How EvilProxy Uses Indeed.com to Phish Microsoft 365 Users

Phishing is a type of cyberattack that involves sending fraudulent emails or other messages that appear to come from legitimate sources, such as banks, social media platforms, or job portals. The goal of phishing is to trick the recipients into clicking on malicious links or attachments, or providing sensitive information, such as passwords, credit card numbers, or personal details.

One of the most common targets of phishing attacks is Microsoft 365, a cloud-based suite of productivity and collaboration tools that includes Outlook, Word, Excel, PowerPoint, Teams, and OneDrive. Microsoft 365 has over 300 million active users worldwide, making it an attractive target for cybercriminals who want to steal credentials, data, or money from unsuspecting users.

One of the latest phishing campaigns that targets Microsoft 365 users is called EvilProxy. This campaign uses an open redirect vulnerability in Indeed.com, a popular job search website, to redirect users to a fake Microsoft login page. The attackers use this technique to bypass email security filters and deceive users into thinking that they are accessing a legitimate website.

What is an open redirect vulnerability?

An open redirect vulnerability is a flaw in a web application that allows an attacker to redirect users to an arbitrary URL by modifying the parameters of a legitimate URL. For example, suppose that Indeed.com has a URL like this:

https://www.indeed.com/jobs?q=software+engineer&l=New+York

This URL will show the results for software engineer jobs in New York. However, if an attacker adds another parameter called redirect with a malicious URL as its value, like this:

https://www.indeed.com/jobs?q=software+engineer&l=New+York&redirect=https://evil.com

Then the user who clicks on this modified URL will be redirected to https://evil.com, which could be a phishing site or a malware download site. This is an example of an open redirect vulnerability, because Indeed.com does not validate or restrict the value of the redirect parameter.

An open redirect vulnerability can be exploited by attackers to perform phishing attacks, because they can use legitimate domains as a cover for their malicious URLs. For example, if an attacker sends an email with a subject line like “You have been selected for an interview” and a link like this:

https://www.indeed.com/jobs?q=software+engineer&l=New+York&redirect=https://login.microsoftonline.com

Then the user who clicks on this link will see Indeed.com in the address bar, but will be redirected to a fake Microsoft login page. The user may not notice the redirection and may enter their Microsoft 365 credentials on the fake page, giving the attacker access to their account.
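The following is an added example, not code from the article or from Indeed.com, covering both the vulnerability just explained and its use in phishing links. It shows a redirect handler that uses the parameter value as-is (the behaviour the article describes), a hardened version that only follows on-site destinations, and a scanner of the kind a mail gateway or triage script would run over links, flagging redirect-style parameters that point off-site. The allowlist, the list of parameter names, the hostnames and the sample links are all constructed assumptions for the demo.

```python
# Added example, not code from the article or from Indeed.com.  It shows a
# redirect handler that uses the parameter value as-is (the behaviour the
# article describes), a hardened version, and a scanner that flags links whose
# redirect-style parameter points off-site.  The allowlist, parameter names,
# hostnames and sample links are all constructed for the demo.
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts this site is willing to send users to (assumption for the demo).
ALLOWED_HOSTS = {"www.indeed.com", "indeed.com"}

# Parameter names that commonly carry a post-action destination (assumed list).
REDIRECT_PARAMS = {"redirect", "redirect_url", "return", "returnurl",
                   "next", "url", "goto", "continue"}


def unsafe_redirect(target: str) -> str:
    """The flaw: whatever the parameter says is where the user goes."""
    return target


def safe_redirect(target: str, default: str = "/") -> str:
    """Return `target` only if it stays on this site, otherwise `default`.

    The value is decoded and backslashes normalised before parsing, so
    encoded or "/\\host" variants are judged on what a browser would do.
    """
    raw = unquote(target).strip().replace("\\", "/")
    parts = urlsplit(raw)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default                      # javascript:, data:, mailto: ...
    if not parts.scheme and not parts.netloc:
        # Relative path: accept "/path" but not scheme-relative "//host".
        return raw if raw.startswith("/") and not raw.startswith("//") else default
    # Absolute URL: .hostname drops userinfo, so "www.indeed.com@evil" is
    # seen as "evil"; exact match also rejects "www.indeed.com.evil".
    host = (parts.hostname or "").lower()
    return raw if host in ALLOWED_HOSTS else default


def flag_open_redirect_links(links):
    """Mail-gateway style check: for each link, report redirect-style
    parameters whose value is a URL on a host other than the link's own.
    Returns (link, parameter, target_host) tuples."""
    findings = []
    for link in links:
        parts = urlsplit(link)
        own_host = (parts.hostname or "").lower()
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            if name.lower() not in REDIRECT_PARAMS:
                continue
            for value in values:
                # parse_qs already decoded once; decode again so a doubly
                # encoded value is still inspected, then normalise slashes.
                target = unquote(value).replace("\\", "/")
                target_host = (urlsplit(target).hostname or "").lower()
                if target_host and target_host != own_host:
                    findings.append((link, name, target_host))
    return findings


# Constructed sample links as they might appear in a quarantined message.
SAMPLE_LINKS = [
    "https://www.indeed.com/jobs?q=software+engineer&l=New+York",
    "https://www.indeed.com/jobs?q=software+engineer&l=New+York&redirect=https://evil.example",
    "https://www.indeed.com/jobs?q=nurse&redirect=%2F%2Fevil.example%2Flogin",
    "https://www.indeed.com/jobs?q=nurse&next=/account/profile",
]

if __name__ == "__main__":
    for link, param, host in flag_open_redirect_links(SAMPLE_LINKS):
        print(f"FLAG {param}= -> {host}  in {link}")
    for value in ("https://evil.example", "//evil.example", "/jobs?q=nurse"):
        print(f"{value!r:28} unsafe -> {unsafe_redirect(value)!r:26} safe -> {safe_redirect(value)!r}")
```

The hardened check deliberately accepts only two shapes: a plain relative path, or an absolute http(s) URL whose hostname matches the allowlist exactly. Matching on a prefix such as "https://www.indeed.com" would still let through userinfo tricks and look-alike subdomains, which is why the parsed hostname is compared rather than the raw string. The scanner is the mirror image: it does not need to know the site's allowlist, only that a destination on a different host than the link itself is worth a closer look.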

How does EvilProxy work?

EvilProxy is a phishing campaign that uses an open redirect vulnerability in Indeed.com to target Microsoft 365 users. The campaign was discovered by researchers from Abnormal Security, who observed that the attackers sent out thousands of phishing emails with different subject lines and sender names, but with the same format and content.

The phishing emails claim that the recipient has been selected for an interview by a company called “Aerotek”, which is a real staffing agency. The email contains a link that supposedly leads to an online interview portal, where the recipient can schedule their interview and upload their resume. However, the link is actually a modified Indeed.com URL with an open redirect parameter that points to a fake Microsoft login page.

The fake login page looks identical to the real one, except for some minor differences in the URL and the logo. The page asks the user to enter their email address and password, and then redirects them to another fake page that asks for their phone number and verification code. The verification code is supposed to be sent by SMS or phone call, but it is actually generated by the attackers using an online service called Twilio.

The attackers use Twilio to send SMS or make phone calls to the victims, pretending to be Microsoft. They ask the victims to enter the verification code on the fake page, which allows them to bypass the two-factor authentication (2FA) mechanism of Microsoft 365. Once they have the verification code, they can access the victim’s Microsoft 365 account and perform various malicious activities, such as stealing data, sending spam emails, or installing malware.
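The bypass described above works because a verification code is checked only by its value, never by where the user typed it. The following added example (not code from the article, from Microsoft, or from Twilio) models that difference on the server side: a standard RFC 6238 time-based one-time code that is accepted no matter which page collected it, beside a simplified origin-bound factor in which the user's authenticator folds the browser's actual origin into each response, so a response produced on a look-alike page fails verification on the real site. The origin-bound part is an HMAC stand-in for the way WebAuthn signs the origin into an assertion, not an implementation of WebAuthn; the keys, origins and timestamp are constructed for the demo.

```python
# Added example, not code from the article or from any product it names.
# It models why a one-time code typed into a look-alike page also works on the
# real site, while a factor bound to the page origin does not.  The TOTP
# routine follows RFC 6238; the "origin-bound assertion" is a simplified
# HMAC stand-in for how WebAuthn signs the origin into each assertion.
# All keys, origins and times below are constructed for the demo.
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://login.example"                      # constructed real login origin
FAKE_ORIGIN = "https://login.example.evil-proxy.example"   # constructed look-alike origin

OTP_SECRET = b"12345678901234567890"             # RFC 6238 test secret
DEVICE_KEY = b"constructed-device-key-for-demo"  # stand-in for a hardware key's credential


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step) for the given Unix time."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def authenticator_sign(device_key: bytes, challenge: str, browser_origin: str) -> bytes:
    """What the user's authenticator produces: a tag over the server challenge
    AND the origin the browser is actually on.  It is never told the
    'intended' origin, only the real one."""
    return hmac.new(device_key, f"{challenge}|{browser_origin}".encode(), hashlib.sha256).digest()


class LoginServer:
    """The genuine service.  Both verifiers run on this side only."""

    def __init__(self, otp_secret: bytes, device_key: bytes):
        self.otp_secret = otp_secret
        self.device_key = device_key
        self.open_challenges: set[str] = set()

    def verify_otp(self, code: str, now: int) -> bool:
        # The check knows nothing about where the user typed the code, so a
        # code collected on a fake page is indistinguishable from one typed
        # on the real page.
        return hmac.compare_digest(code, totp(self.otp_secret, now))

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.open_challenges.add(challenge)
        return challenge

    def verify_assertion(self, challenge: str, tag: bytes) -> bool:
        # Single use, and recomputed over the server's OWN origin: a tag made
        # while the browser sat on another origin cannot match.
        if challenge not in self.open_challenges:
            return False
        self.open_challenges.discard(challenge)
        expected = authenticator_sign(self.device_key, challenge, REAL_ORIGIN)
        return hmac.compare_digest(tag, expected)


def relayed_otp_accepted(now: int = 1_700_000_000) -> bool:
    """Victim reads the current code from their phone and types it into the
    look-alike page; the proxy submits the same string to the real server."""
    server = LoginServer(OTP_SECRET, DEVICE_KEY)
    code_typed_on_fake_page = totp(OTP_SECRET, now)
    return server.verify_otp(code_typed_on_fake_page, now)   # True


def relayed_assertion_accepted() -> bool:
    """Same relay against an origin-bound factor: the proxy obtains a real
    challenge and hands it to the victim's browser, but that browser is on
    FAKE_ORIGIN, so the authenticator binds the wrong origin into the tag."""
    server = LoginServer(OTP_SECRET, DEVICE_KEY)
    challenge = server.new_challenge()
    tag = authenticator_sign(DEVICE_KEY, challenge, FAKE_ORIGIN)
    return server.verify_assertion(challenge, tag)   # False


def genuine_assertion_accepted() -> bool:
    """Control case: the same authenticator used on the real origin."""
    server = LoginServer(OTP_SECRET, DEVICE_KEY)
    challenge = server.new_challenge()
    tag = authenticator_sign(DEVICE_KEY, challenge, REAL_ORIGIN)
    return server.verify_assertion(challenge, tag)   # True


if __name__ == "__main__":
    print("relayed OTP accepted:      ", relayed_otp_accepted())
    print("relayed assertion accepted:", relayed_assertion_accepted())
    print("genuine assertion accepted:", genuine_assertion_accepted())
```

The point the model makes is that the server in `verify_assertion` never asks the client which origin it was on; it recomputes the expected value over its own origin, so the binding cannot be spoofed by the party forwarding the response. A code-only factor, whether delivered by authenticator app, SMS or voice call, has no such property, which is why the article's campaign can succeed against it.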

How can you protect yourself from EvilProxy?

EvilProxy is a sophisticated phishing campaign that exploits an open redirect vulnerability in Indeed.com and uses Twilio to bypass 2FA. However, there are some steps that you can take to protect yourself from falling victim to this campaign or similar ones:

Best practices for two-factor authentication

Two-factor authentication (2FA) is a security feature that requires you to provide two pieces of evidence to verify your identity when you log in to an online account. The two pieces of evidence are usually something you know, such as a password, and something you have, such as a phone or a token. 2FA can help you prevent unauthorized access to your account, even if someone steals or guesses your password.

However, 2FA is not perfect, and it can be bypassed by some phishing techniques, such as EvilProxy. Therefore, you should follow some best practices to make 2FA more effective and secure: