Black Arrow Cyber Advisory 07/09/2022 – Phishing-as-a-Service Platform that bypasses MFA lets all hackers use advanced phishing tactics (Updated 25/11/2022)
Update 25/11/2022: A number of sources have noted a steady increase in these attacks.
Executive Summary
EvilProxy, a Phishing-as-a-Service (PaaS) platform, allows low-skill malicious actors to bypass Multi-Factor Authentication (MFA) for multiple service providers, using techniques similar to those outlined in the previous cyber advisory of 19/07/2022, in which Microsoft detected a new phishing campaign that could bypass MFA if additional controls were not in place. Malicious actors pay for the service via a subscription model that allows them to set up and manage phishing campaigns in much the same way as a phishing simulation training platform.
What’s the risk to me or my business?
As advanced phishing techniques become available to low-skill threat actors, an increase in phishing campaigns is expected going forward. These particular campaigns are more dangerous because they have the potential to bypass security controls such as Multi-Factor Authentication.
What can I do?
Continue to follow the advice issued with the previous threat alert, Black Arrow Cyber Advisory 19/07/2022 – Microsoft identifies Phishing campaign which can bypass MFA. As this platform can be used against a range of services, including Apple and Google, it is important to have these controls in place across the business estate wherever possible.
A full breakdown of this particular phishing platform is available here: New EvilProxy service lets all hackers use advanced phishing tactics (bleepingcomputer.com)
Update: The Microsoft Detection and Response Team (DART) has published an updated blog post on how these attacks have increased and evolved over time, with the focus now on stealing session cookies rather than credentials. Recommended protections include management and oversight of end-user devices to ensure they are kept up to date with patches and anti-virus definitions, reducing the lifetime of authenticated sessions, and implementing Conditional Access application control. Further information can be found here: Token tactics: How to prevent, detect, and respond to cloud token theft - Microsoft Security Blog
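As an added illustration of why shorter session lifetimes and binding a session to the client that started it help against stolen cookies (this is example code written for this advisory, not code from Black Arrow or Microsoft): a small checker over constructed sign-in events that flags a session cookie presented from a different client than the one it was issued to, and a cookie presented after its permitted lifetime. The event fields, session ids, addresses and the four-hour lifetime are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, session cookie id, client IP, user agent).
# Not taken from any real log; sess-A is replayed from a second client,
# sess-B is presented long after it was first issued.
SAMPLE_EVENTS = [
    ("2022-11-25T09:00:00", "sess-A", "203.0.113.10", "Edge/107 Windows"),
    ("2022-11-25T09:20:00", "sess-A", "203.0.113.10", "Edge/107 Windows"),
    ("2022-11-25T09:25:00", "sess-A", "198.51.100.7", "Chrome/107 Linux"),
    ("2022-11-25T08:00:00", "sess-B", "192.0.2.44", "Safari/16 macOS"),
    ("2022-11-25T12:30:00", "sess-B", "192.0.2.44", "Safari/16 macOS"),
]

# Assumed policy value: sessions older than this should be rejected by the service.
MAX_SESSION_LIFETIME = timedelta(hours=4)


def analyse_sessions(events, max_lifetime=MAX_SESSION_LIFETIME):
    """Return findings as (session_id, reason, detail) tuples.

    'replay'  - the cookie is presented from a client fingerprint (IP + user agent)
                that differs from the one recorded at first use; a stolen cookie
                used from the attacker's proxy or browser looks like this.
    'expired' - the cookie is presented more than max_lifetime after first use;
                a short lifetime limits how long a stolen cookie stays useful.
    The fingerprint here is deliberately simple; real deployments should bind
    tokens to the device more strongly than IP + user agent to avoid false
    positives from legitimate network changes.
    """
    first_seen = {}  # session id -> (first time, ip, user agent)
    findings = []
    for ts, sid, ip, ua in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if sid not in first_seen:
            first_seen[sid] = (t, ip, ua)
            continue
        t0, ip0, ua0 = first_seen[sid]
        if (ip, ua) != (ip0, ua0):
            findings.append((sid, "replay", f"{ip0} {ua0} -> {ip} {ua}"))
        if t - t0 > max_lifetime:
            findings.append((sid, "expired", f"age {t - t0} exceeds {max_lifetime}"))
    return findings


if __name__ == "__main__":
    for sid, reason, detail in analyse_sessions(SAMPLE_EVENTS):
        print(f"{sid}: {reason} ({detail})")
```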
Need help understanding your gaps, or just want some advice? Get in touch with us.