Go Back   Carder.life > [en] International Forum > Carding News
Reload this Page EvilProxy uses indeed.com open redirect for Microsoft 365 phishing

CARDER.MARKET - CARDING FORUM FOR PROFESSIONAL CARDERS


Reply
 
Thread Tools Display Modes
  #1  
Old 05-19-2025, 12:03 PM
Artifact's Avatar

Artifact Artifact is offline
Administrator
Join Date: Jan 2024
Posts: 0
Default


A recently uncovered phishing campaign is targeting Microsoft 365 accounts of key executives in U.S.-based organizations by abusing open redirects from the Indeed employment website for job listings.
The threat actor is using the EvilProxy phishing service that can collect session cookies, which can be used to bypass multi-factor authentication (MFA) mechanisms.
Researchers at Menlo Security report that the targets of this phishing campaign are executives and high-ranking employees from various industries, including electronic manufacturing, banking and finance, real estate, insurance, and property management.

Campaign targets
Redirects are legitimate URLs that take visitors automatically to another online location, typically a third-party website.
Open redirects are weaknesses in the website code that allow creating redirections to arbitrary locations, which threat actors have used to direct to a phishing page.

Open redirect example
Because the link comes from a trustworthy party, it can bypass email security measures or be promoted on search results without raising suspicion.
In the campaign that Menlo Security discovered, threat actors leverage an open redirect on indeed.com, the American site for job listings.

Redirect chain
The targets receive emails with an indeed.com link that looks legitimate. When accessed, the URL takes the user to a phishing site acting as a reverse proxy for Microsoft’s login page.

Phishing page used in the campaign
EvilProxy is a phishing-as-a-service platform that uses reverse proxies to facilitate communication and relay user details between the target and the genuine online service, Microsoft in this case.
When the user accesses their account via this phishing server, which mimics the authentic login page, the threat actor can capture the authentication cookies.
Because users have already completed the required MFA (multi-factor authentication) steps during login, the acquired cookies give cybercriminals full access to the victim account.

Overview of the attack
Menlo has recovered several artifacts from the attack that make attribution to EvilProxy more confident, such as:
  • Nginx server hosting

  • Specific URI paths previously linked to the service

  • Requirement for proxy authentication

  • Presence of 444 status code in the server response

  • Presence of IDS signatures designed for recognizing EvliProxy uri content

  • Usage of FingerprintJS library for browser fingerprinting

  • Usage of specific POST requests that contain victim emails in base64-encoded form

In August 2023, Proofpoint warned of another EvilProxy campaign, which distributed approximately 120,000 phishing emails to hundreds of organizations, targeting their employees’ Microsoft 365 accounts.
Unfortunately, the use of reverse proxy kits for phishing is growing and combining them with open redirects increases the success of a campaign.
https://www.bleepingcomputer.com/new...-365-phishing/
Reply

Tags
NULL

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is On
Forum Jump




All times are GMT. The time now is 10:01 AM.

Contact Us - Carder.life - Archive - Top