EvilProxy Cyberattack Flood Targets Execs via Microsoft 365

Published: 23/11/2024   Category: security




A campaign sent 120,000 phishing emails in three months, circumventing MFA to compromise cloud accounts of high-level executives at global organizations



Attackers have unleashed an EvilProxy phishing campaign to target thousands of Microsoft 365 user accounts worldwide, sending a flood of 120,000 phishing emails to more than 100 organizations across the globe in the three-month period between March and June alone. The goal? To take over C-suite and other executive accounts, in order to mount further attacks deeper within the enterprise.

The ongoing campaign uses a combination of phishing tactics — including brand impersonation, scan blocking, and a multi-step infection chain — to successfully take over cloud accounts of top-level executives, researchers from Proofpoint revealed.
Over the last six months, Proofpoint observed a significant surge of more than 100% in these takeovers. The compromises occurred at organizations that collectively represent 1.5 million employees worldwide.
Attackers' use of EvilProxy, a phishing-as-a-service offering that uses reverse proxy and cookie-injection methods, allowed them to bypass multi-factor authentication (MFA) in the attacks. Indeed, though MFA use is often cited as a prevention mechanism for phishing, EvilProxy and similar reverse-proxy hacker tools are making MFA easier for bad actors to circumvent.

"If needed, these pages may request MFA credentials to facilitate a real, successful authentication on behalf of the victim — thus also validating the gathered credentials as legitimate," Proofpoint's Shachar Gritzman, Moshe Avraham, Tim Kromphardt, Jake Gionet, and Eilon Bendet wrote in a blog post.

"Moreover, once credentials were obtained, the actors wasted no time in logging into executives' cloud accounts, gaining access in mere seconds. They proceeded to gain persistence to compromised accounts by leveraging a native Microsoft 365 application to add their own MFA to My Sign-Ins," the researchers said. "Their preferred method for doing this was Authenticator App with Notification and Code."

"Contrary to what one might anticipate, there has been an increase in account takeovers among tenants that have MFA protection," the researchers wrote. "Based on our data, at least 35% of all compromised users during the past year had MFA enabled."
A typical EvilProxy attack begins with attackers impersonating known trusted services, such as the business expense management system Concur, DocuSign, and Adobe. They used spoofed email addresses to send phishing emails purporting to come from one of these services that contained links to malicious Microsoft 365 phishing websites.
Clicking on one of these links would set off a multi-step infection chain in which user traffic is first redirected to an open, legitimate redirector — such as YouTube, among others. Traffic then may undergo several more redirections, which involve malicious cookies and 404 redirects.
"This is done to scatter the traffic in an unpredictable way, lowering the likelihood of discovery," the researchers wrote.
Eventually, user traffic is directed to an EvilProxy phishing framework, a landing page that functions as a reverse proxy, mimicking recipient branding and attempting to mimic third-party identity providers.
Despite the volume, attackers were extremely targeted in their approach, going right to the top of the organizational food chain by targeting C-level executives in about 39% of the attacks. Of that number, 17% of those targets were CFOs and 9% were presidents and CEOs.
Both the success of attackers in breaching MFA and the scale of the attack demonstrate the evolving sophistication of phishing attacks, which demands a response from organizations to level up on security, noted one security expert.

"The scale and audacity of the EvilProxy phishing campaign is deeply concerning," Colin Little, security engineer for cybersecurity firm Centripetal, wrote in an email to Dark Reading. "It's a stark reminder that no security measure is bulletproof, and cybercriminals are continually finding new ways to exploit vulnerabilities."

He recommended the deployment of proactive cybersecurity intelligence to monitor for unusual activities, emerging threats, and potential vulnerabilities to bolster organizations' defenses and maintain a more robust cybersecurity posture.

Indeed, though many organizations know about the effectiveness of EvilProxy as a phishing tool, the Proofpoint researchers noted a concerning gap in public awareness regarding its risks and potential consequences.

Among a number of phishing-mitigation efforts, the company recommends blocking and monitoring malicious email threats, identifying account takeover and unauthorized access to sensitive resources within the cloud, and isolating potentially malicious sessions initiated by links embedded in email messages.
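The persistence step described above (a successful sign-in followed within seconds by the attacker registering their own Authenticator method in My Sign-Ins) is a tight, detectable pattern. The script below is an added illustration of one way to hunt for it; it is not code from Proofpoint or Dark Reading. It assumes a simplified export of Entra ID sign-in and audit events with the field names shown, takes the audit activity name "User registered security info" as the registration signal, and uses a small set of constructed sample events and a constructed per-user baseline of known source IPs (all placeholder values from documentation ranges).

```python
from datetime import datetime, timedelta

# Assumed audit activity name for a new authentication method being registered.
MFA_REGISTRATION_ACTIVITY = "User registered security info"

# Constructed sample sign-in events (placeholder users and documentation-range IPs).
SIGNINS = [
    {"time": "2024-06-03T09:01:12", "user": "cfo@example.com",
     "ip": "203.0.113.7", "status": "success"},      # unfamiliar IP
    {"time": "2024-06-03T09:15:40", "user": "ceo@example.com",
     "ip": "198.51.100.20", "status": "success"},    # known IP
    {"time": "2024-06-03T11:02:00", "user": "cfo@example.com",
     "ip": "192.0.2.44", "status": "success"},       # known IP
    {"time": "2024-06-03T11:02:09", "user": "analyst@example.com",
     "ip": "192.0.2.90", "status": "failure"},       # failed sign-in, ignored
]

# Constructed sample audit events for authentication-method registrations.
AUDITS = [
    {"time": "2024-06-03T09:02:03", "user": "cfo@example.com",
     "activity": MFA_REGISTRATION_ACTIVITY,
     "detail": "Authenticator App with Notification and Code"},  # 51 s after sign-in
    {"time": "2024-06-03T13:30:00", "user": "ceo@example.com",
     "activity": MFA_REGISTRATION_ACTIVITY,
     "detail": "Authenticator App with Notification and Code"},  # hours later, benign
    {"time": "2024-06-03T11:02:30", "user": "analyst@example.com",
     "activity": MFA_REGISTRATION_ACTIVITY, "detail": "Phone"},  # no successful sign-in
]

# Constructed baseline: source IPs each user has signed in from before.
KNOWN_IPS = {
    "cfo@example.com": {"192.0.2.44"},
    "ceo@example.com": {"198.51.100.20"},
}


def parse_time(ts):
    """Parse the ISO-8601 timestamps used in the sample events."""
    return datetime.fromisoformat(ts)


def detect_mfa_persistence(signins, audits, known_ips, window=timedelta(minutes=10)):
    """Flag successful sign-ins from an unfamiliar IP that are followed, within
    `window`, by the same user registering a new authentication method.

    Returns one alert dict per (sign-in, registration) pair that matches."""
    registrations = [a for a in audits if a["activity"] == MFA_REGISTRATION_ACTIVITY]
    alerts = []
    for signin in signins:
        if signin["status"] != "success":
            continue
        if signin["ip"] in known_ips.get(signin["user"], set()):
            continue  # familiar source, treat as baseline behaviour
        signin_at = parse_time(signin["time"])
        for reg in registrations:
            if reg["user"] != signin["user"]:
                continue
            delta = parse_time(reg["time"]) - signin_at
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": signin["user"],
                    "ip": signin["ip"],
                    "method": reg["detail"],
                    "seconds_after_signin": int(delta.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_persistence(SIGNINS, AUDITS, KNOWN_IPS):
        print("ALERT new MFA method registered {seconds_after_signin}s after sign-in: "
              "user={user} ip={ip} method={method}".format(**alert))
```

In a real deployment the baseline would come from the user's sign-in history rather than a hard-coded set, and the window can be tuned; the point is that a registration event landing seconds after a sign-in from a never-seen source is exactly the footprint the researchers describe, and it shows up in audit data even when the sign-in itself looked fully MFA-satisfied.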
