How EvilProxy Uses Indeed.com to Phish Microsoft 365 Users
Phishing is a type of cyberattack that involves sending fraudulent emails or other messages that appear to come from legitimate sources, such as banks, social media platforms, or job portals. The goal of phishing is to trick the recipients into clicking on malicious links or attachments, or providing sensitive information, such as passwords, credit card numbers, or personal details.
One of the most common targets of phishing attacks is Microsoft 365, a cloud-based suite of productivity and collaboration tools that includes Outlook, Word, Excel, PowerPoint, Teams, and OneDrive. Microsoft 365 has over 300 million active users worldwide, making it an attractive target for cybercriminals who want to steal credentials, data, or money from unsuspecting users.
One of the latest phishing campaigns that targets Microsoft 365 users is called EvilProxy. This campaign uses an open redirect vulnerability in Indeed.com, a popular job search website, to redirect users to a fake Microsoft login page. The attackers use this technique to bypass email security filters and deceive users into thinking that they are accessing a legitimate website.
What is an open redirect vulnerability?
An open redirect vulnerability is a flaw in a web application that allows an attacker to redirect users to any arbitrary URL by modifying the parameters of a legitimate URL. For example, suppose that Indeed.com has a URL like this:
This URL will show the results for software engineer jobs in New York. However, if an attacker adds another parameter called
redirect with a malicious URL as its value, like this:
Then the user who clicks on this modified URL will be redirected to
https://evil.com, which could be a phishing site or a malware download site. This is an example of an open redirect vulnerability, because Indeed.com does not validate or restrict the value of the
An open redirect vulnerability can be exploited by attackers to perform phishing attacks, because they can use legitimate domains as a cover for their malicious URLs. For example, if an attacker sends an email with a subject line like “You have been selected for an interview” and a link like this:
Then the user who clicks on this link will see Indeed.com in the address bar, but will be redirected to a fake Microsoft login page. The user may not notice the redirection and may enter their Microsoft 365 credentials on the fake page, giving the attacker access to their account.
How does EvilProxy work?
EvilProxy is a phishing campaign that uses an open redirect vulnerability in Indeed.com to target Microsoft 365 users. The campaign was discovered by researchers from Abnormal Security, who observed that the attackers sent out thousands of phishing emails with different subject lines and sender names, but with the same format and content.
The phishing emails claim that the recipient has been selected for an interview by a company called “Aerotek”, which is a real staffing agency. The email contains a link that supposedly leads to an online interview portal, where the recipient can schedule their interview and upload their resume. However, the link is actually a modified Indeed.com URL with an open redirect parameter that points to a fake Microsoft login page.
The fake login page looks identical to the real one, except for some minor differences in the URL and the logo. The page asks the user to enter their email address and password, and then redirects them to another fake page that asks for their phone number and verification code. The verification code is supposed to be sent by SMS or phone call, but it is actually generated by the attackers using an online service called Twilio.
The attackers use Twilio to send SMS or make phone calls to the victims, pretending to be Microsoft. They ask the victims to enter the verification code on the fake page, which allows them to bypass the two-factor authentication (2FA) mechanism of Microsoft 365. Once they have the verification code, they can access the victim’s Microsoft 365 account and perform various malicious activities, such as stealing data, sending spam emails, or installing malware.
How can you protect yourself from EvilProxy?
EvilProxy is a sophisticated phishing campaign that exploits an open redirect vulnerability in Indeed.com and uses Twilio to bypass 2FA. However, there are some steps that you can take to protect yourself from falling victim to this campaign or similar ones:
- Be wary of unsolicited emails that claim to offer you job opportunities or interviews. Do not click on any links or attachments without verifying their authenticity.
- Check the URL of any website that asks you to log in with your Microsoft 365 credentials. Make sure that the domain name is
microsoftonline.com, and that the URL starts with
https://. Do not enter your credentials on any website that has a different domain name or a suspicious URL.
- Enable 2FA on your Microsoft 365 account and use a strong and unique password. 2FA adds an extra layer of security to your account by requiring you to enter a verification code or use a biometric device, such as a fingerprint scanner, in addition to your password. However, 2FA is not foolproof, as EvilProxy shows. Therefore, you should also use a strong and unique password that is different from your other accounts and that is not easy to guess or crack.
- Use a reputable antivirus software and keep it updated. Antivirus software can help you detect and remove any malware that may be installed on your device by phishing emails or websites. You should also keep your antivirus software updated with the latest security patches and definitions.
Best practices for two-factor authentication
Two-factor authentication (2FA) is a security feature that requires you to provide two pieces of evidence to verify your identity when you log in to an online account. The two pieces of evidence are usually something you know, such as a password, and something you have, such as a phone or a token. 2FA can help you prevent unauthorized access to your account, even if someone steals or guesses your password.
However, 2FA is not perfect, and it can be bypassed by some phishing techniques, such as EvilProxy. Therefore, you should follow some best practices to make 2FA more effective and secure:
- Choose a reliable 2FA method. There are different types of 2FA methods, such as SMS, phone call, email, app, or hardware token. Some of these methods are more secure than others, depending on how they generate and deliver the verification code. For example, SMS and phone call are vulnerable to interception or spoofing by attackers, while app and hardware token are more resistant to these attacks. You should choose a 2FA method that suits your needs and preferences, but also provides a high level of security.
- Use different 2FA methods for different accounts. If you use the same 2FA method for all your accounts, you may increase the risk of compromising them all if one of them is breached. For example, if you use SMS as your 2FA method for both your Microsoft 365 account and your bank account, and an attacker manages to intercept or spoof your SMS messages, they may be able to access both accounts. You should use different 2FA methods for different accounts, especially for those that contain sensitive or valuable information.
- Do not share your verification code with anyone. The verification code that you receive from 2FA is meant to be used only by you and only for the specific login attempt that triggered it. You should never share your verification code with anyone, even if they claim to be from the service provider or the support team. You should also never enter your verification code on any website other than the one that requested it. If you receive an unexpected verification code or a request to share it, you should ignore it and report it to the service provider.
- Review your 2FA settings regularly. You should check your 2FA settings periodically and make sure that they are up to date and accurate. You should also review your login history and activity logs and look for any suspicious or unusual events, such as failed login attempts, unknown devices, or location changes. If you notice any anomalies or errors, you should change your password and contact the service provider immediately.