A sophisticated phishing campaign has recently come to light, with its primary target being key executives in U.S.-based organizations who use Microsoft 365 accounts. This campaign exploits open redirects on the widely-used job listing website Indeed.com to launch its attacks.
By leveraging the EvilProxy phishing service, threat actors can harvest session cookies, which enables them to circumvent multi-factor authentication (MFA) safeguards. Researchers from Menlo Security have identified that the victims of this phishing campaign predominantly include high-ranking employees from various sectors, such as electronic manufacturing, banking, real estate, insurance, and property management.
Open redirects are legitimate URL links used to direct users automatically to other online locations, often third-party websites. However, cybercriminals exploit open redirects, which are vulnerabilities in website code, to redirect users to phishing pages, taking advantage of the trustworthiness of the original link.
In this particular campaign, attackers employ an open redirect on Indeed.com, an American job listing platform. Victims receive seemingly legitimate emails containing an Indeed.com link that, when clicked, leads them to a phishing site posing as a reverse proxy for Microsoft’s login page.
EvilProxy serves as a phishing-as-a-service platform, using reverse proxies to mediate communication between the target and the actual online service, in this case, Microsoft. When victims access their accounts through this phishing server, which closely mimics the authentic login page, the attackers can capture authentication cookies.
Since users have already completed MFA during login, these acquired cookies provide cybercriminals with full access to victims’ accounts. To combat this growing threat, researchers have identified various artifacts from the attack, linking it to EvilProxy, and further efforts are being made to identify and apprehend the masterminds behind this campaign.