A new EvilProxy phishing attack is leveraging an open redirection flaw from the legitimate Indeed.com job search site, according to a report from Menlo Security, a cloud-based security company. Menlo Security notes this phishing attack campaign targets C-suite employees and other key executives at U.S.-based organizations primarily in manufacturing, insurance, banking and financial services, property management and real estate.

Jump to:

What is EvilProxy?

EvilProxy is a phishing-as-a-service kit that has been around since at least September 2022. This kit allows an attacker to successfully bypass two-factor authentication by using a reverse proxy functionality. To achieve that operation, the EvilProxy service sets up a phishing website according to selected options before the kit is deployed on the internet. Once a user accesses the phishing page, they’re asked to provide their credentials and 2FA code. This information is used in real time by the kit to open a hijacked session on the legitimate service the attacker targets.

EvilProxy is being sold on the Dark Web as a subscription-based service with plans ranging from 10 to 31 days. Someone using the nickname John_Malkovich plays the role of administrator and intermediary assisting customers who have purchased the service, according to Menlo Security.

How this new phishing campaign abuses Indeed.com redirector

This new EvilProxy attack starts with a phishing email sent to targets. The email contains a link that abuses an open redirector from Indeed (Figure A).

Figure A

Phishing email sample that contains a redirection from the Indeed.com domain.
Phishing email sample that contains a redirection from the Indeed.com domain. Image: Menlo Security

Redirectors are web links that might be used on legitimate websites for different reasons; however, redirectors need to be well implemented so they’re not abused. An open redirection is a redirection that can reroute the browser to any external domain.

In this attack, the threat actor takes advantage of a t.indeed.com subdomain, which is an open redirector when being provided with correct parameters:

https://t.indeed.com/r?parenttk=1ddp6896a2tsm800&target=https://youtube.com

Once the target clicks the link, they’re redirected to a fake Microsoft login page, which is provided by the EvilProxy kit. The unsuspecting target provides their credentials and 2FA code to the phishing page. On the server side, the kit uses those credentials and 2FA in real time to provide the attacker with a valid session cookie, which can be used to access the victim’s resources on the Microsoft website (Figure B).

Figure B

Attack chain representation with EvilProxy being used as a reverse proxy.
Attack chain representation with EvilProxy being used as a reverse proxy. Image: Menlo Security

In addition to the redirection from Indeed.com, two other redirections follow, controlled by the attackers (Figure C).

Figure C

Phishing redirection flow.
Phishing redirection flow. Image: Menlo Security

Technical evidence of EvilProxy usage

According to the researchers, the phishing pages are hosted on common URI paths that are often used by EvilProxy:

  • /ests/2.1/content/
  • /shared/1.0/content/
  • /officehub/bundles/

The phishing kit also uses Microsoft’s Ajax Content Delivery Network to help with dynamic fetching and rendering of JavaScript content.

An HTTP POST request contains the victim’s base64-encoded email address and a session identifier, which is also typical of the EvilProxy phishing kit. The FingerprintJS library is also used for browser fingerprinting.

Researcher Ravisankar Ramprasad explains that IP addresses running on NGINX servers replying with a “407 Proxy Authentication Required” are also indications of EvilProxy, as well as sites with 444 status code with subdomains such as lmo., auth., live., login-live. and mso.

Which industries are targets of this phishing campaign?

In addition to manufacturing, insurance providers, banking and financial services, property management and real estate, other impacted sectors in decreasing order are electronic components manufacturing, pharmaceuticals, healthcare and construction. Approximately 3% of the targets are in other sectors that include software, business consulting, accounting, supply chain management and logistics (Figure D).

Figure D

Distribution of verticals targeted in this phishing campaign.
Distribution of verticals targeted in this phishing campaign. Image: Menlo Security

How to mitigate this EvilProxy phishing threat

Service providers and websites shouldn’t allow redirections without proper control and sanitizing of the parameters provided to the redirector. Most redirectors should be configured to only allow internal links. If a website does need a redirection to an external link, additional security measures, such as using whitelists of external domains, must be deployed.

Employees should be trained to detect phishing email and malicious links that might be contained in them. In case of doubt, employees must have an easy way, possibly via a clickable button in their email client, to report a suspicious email to the IT security staff for further analysis. In addition, email security solutions must be deployed to detect phishing or malware infection attempts.

All operating systems and software should always be up to date and patched to avoid being compromised by a common vulnerability.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.