A Microsoft 365 phishing campaign has targeted over 100 companies since March and successfully compromised accounts belonging to senior business executives. The attackers used EvilProxy, a phishing toolkit that uses reverse-proxy tactics to bypass multifactor authentication (MFA).\n\n"Contrary to what one might anticipate, there has been an increase in account takeovers among tenants that have MFA protection," researchers from security firm Proofpoint said in a report. "Based on our data, at least 35% of all compromised users during the past year had MFA enabled."\n\nProofpoint reports seeing a 100% rise in successful cloud account takeover incidents over the past six months with attackers improving their techniques and even filtering compromised targets by their organizational roles in what seemed to be an automated manner. Out of hundreds of accounts that were accessed by attackers, 39% were C-level executives, 17% were chief financial officers, and 9% were presidents and CEOs. When it came to lower-level management and personnel, the attackers focused on users with access to financial assets or sensitive information.\n\nPhishing campaign impersonates trusted services\n\nThe phishing messages masqueraded as automated emails generated by trusted services or applications such as business expense management system Concur, DocuSign, and Adobe Sign. They claimed to contain either expense reports requiring approval or documents that needed to be signed.\n\nThe URLs included in the rogue emails took victims through a series of redirects. First through an open redirect script from a legitimate website, such as YouTube or SlickDeals. From there, the victims' browsers were redirected several more times through various pages and 404 errors with the likely intention of scattering the traffic and making discovery by automated tools harder.\n\n"In order to hide the user email from automatic scanning tools, the attackers employed special encoding of the user email, and used legitimate websites that have been hacked, to upload their PHP code to decode the email address of a particular user," the researchers said. "After decoding the email address, the user was forwarded to the final website -- the actual phishing page, tailor-made just for that target\u2019s organization."\n\nEvilProxy and the rise of phishing-as-a-service tools\n\nThe phishing page, which masqueraded as a Microsoft 365 login page, was set up using EvilProxy, a phishing service that provides users with a simple GUI to run and manage their campaigns and does all the work in the background. EvilProxy functions as a reverse proxy, where the service is positioned between the user and the real login page, relaying requests and responses back and forth between them. From the victim's perspective, it's like they're interacting with the real website, but the attacker gets to see everything that gets transmitted between the two parties, including the login credentials and MFA codes. EvilProxy claims to be able to bypass MFA on Apple, Gmail, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and other popular websites.\n\nTools like EvilProxy are part of a recent trend where phishing kits are provided as a service, making it easy for even low-skilled cybercriminals to set up a powerful phishing campaign. All they need is to choose some options on a point-and-click interface. "This relatively simple and low-cost interface has opened a floodgate of successful MFA phishing activity," the Proofpoint researchers said.\n\nPost-compromise activity\n\nThe attackers behind the campaign observed by Proofpoint clearly prioritized VIP targets whose accounts were accessed in seconds after their credentials were compromised, while less interesting accounts were never actually accessed even if their owners fell for the phishing attack.\n\nTo set up persistent access to high-value accounts the attackers used a Microsoft 365 application called My Sign-Ins that allows users to manage their organizations and devices, and to view their authentication sessions. More importantly, the app also allows users to change their account security settings, including changing or adding MFA methods.\n\nThe attackers added their own authentication app with time-based one-time passwords -- TOTP codes -- in addition to the user's Microsoft Authenticator, which uses push notifications to the mobile device. This allowed them to access the account later if the victim didn't change their password.\n\n"The attackers have been known to study their target organizations\u2019 culture, hierarchy, and processes, to prepare their attacks and improve success rates," the researchers said. "In order to monetize their access, attackers were seen executing financial fraud, performing data exfiltration or partaking in hacking-as-a-service (HaaS) transactions, selling access to compromised user accounts."\n\nTo defend against such attacks Microsoft advises organizations to implement MFA methods that cannot be intercepted via proxy techniques, such as physical USB keys that are compatible with the FIDO2 standard or certificate-based authentication. Conditional access policies can also be used to evaluate sign-in requests based on device identity and location and implement continuous access evaluation to detect when existing valid authentication tokens are not being used from the devices or apps they were issued to.