Researchers from Proofpoint are warning of threat actors that are using the death of Queen Elizabeth II as bait in phishing attacks.
The attackers aim at tricking recipients into visiting sites designed to steal their Microsoft account credentials and MFA codes.
The messages sent to the victims purported to be from Microsoft and invited recipients to an “artificial technology hub” in Queen Elizabeth II honor.
The content of the message informs the recipients that Microsoft is launching an interactive AI memory board in honor of Her Majesty Queen Elizabeth II and invites them to contribute to its creation by accessing it using their Microsoft account credentials
Upon clicking the button embedded within the email, the recipients are redirected to the phishing landing page where they’re asked to enter their Microsoft credentials.
The phishing page (hxxps://auth[.]royalqueenelizabeth[.]com/?) has been created with the recently discovered EvilProxy phishing kit.
The landing page is hxxps://auth[.]royalqueenelizabeth[.]com/?
EvilProxy actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication – proxyfying victim’s session. Previously such methods have been seen in targeted campaigns of APT and cyberespionage groups, however, now these methods have been successfully productized in EvilProxy which highlights the significance of growth in attacks against online-services and MFA authorization mechanisms.
The first mention of EvilProxy was detected in early May 2022, this is when the actors running it released a demonstration video detailing how it could be used to deliver advanced phishing links with the intention to compromise consumer accounts belonging to major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex and others.
EvilProxy uses the “Reverse Proxy” principle. The reverse proxy concept is simple: the bad actors lead victims into a phishing page, use the reverse proxy to fetch all the legitimate content which the user expects including login pages – it sniffs their traffic as it passes through the proxy. This way they can harvest valid session cookies and bypass the need to authenticate with usernames, passwords and/or 2FA tokens.
Resecurity has acquired videos released by EvilProxy actors demonstrating how it can be used to steal the victim’s session and successfully go through Microsoft 2FA and Google e-mail services to gain access to the target account.
EvilProxy is offered on a subscription base, when the end user (a cybercriminal) chooses a service of interest to target (e.g., Facebook or Linkedin), the activation will be for a specific period of time (10, 20 or 31 days as per the description of the plan which was published by the actors on multiple Dark Web forums).
(SecurityAffairs – hacking, Queen Elizabeth II)