EvilProxy Phishing Kit Steals Session Tokens, Bypassing MFA on Victims' Email Accounts

EvilProxy bypasses MFA to take over a victim's email account.

Aug. 29th 2024 Update: This Reddit thread provides some valuable instructions for preventing these attacks within your O365 environment without a Microsoft Entra ID P2 (E5-class) license.

A license that includes Microsoft Entra ID P2 (Microsoft 365 E5, for example) lets you enable the Conditional Access session control "Require token protection for sign-in sessions," which binds sign-in session tokens to the device they were issued to, so a copied token replayed from the attacker's machine is rejected. One caveat: in its current preview form it covers sign-in session tokens for specific Windows desktop clients, not the browser session cookies EvilProxy harvests, so treat it as one layer rather than a complete answer. Why doesn't Microsoft include this protection at all levels of licensing?!

How do you protect against post-authentication token attacks in O365 without Entra ID P2 licensing?

According to Reddit user LookingatCrows, you can configure your O365 Conditional Access policies so that a stolen authentication token is of little use. The key is that during an EvilProxy attack the sign-in Microsoft actually sees comes from the attacker's proxy, not from the user's managed device, so a policy that requires a known device fails the proxied sign-in even though the user typed a valid password and approved MFA. To do this follow these steps:

1. Require a compliant device

Compliant devices must meet the requirements set in an Intune compliance policy. Only devices enrolled in Intune can have compliance policies assigned to them, which is what the Conditional Access grant control evaluates.

2. Block platforms not permitted for the user

Make your devices (a) hybrid joined, (b) Entra joined, or (c) pulled through from another MDM via an Intune device compliance partner integration, and block personal enrollment of devices. This shrinks the pool of devices that can sign in from billions to just those the company owns. Keep in mind that the device platform condition is derived from the browser's user agent, which an attacker controls, so this step supplements step 1 rather than replacing it.

3. Restrict by organization location where possible

These are the geolocation protections that prevent users from signing in from countries or locations your organization does not permit. Define your office IP ranges and permitted countries as named locations, mark the office ranges as trusted, and block everything else.
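The three steps above as policy-as-code, added here as an example (it is not from the CyberHoot post or the Reddit thread). It uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph modules are installed, the signed-in admin holds the Conditional Access Administrator role, your office IP ranges already exist as trusted named locations, and the placeholder GUID is replaced with your break-glass account. Every policy is created in report-only state so you can check its impact in the sign-in logs before enforcing it.

```powershell
# Added example, not from the CyberHoot post or the Reddit thread: creates the
# three Conditional Access policies described above with the Microsoft Graph
# PowerShell SDK.  Assumptions: the Microsoft.Graph modules are installed, the
# signed-in admin holds the Conditional Access Administrator role, your office
# IP ranges are already defined as *trusted* named locations, and the GUID
# below is replaced with your break-glass (emergency access) account.
# Every policy starts in report-only mode so you can review its impact in the
# sign-in logs before switching its state to "enabled".

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$BreakGlassAccountId = "00000000-0000-0000-0000-000000000000"   # placeholder GUID
$Users = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassAccountId) }
$Apps  = @{ includeApplications = @("All") }

# Step 1: require an Intune-compliant or hybrid-joined device.  The EvilProxy
# relay is what Microsoft sees as the client, and it has no device identity, so
# this grant fails for the proxied sign-in even though password and MFA passed.
$RequireManagedDevice = @{
    displayName   = "CA01 - Require compliant or hybrid joined device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $Users
        applications   = $Apps
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

# Step 2: block every platform the company does not issue.  "all" minus the
# approved list means anything else (Linux, unknown agents) is blocked.  The
# platform is inferred from the user agent, so treat this as a supplement to
# step 1, not a replacement.
$BlockOtherPlatforms = @{
    displayName   = "CA02 - Block platforms not issued to users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $Users
        applications   = $Apps
        clientAppTypes = @("all")
        platforms      = @{
            includePlatforms = @("all")
            excludePlatforms = @("windows", "macOS", "iOS", "android")
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Step 3: block sign-ins from anywhere that is not a trusted named location.
$BlockUntrustedLocations = @{
    displayName   = "CA03 - Block sign-in outside trusted locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $Users
        applications   = $Apps
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($Policy in @($RequireManagedDevice, $BlockOtherPlatforms, $BlockUntrustedLocations)) {
    $Created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $Created.DisplayName, $Created.Id, $Created.State)
}
```

Let the policies run in report-only mode for a week, review the "Report-only" results in the Entra sign-in log for any legitimate users who would have been blocked (unenrolled devices, travelling staff), and only then change `state` to `enabled`. Keep the break-glass account excluded from all three so a misconfiguration cannot lock every admin out.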

Feb. 7th 2024 Update – Hackers are embedding malicious EvilProxy links in innocuous-looking "Unsubscribe" links.

Recent first-hand experience at CyberHoot found malicious unsubscribe links that stole session cookies to the email and bank accounts of a user. The hacker stole the email session and a banking session token, and the banking session is what brought the attack down: when they updated the email address on the bank account and changed the login password, the bank's fraud department called within minutes asking about the activity. From there the incident was resolved within 30 minutes.

Incident lessons learned:

  1. Do not EVER let your guard down on ANY email you receive. It can be a general notice email, a favorite charity, or a workout club advertisement. It does not need to be urgent or emotional. Before clicking "Unsubscribe," apply ALL the phish training you've learned from HootPhish (or others). Start by looking for typo-squatted domains.
  2. Ensure you have multi-factor authentication enabled on all your accounts for every activity, including password resets. MFA alone did not stop this attack, so prefer phishing-resistant methods (FIDO2 security keys or passkeys) wherever the account supports them.
  3. Freeze your credit everywhere. Here's how.
  4. File your taxes early. In this incident the hacker had access to the user's SSN, DOB, and address: everything needed for identity theft or for filing a fraudulent tax return with a big refund sent to an address of their choosing.

Aug. 10th, 2023 – A large number of Microsoft 365 accounts have been reported taken over despite having MFA enabled; EvilProxy is the culprit.

CyberHoot vCISOs handled two M365 account compromises in the last 24 hours. We researched what may be happening to breach MFA-enabled accounts. This is what we learned.
 
Bleeping Computer reported yesterday on an incident in which unknown hackers, thought to be from Greece, targeted more than 120,000 Microsoft 365 email accounts using the EvilProxy phishing kit.

Overview of how EvilProxy Works:

EvilProxy is not malware installed on the victim's machine; it is a reverse-proxy (adversary-in-the-middle) phishing kit sold as a service. The phishing link sends the victim to a look-alike domain the kit controls; the kit forwards every request to the real Microsoft login page and returns the real responses, so the victim sees the genuine sign-in flow, completes MFA, and lands in their mailbox as usual. Because all traffic passes through the proxy, the attacker captures the session cookie Microsoft issues once MFA succeeds. Replaying that cookie from the attacker's own browser gives them a signed-in session with no password or MFA prompt, from which they can register a new MFA method, change forwarding rules, and do anything else the user could do in the compromised O365 mailbox.
 
Warning: if you're not worried simply because you aren't an O365 user, think again. EvilProxy also ships phishing pages for Apple, Google, Twitter, GitHub, GoDaddy, and PyPI accounts.
 
After the Hackers are In, What Happens Next?
  1. Once a Microsoft 365 account is compromised, the threat actors add their own multi-factor authentication method (an Authenticator app with notification and code) to establish persistence, so they keep access even after the stolen session expires.
  2. They may also add inbox "Rules" to hide their presence and the communications they start sending. Often they scrape every address the victim has corresponded with and launch a similar phishing campaign that exploits the trust those contacts place in the compromised account: "This email came from the CFO of my company. I trust that person, so I'll click their Adobe document or PDF attachment and authenticate to view it."
How to Improve Protections from EvilProxy in your Email Systems:
  1. Implement Conditional Access through your Microsoft license to limit logins to specific devices and geographic locations. If your license includes Identity Protection, add sign-in risk policies, which react to detections such as atypical or impossible travel.
  2. If available, use Microsoft Intune to deny access from untrusted devices (or configure the equivalent policy in your own mobile device management solution).
  3. Enable and leverage passwordless, phishing-resistant authentication such as Windows Hello for Business. It works with a device PIN or with biometrics (face, fingerprint, or iris); either way the credential is bound to the device and to the real login origin, so a proxy on a look-alike domain cannot complete the sign-in.
  4. Consider a hardware token (FIDO2 security key) as your MFA method. This needs a USB or NFC capable device and a supported browser or OS, not biometrics; like Windows Hello, the key signs a challenge that includes the site's origin, so an EvilProxy page on another domain fails the check.
Other Measures to Consider:
  1. Train employees on how to spot and delete phishing attacks.
  2. Test employees with innovative phishing simulations like CyberHoot's HootPhish offering. This is a positive, educational, assignment-based phishing simulation and test. The simulation results in a much more cyber-literate employee capable of spotting phishing attacks independently, confidently, and efficiently.
What Do you Do After An Attack?
  1. Reset the victim's password and revoke all signed-in sessions. Please note: revoking sessions in Microsoft 365 invalidates refresh tokens and browser session cookies, but access tokens that were already issued stay valid until they expire (about an hour by default, longer for clients that do not support continuous access evaluation or under a custom token lifetime), so a hacker can remain active for a while after the reset. Watch the sign-in logs for that window.
  2. Revert any and all unexpected changes to MFA configuration on the account.
  3. Search for and remove all unexpected inbox manipulation "Rules".
  4. Disable external forwarding rules. (Note: this can be done at the domain level for all user accounts and may be a good decision going forward. Be sure to seek proper approvals before disabling all forwarding.)
  5. Watch out for emails containing typo-squatted domains.
  6. Search the sign-in logs for evidence of the stolen session being replayed: sign-ins from an unfamiliar IP address or browser where the MFA requirement was satisfied by a claim in the token rather than by a fresh prompt.
  7. Look for abnormal activity from unusual IP addresses or locations in the mail audit logs of compromised accounts.
  8. Run a malware scan on the device in question. While EvilProxy itself does not drop malware, these events have a habit of expanding into other avenues of compromise, including malware deposit.
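A containment script for the steps above, added here as an example (it is not from the CyberHoot post). It uses the Microsoft Graph PowerShell SDK and Exchange Online PowerShell and assumes both modules are installed, the operator holds the needed admin roles, and the victim's user principal name is passed as `-Upn`. The `'*satisfied by claim*'` match is the wording the sign-in log uses when an MFA requirement was met by a replayed token rather than a fresh prompt.

```powershell
# Added example, not from the CyberHoot post: first-hour containment for a
# compromised Microsoft 365 mailbox, covering steps 1 to 4 and 6 to 7 above.
# Assumptions: the Microsoft.Graph and ExchangeOnlineManagement modules are
# installed, the operator holds the needed admin roles, and $Upn is the
# victim's user principal name.  Save as Contain-M365Account.ps1.

param(
    [Parameter(Mandatory)] [string] $Upn
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All", "AuditLog.Read.All"
Connect-ExchangeOnline -ShowBanner:$false

$User = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName

# 1. Reset the password, then revoke refresh tokens and browser sessions.
#    Access tokens already in the attacker's hands stay valid until they expire
#    (about an hour by default), so keep watching the sign-in log afterwards.
$NewPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $User.Id -PasswordProfile @{
    password                      = $NewPassword
    forceChangePasswordNextSignIn = $true
}
Revoke-MgUserSignInSession -UserId $User.Id | Out-Null
Write-Host "Password reset and sessions revoked for $Upn"

# 2. List every registered MFA method; an attacker-added Authenticator app shows
#    up here as an extra microsoftAuthenticatorAuthenticationMethod.
Get-MgUserAuthenticationMethod -UserId $User.Id |
    Select-Object Id,
        @{ n = 'Type';   e = { $_.AdditionalProperties['@odata.type'] } },
        @{ n = 'Detail'; e = { $_.AdditionalProperties['displayName'] } } |
    Format-Table -AutoSize
# Remove an unexpected Authenticator registration with:
#   Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $User.Id -MicrosoftAuthenticatorAuthenticationMethodId <Id>

# 3. Inbox rules: show them all, then disable any that delete, forward or redirect mail.
$Rules = Get-InboxRule -Mailbox $Upn
$Rules | Format-Table Name, Enabled, DeleteMessage, MoveToFolder, ForwardTo, RedirectTo -AutoSize
$Rules | Where-Object { $_.DeleteMessage -or $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo } |
    ForEach-Object { Disable-InboxRule -Identity $_.Identity -Mailbox $Upn -Confirm:$false }

# 4. Clear mailbox-level forwarding.  The tenant-wide control is
#    Set-RemoteDomain Default -AutoForwardEnabled $false (get approval first).
Get-Mailbox -Identity $Upn | Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null

# 6/7. Sign-ins from the last 7 days grouped by IP and country.  A replayed
#      EvilProxy session appears as an unfamiliar IP whose MFA step reads
#      "satisfied by claim in the token" instead of a fresh prompt.
$Since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$SignIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $Since"
$SignIns | Group-Object IpAddress, { $_.Location.CountryOrRegion } |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Sort-Object CreatedDateTime | Select-Object -First 1).CreatedDateTime } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object CreatedDateTime | Select-Object -Last 1).CreatedDateTime } } |
    Format-Table -AutoSize
$SignIns | Where-Object {
    $_.AuthenticationDetails.AuthenticationStepResultDetail -like '*satisfied by claim*'
} | Select-Object CreatedDateTime, IpAddress, AppDisplayName, @{ n = 'Browser'; e = { $_.DeviceDetail.Browser } } |
    Format-Table -AutoSize
```

Run it as `.\Contain-M365Account.ps1 -Upn user@example.com` (the address is a placeholder). Any IP address in the grouped output that the user does not recognise, especially one that appears only with "satisfied by claim" MFA results, is the attacker's replayed session; block it in Conditional Access and feed it to your mail audit log search.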
