
EvilProxy PhaaS (phishing-as-a-service) bypasses MFA

Multifactor authentication (MFA) has been the de facto standard to protect against phishing attacks. However, as MFA adoption grows, so do attackers' efforts to bypass it.

Threat actors are now productizing established MFA bypass techniques by offering phishing as a subscription service. One such example has recently emerged on the Dark Web and is called EvilProxy, as documented by Resecurity.


Using techniques earlier documented by Microsoft, EvilProxy leverages the "reverse proxy" principle. The concept behind a reverse proxy is simple: bad actors lead victims to a phishing site, which uses a reverse proxy to retrieve all the legitimate content the user expects, including login pages. Because the proxy sits between the victim and the real service, the attackers can collect valid session cookies and bypass the need to authenticate with usernames, passwords and/or 2FA tokens.

The technique is also called an Adversary-in-the-Middle (AitM) phishing attack and, crucially, does not require the threat actor to have prior access to the victim's computer.

Credit: Microsoft 365 Defender Research Team (from their blog)

EvilProxy acts just like a legitimate subscription service and makes it very easy to launch sophisticated MFA-bypassing attacks. It includes payment options, various packages and a concerted "sales" effort on the Dark Web. It supports well-known online services such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex and others.

Also, it supports MFA bypass for online code repos such as PyPI, which recently turned on MFA for some of its most popular projects, precisely because of frequent phishing attacks. Offering MFA bypass for code repositories indicates threat actors are targeting software developers to gain access to their code base with the ultimate goal of compromising software supply chains.


Multifactor authentication is not broken, but the pace of innovation in phishing attacks is relentless and probably means organizations will have to adapt quickly. This means looking into more automated security awareness training (SAT) as well as modern Fast IDentity Online (FIDO) v2.0 authenticators and Identity-as-a-service (IDaaS) solutions, offering more intelligent and granular login policies, especially around unfamiliar sign-in events from unusual countries, times of day, etc.
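The kind of login policy described above can be sketched as detection logic over session events. This is an added example, not code from the original article or from any vendor; the event fields, the per-user country baseline and the sample data are constructed assumptions to be mapped onto whatever your identity provider actually logs.

```python
# Constructed baseline and events (not real logs); field names are hypothetical.
KNOWN_COUNTRIES = {"alice": {"NL"}, "bob": {"US", "CA"}}

EVENTS = [
    # (user, session id, event type, country, user agent)
    ("alice", "s-100", "mfa_success", "NL", "Firefox/104"),
    ("alice", "s-100", "request",     "NL", "Firefox/104"),
    # With a reverse proxy in the path, the service sees the sign-in
    # arrive from the proxy's network, not from the user's usual location.
    ("bob",   "s-200", "mfa_success", "RO", "Chrome/105"),
    ("bob",   "s-200", "request",     "RO", "Chrome/105"),
    # The same session cookie later shows up with a different context.
    ("bob",   "s-200", "request",     "VN", "curl/7.85"),
]


def find_suspicious_sessions(events, known_countries):
    """Return {session_id: [reasons]} for sessions that warrant
    step-up authentication or revocation."""
    bound = {}   # session -> (country, user agent) seen when MFA completed
    alerts = {}
    for user, session, kind, country, ua in events:
        reasons = alerts.setdefault(session, [])
        if kind == "mfa_success":
            bound[session] = (country, ua)
            if country not in known_countries.get(user, set()):
                reasons.append(f"MFA completed from unfamiliar country {country}")
        elif session not in bound:
            reasons.append("session used without a recorded MFA event")
        elif (country, ua) != bound[session]:
            msg = (f"cookie presented from {country} / {ua}, "
                   f"bound to {bound[session][0]} / {bound[session][1]}")
            if msg not in reasons:   # report each new context once
                reasons.append(msg)
    return {s: r for s, r in alerts.items() if r}


if __name__ == "__main__":
    for session, reasons in find_suspicious_sessions(EVENTS, KNOWN_COUNTRIES).items():
        for reason in reasons:
            print(f"{session}: {reason}")
```

Travel, VPNs and browser updates change these attributes for legitimate users too, so treat a hit as a trigger for re-authentication rather than as proof of compromise.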


Read more on EvilProxy Phishing-as-a-service at Help Net Security.
