July 30, 2024 at 10:37AM
EvilProxy, a phishing kit known as the “LockBit of phishing,” is being used to launch attacks that use legitimate Cloudflare services to disguise malicious traffic. Criminals are offered customer support, videos, and guides to launch campaigns and disguise their activity. Notable threat actors TA4903 and TA577 have adopted EvilProxy for their phishing expeditions. Usage of phishing-as-a-service (PhaaS) platforms is increasing, which underscores the need for phishing-resistant MFA and ongoing employee training to protect against such threats.
Key takeaways from the meeting notes:
– EvilProxy, a phishing kit sold on dark-web marketplaces, is being used to launch phishing attacks that use legitimate Cloudflare services to disguise malicious traffic.
– Proofpoint has observed about a million EvilProxy threats every month, and there has been a significant increase in the use of Cloudflare services to disguise that traffic.
– Phishing campaigns using EvilProxy have targeted C-suite executives, giving attackers potential access to lucrative targets.
– The attackers are able to steal session cookies and MFA tokens, allowing them to sign in to legitimate Microsoft accounts.
– Notable threat actors TA4903 and TA577 have recently adopted the use of EvilProxy in their phishing campaigns.
– EvilProxy has been improved with better bot detection and new bot guard features, and users can now add their own bots and test their messages directly from the web interface.
– The rise in EvilProxy and similar phishing kits illustrates the need for network defenders to use phishing-resistant MFA and cloud security tools, and underscores the importance of user awareness and ongoing employee training to protect against phishing and other threats.