Diving into details

• The campaign employed the EvilProxy phishing kit against potential targets.
• The phishing pages masquerade as Microsoft, as part of the Adversary in the Middle (AiTM) phishing method.
• This kit operates as a reverse proxy, standing between the client and the legitimate website, hence allowing it to harvest session cookies.
• Such an action can bypass security measures like non-phishing-resistant MFA. 

Modus operandi

• Phishing pages, deployed by EvilProxy, dynamically fetched content from legitimate login sites. 
• Subsequently, the phisher could intercept server communications and steal session cookies, enabling them to impersonate victims and bypass MFA.

Why this matters

Open redirection vulnerability plays a critical role in this malicious scheme. Essentially, it’s when an application redirects users to an untrusted external domain. This flaw can exploit the trust users have in the original source, misleading them into believing they’re accessing a legitimate site when they are, in reality, being directed to a malicious one.

The bottom line

This campaign highlights the escalating threats that organizations face from threat actors due to the use of sophisticated tools and trusted platforms to hoodwink their targets. To mitigate such threats, it is recommended to educate employees through regular training sessions, implement robust security protocols, continuously monitor network traffic, and maintain updated threat intelligence to identify and counteract emerging threats.