Cyber Intelligence Briefing Special: What is EvilProxy?

Readers of S-RM’s weekly bulletin, Cyber Intelligence Briefing, and our latest research, Cyber Security Insights Report 2022, will be aware that EvilProxy is a new phishing tool that swept onto the cyber threat landscape earlier this year.

In this special video edition of Cyber Intelligence Briefing, S-RM cyber experts Saad Nabeel and Tim Geschwindt provide a detailed overview of how the phishing platform works and discuss why the threat is such a concern. They also share advice on how businesses and individuals can try to mitigate the threat, but the message is clear - there is no ‘silver bullet’.

Man in the middle attack

Threat actors are using EvilProxy to craft targeted phishing emails that include links to customised phishing websites, which are designed to look like legitimate sign-in pages for services like Google Workspace and Microsoft 365. These phishing websites then redirect – or ‘proxy’– traffic from the user to legitimate login sites, allowing the threat actor to intercept user credentials, receive valid session cookies and effectively sit in the middle of the Multi Factor Authentication (‘MFA’) process.

Three areas of concern

Why is EvilProxy such a concern? There are three key areas:

1. Low barrier to entry. Readily available on the dark web, there are tutorials and write-ups available, meaning any ‘entry level’ threat actor can access and use this service quickly.
2. Complacency in the market. MFA has been marketed as a silver bullet to preventing unauthorised access to accounts, meaning many businesses are relying solely on MFA and not implementing other wraparound security procedures.
3. Theoretical risk became a reality. This new threat which appeared in September 2022 isn’t sitting on the dark web unused, it’s so well-crafted it is being deployed in widespread attacks.

Detection is difficult but not impossible

For a Microsoft-centric business, detection will come through your unified audit logs – but only if enabled. Look for these four indicators:

1. Suspicious login locations. For example a geography you don’t operate in, or lots of different geographies in a short time frame.
2. User agent strings. Look for ‘postman runtime’ on user agent strings (which are essentially finger prints of the device used to login).
3. Email rules. Once a threat actor has gained access they’ll want to set up rules to divert or hide email traffic in order to present to the legitimate user that there is nothing wrong with their mailbox.
4. Strange employee behaviour. Anything to do with changes to financial information, for example requests to edit invoices, should be interrogated.

Tips to protect yourself

There is no easy solution to EvilProxy, but there are four things you might consider:

1. Hardware tokens. Authenticating using hardware tokens, which are physical hardware items a little like USB drives, rather than an authenticator app.
2. Mobile device management. Using mobile management tools that allow you to implement additional conditional access policies to determine if the device is trusted or untrusted.
3. Password-less authentication. Moving away from passwords altogether and using other authentication methods, such as Windows Hello for Business.
4. User awareness/training. Phishing still relies on someone clicking a malicious link. User security awareness and training alongside constantly testing your workforce is key to making staff remain vigilant and know what to do if they suspect phishing.