Proofpoint has written a blog discussing its research into an EvilProxy-based campaign targeting high-level business leaders across 100 global organizations. Successful cloud account takeover incidents have increased over 100 percent over the last six months, with the ultimate goal of establishing persistent access to executive’s business accounts.
The main vector of attack is through the spoofing of legitimate cloud services, from the initial phishing email to redirecting users to legitimate looking sites capable of harvesting MFA-enabled credentials. Based on observations of which credentials are then exploited, Proofpoint researchers believe the threat actor is utilizing an automated process to pinpoint “VIP” level credentials. Proofpoint provides IOCs related to this campaign and encourages organizations to protect against hybrid email-cloud threats by monitoring account activity to determine if it has been taken over, among other mitigations. Read more at Proofpoint.