
What is unusual is that the attackers are selective: they focus on high-ranking targets such as CEOs and CFOs and ignore lower-level employees. Once they compromise a Microsoft 365 account, they register their own two-factor authentication method on it to maintain control.
EvilProxy is sold to cybercriminals for $400 per month and can target accounts from various big companies like Apple, Google, Facebook, Microsoft and others. It’s a growing threat that has been proven to trick C-suite executives, and once it is launched, it is hard to stop. The best defense is to be cautious, use strong email filters, and consider using physical security keys for protection.
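The following Python simulation is an added illustration and is not part of the original advisory. It shows why a one-time code typed into a relay page is still accepted by the real login service, while an assertion from a security key is not: the key signs the origin the browser actually saw, and the real service rejects any origin other than its own. The origins, the HMAC stand-in for the key's signature and the helper names are constructed for this example; real FIDO2/WebAuthn uses an asymmetric signature over client and authenticator data, but the origin-binding check is the same property.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins for the walk-through (not taken from the advisory).
REAL_ORIGIN = "https://login.example-tenant.test"          # the legitimate portal
PROXY_ORIGIN = "https://login.example-tenant-secure.test"  # the relay page the victim lands on


# ---- Factor type 1: a one-time code (SMS or authenticator app) -------------
def otp_server_verify(expected_code: str, submitted_code: str) -> bool:
    """The server only compares digits; it cannot tell where they were typed."""
    return hmac.compare_digest(expected_code, submitted_code)


def relay_otp_through_proxy(expected_code: str) -> bool:
    """Victim reads the code off their phone and types it into the relay page,
    which forwards it unchanged to the real service."""
    code_typed_at_proxy = expected_code
    return otp_server_verify(expected_code, code_typed_at_proxy)


# ---- Factor type 2: an origin-bound security key ---------------------------
# Simplification: one shared HMAC secret stands in for the authenticator's
# private key and the server's copy of the matching public key.
def key_sign(key_secret: bytes, challenge: bytes, origin_seen_by_browser: str) -> dict:
    """The authenticator signs the server challenge together with the origin
    the browser reports; neither can be changed afterwards without breaking
    the signature."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": origin_seen_by_browser}, sort_keys=True
    ).encode()
    signature = hmac.new(key_secret, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


def key_server_verify(key_secret: bytes, challenge: bytes, assertion: dict, expected_origin: str) -> bool:
    """The real service rejects an assertion made for any other origin before
    it even looks at the signature, and rejects any edited client data after."""
    data = json.loads(assertion["client_data"])
    if data["origin"] != expected_origin:
        return False
    if bytes.fromhex(data["challenge"]) != challenge:
        return False
    expected_sig = hmac.new(key_secret, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def relay_key_through_proxy(tamper_origin: bool = False) -> bool:
    """Victim's browser is on PROXY_ORIGIN, so the key signs that origin.
    With tamper_origin=True the relay rewrites the origin field, which
    invalidates the signature instead."""
    key_secret = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)  # issued by the real service, passed on by the relay
    assertion = key_sign(key_secret, challenge, PROXY_ORIGIN)
    if tamper_origin:
        data = json.loads(assertion["client_data"])
        data["origin"] = REAL_ORIGIN
        assertion["client_data"] = json.dumps(data, sort_keys=True).encode()
    return key_server_verify(key_secret, challenge, assertion, REAL_ORIGIN)


def legitimate_key_login() -> bool:
    """Control case: the browser is really on REAL_ORIGIN, so the assertion verifies."""
    key_secret = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)
    assertion = key_sign(key_secret, challenge, REAL_ORIGIN)
    return key_server_verify(key_secret, challenge, assertion, REAL_ORIGIN)


if __name__ == "__main__":
    print("relayed one-time code accepted:", relay_otp_through_proxy("482913"))
    print("relayed security key accepted:", relay_key_through_proxy())
    print("relayed key with edited origin accepted:", relay_key_through_proxy(tamper_origin=True))
    print("genuine security key login accepted:", legitimate_key_login())
```

The one-time code carries no information about where it was entered, which is why strong email filtering and user caution are the only defenses for that factor; the security key fails closed because the phishing domain is baked into what it signs.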
Does it impact Network 1 clients?
It can affect nearly any company and is likely the main reason why intrusions and breaches across businesses in general have sharply increased in recent months.
What is Network 1 doing to help their clients with this threat?
We have improved, and are continuing to enhance, many Office 365 standards to reduce the risk of this threat. These include creating customized, branded login pages, developing Conditional Access policies that cannot be modified by attackers, and advancing system monitoring to more quickly detect and respond to threats. We are pleased to already see positive impacts from these changes: one of our engineers recently reviewed a client’s environment and noticed a thwarted malicious access attempt that would likely have succeeded prior to these changes.
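As an added example of the kind of monitoring rule this implies, and not a description of Network 1's own tooling, the Python below flags the persistence step described above: a new second-factor method registered on an account shortly after a sign-in from an address outside that user's normal baseline. The records, field names, addresses and the one-hour window are all constructed for the example and only loosely follow the shape of Microsoft 365 sign-in and audit logs.

```python
from datetime import datetime, timedelta

# Constructed baseline: addresses each user normally signs in from.
KNOWN_IPS = {
    "cfo@example-tenant.test": {"203.0.113.10"},
    "analyst@example-tenant.test": {"203.0.113.20"},
}

# Constructed, simplified log records (not a real export).
EVENTS = [
    {"time": "2023-08-14T08:02:00", "user": "cfo@example-tenant.test",
     "kind": "signin", "ip": "203.0.113.10", "activity": "Sign-in"},
    {"time": "2023-08-14T13:41:00", "user": "cfo@example-tenant.test",
     "kind": "signin", "ip": "198.51.100.77", "activity": "Sign-in"},
    {"time": "2023-08-14T13:46:00", "user": "cfo@example-tenant.test",
     "kind": "audit", "ip": "198.51.100.77", "activity": "User registered security info"},
    {"time": "2023-08-14T09:15:00", "user": "analyst@example-tenant.test",
     "kind": "signin", "ip": "203.0.113.20", "activity": "Sign-in"},
    {"time": "2023-08-14T09:20:00", "user": "analyst@example-tenant.test",
     "kind": "audit", "ip": "203.0.113.20", "activity": "User registered security info"},
]

MFA_REGISTRATION = "User registered security info"


def find_suspicious_mfa_registrations(events, known_ips, window=timedelta(hours=1)):
    """Return (user, registration_time, source_ip) for every second-factor
    registration that was preceded, within `window`, by a sign-in from an
    address not in that user's baseline. A registration after a sign-in from
    a known address is treated as routine and not reported."""
    by_user = {}
    for event in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        by_user.setdefault(event["user"], []).append(event)

    alerts = []
    for user, user_events in by_user.items():
        baseline = known_ips.get(user, set())
        for index, event in enumerate(user_events):
            if event["kind"] != "audit" or event["activity"] != MFA_REGISTRATION:
                continue
            registered_at = datetime.fromisoformat(event["time"])
            for prior in user_events[:index]:
                if prior["kind"] != "signin" or prior["ip"] in baseline:
                    continue
                if registered_at - datetime.fromisoformat(prior["time"]) <= window:
                    alerts.append((user, event["time"], prior["ip"]))
                    break  # one alert per registration is enough
    return alerts


if __name__ == "__main__":
    for user, when, ip in find_suspicious_mfa_registrations(EVENTS, KNOWN_IPS):
        print(f"ALERT: {user} registered a new MFA method at {when} after signing in from {ip}")
```

In practice the baseline would come from the tenant's own sign-in history rather than a hard-coded set, and the alert should trigger an immediate review of the account's registered authentication methods and active sessions.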
What do Network 1 clients need to do on their end?
As always, all employees – particularly those in senior levels – should remain vigilant anytime they are interfacing with login portals, receive email links or browse on the web. Continue to educate your team on best practices, what they should look out for, and how to avoid risky behaviors.
To read more details on EvilProxy, see this article. And if you have further questions on this or any other threats, don’t hesitate to contact us for additional information.