US executives targeted in EvilProxy recruitment phishing campaign

Threat actors targeted U.S. executives using a phishing-as-a-service platform and a fake Indeed site. (Adobe Stock Images)
Threat actors used the EvilProxy phishing-as-a-service platform and links to a fake Indeed recruitment website to steal credentials from senior U.S. executives employed across a range of industries.

EvilProxy is a tool researchers expect will grow in popularity among hackers due to its easy-to-use features and its ability to circumvent certain multi-factor authentication (MFA) security measures.

Menlo Labs identified the latest campaign, which was not attributed to a specific threat group but predominantly targeted executives working in senior roles in the banking and financial services, insurance, property management, real estate, and manufacturing sectors.

In an Oct. 3 blog post, Menlo Labs threat researcher Ravisankar Ramprasad described the campaign as a classic example of an adversary-in-the-middle (AiTM) phishing attack in which session cookies were harvested, enabling threat actors to bypass MFA protections.

Targets were sent a phishing email containing an open redirect URL on an indeed.com domain, which redirected to a phishing website, created using EvilProxy, that mimicked a Microsoft 365 login page.

Redirect URLs are used legitimately to send visitors from one website to another, and contain a data string used by the destination website to understand the visitor’s web journey.

The use of the Indeed domain redirect URL in the phishing email “makes an unsuspecting victim believe the redirection resulted from a trusted source,” Ramprasad said.

The phishing site acts as a reverse proxy, allowing the threat actor to intercept requests to and from the legitimate server and to steal the session cookies. The cookies can then be used by the attacker to bypass MFA that is not phishing-resistant when logging in with the victim’s credentials.

“The reverse proxy fetches all the content that can be dynamically generated like the login pages and then acts as the adversary in the middle by intercepting the requests and responses between the victim and the legitimate site,” Ramprasad said. “This helps in harvesting the session cookies.”

With account compromise typically being only the first stage in a threat group’s attack chain, this particular campaign could lead on to business email compromise attacks, in turn leading to identity theft, intellectual property theft or financial losses, Ramprasad said.

Menlo Labs had informed Indeed of the open redirect vulnerability, its active exploitation, and “the criticality and severity that this threat poses,” he said.
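The lure in this campaign depends on a redirect URL whose host is a trusted brand but whose query string carries an absolute URL to a different host. The following mail-filter check, an added example that is not part of the article or of Menlo Labs' research, flags such links in an email body; the host names, parameter names and email text are constructed samples, not Indeed's actual redirect endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Matches absolute http(s) links in plain-text or HTML bodies (constructed pattern).
LINK_RE = re.compile(r"https?://[^\s\"'<>]+")


def external_redirect_target(link: str, max_depth: int = 3):
    """Return (outer_host, target_host) if any query parameter of `link` holds an
    absolute URL pointing at a host other than the link's own host, else None.
    Parameter values are percent-decoded repeatedly (up to max_depth) so a
    double-encoded target is still recognised. Subdomain mismatches are flagged
    too; that is a deliberately conservative choice for a mail filter."""
    parts = urlsplit(link)
    outer_host = parts.hostname or ""
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        candidate = value
        for _ in range(max_depth):
            inner = urlsplit(candidate)
            # Absolute (or scheme-relative "//host/...") URL inside the parameter?
            if inner.netloc and inner.scheme in ("", "http", "https") and inner.hostname:
                if inner.hostname != outer_host:
                    return outer_host, inner.hostname
                break  # same host: an ordinary post-login redirect, not a lure
            decoded = unquote(candidate)
            if decoded == candidate:
                break  # nothing more to decode and still not a URL
            candidate = decoded
    return None


def scan_email_links(body: str, trusted_hosts):
    """Scan every link in an email body and report redirects that leave the
    link's host. `trusted_lure` marks the pattern from the campaign: a
    well-known host used as the visible domain for an off-site redirect."""
    findings = []
    for link in LINK_RE.findall(body):
        hit = external_redirect_target(link)
        if hit:
            outer, target = hit
            findings.append({"link": link, "via": outer, "target": target,
                             "trusted_lure": outer in trusted_hosts})
    return findings


# Constructed sample email: one open-redirect lure and one benign same-site link.
SAMPLE_EMAIL = """A senior role matching your profile is open. Review it here:
https://jobs.example.com/rc/clk?jk=7f3a&url=https%3A%2F%2Flogin-m365.example.net%2Fcommon%2Foauth2
Or browse other postings: https://jobs.example.com/jobs?q=cfo&next=%2Fsaved
"""
```

Running `scan_email_links(SAMPLE_EMAIL, {"jobs.example.com"})` reports only the first link, with `login-m365.example.net` as the real destination behind the trusted-looking host.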