EvilProxy Uses Indeed.com Open Redirect For Microsoft 365 Phishing

Cyber Security Threat Summary:
A recently uncovered phishing campaign is targeting Microsoft 365 accounts of key executives in U.S.-based organizations by abusing open redirects from the Indeed employment website for job listings. The threat actor is using the EvilProxy phishing service that can collect session cookies, which can be used to bypass multi-factor authentication (MFA) mechanisms. Researchers at Menlo Security report that the targets of this phishing campaign are executives and high-ranking employees from various industries, including electronic manufacturing, banking and finance, real estate, insurance, and property management. Open redirects are weaknesses in the website code that allow creating redirections to arbitrary locations, which threat actors have used to direct to a phishing page. Because the link comes from a trustworthy party, it can bypass email security measures or be promoted on search results without raising suspicion” (Bleeping Computer, 2023).

Security Officer Comments:
In the latest campaign uncovered by Menlo, threat actors are sending open redirect links for indeed.com to unsuspecting users via email. At first glance, the links look legitimate as they are impersonating indeed. However, when clicked on, they will redirect the recipient to a phishing site acting as a reverse proxy for Microsoft’s login page, which researchers say was deployed with the help of the EvilProxy phishing framework. In the event that the user tries to log in to their Microsoft account, the site will intercept the legitimate server’s request, and enable the actors to steal the session cookies, which can be further used to login to the legitimate Microsoft Online site. Since the users would be asked to complete multi-factor authentication during the login process, this also enables actors to bypass MFA protections that are in place.

Suggested Correction(s):

  • Educate users through awareness sessions and training.
  • Usage of phishing resistant MFA like FIDO based authentication like Yubikeys.
  • Ensure to verify whether the target URLs are also as legitimate as the source instead of assuming them to be safe.
  • Use session isolation solutions like HEAT Shield that will protect the users from zero hour phishing attacks in real time.