Threat Actors Leverage File-Sharing Service and Reverse Proxies for Credential Harvesting

Assessing the impact of a phishing attack holds critical importance in incident response. This provides valuable insight into the extent of the affected accounts in the organization. Through the lens of Trend MxDR, we were able to thoroughly scope the recipients of the phishing emails and those who interacted with the phishing link, potentially disclosing their credentials.

Furthermore, our investigation unveiled a series of additional Dracoon links used within this phishing campaign. These links also impersonated Microsoft 365, with the aim of stealing credentials and bypassing MFA using session cookies. The attackers employed an array of message subject lines, such as “Shipping Document,”  “New Brazil File,”  “China Shippement,”  and “Document from China.”  The efforts of our MxDR team allowed us to successfully trace the compromised accounts and promptly recommend that the affected users change their passwords.

MFA is often praised as a robust defense against credential theft and unauthorized access. While it is undoubtedly a powerful security tool, it’s important to recognize that MFA is not a silver bullet when it comes to safeguarding online accounts and sensitive information.

As we’ve discussed in this blog, the limitations of MFA become evident when considering threats like EvilProxy attacks. These malicious actors can intercept and manipulate network traffic, effectively bypassing the added layer of security that MFA offers.

The use of to host the PDF file provided threat actors with an effective means to circumvent email security measures. By abusing legitimate file-sharing services, the attackers were able to significantly improve their success rates while evading detection. Legitimate services can often bypass most of the security measures in place, making them attractive tools for threat actors.

Incidents like the one discussed in this blog entry also serves as a reminder that emails from known or trusted senders do not guarantee that they are wholly legitimate. Users must remain vigilant and exercise caution when clicking on links or downloading attachments, even from trusted sources.

Trend MxDR can prove to be highly efficient in detecting phishing attacks that involve the use of reverse proxies like EvilProxy. By continuously monitoring network traffic, analyzing patterns, and leveraging threat intelligence, MxDR can promptly identify such attacks and alert affected customers.

Here are several proactive measures and mitigation strategies that organizations can implement:

  1. Security Awareness: Conduct regular awareness sessions and comprehensive training programs to educate users. By providing detailed information and practical guidance, users can develop a strong understanding of potential risks and how to mitigate them. Furthermore, it is essential to emphasize the importance of verifying the legitimacy of target URLs before accessing them. Rather than assuming all URLs are safe, users should be encouraged to exercise caution and employ reliable methods to confirm the authenticity and security of the websites they visit. Conducting regular phishing attack simulation exercises serves as a proactive approach to raising awareness among employees.
  2. Implement Phishing Resistant MFA: One of the recommended measures to enhance security is the use of phishing-resistant MFA. By implementing MFA methods that are resilient against phishing attacks, such as FIDO-based authentication with devices like YubiKey or password-less MFA, organizations can significantly strengthen their authentication processes and protect against credential theft.
  3. Email Security: Organizations can protect their employees and users from malicious email threats by implementing an email security solution like Trend Email Security. Implementing Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and Domain Keys Identified Mail (DKIM) will also enhance email security.
  4. Continuous Monitoring: It is highly recommended to establish a robust system for continuous monitoring by centrally collecting and closely monitoring logs, particularly Microsoft 365 access and MFA logs to promptly identify, investigate and respond to any suspicious access activities. Automation should also be considered to swiftly disable or lock account access in response to suspicious indicators such as impossible travel or brute-force attempts.

The indicators of compromise for this entry can be found here.