Page 56 - Cyber Defense eMagazine December 2023

From in-depth research of individuals and their interpersonal relations to the use of incredibly convincing spoofed social media profiles, threat actors are pulling out all the stops as they attempt to trick unsuspecting victims into clicking malicious links. We have heard recent accounts of cybercriminals dropping malicious links into Zoom calls, while others are actively exploring the use of deepfake technologies, for example.

As a result, it is becoming harder and harder to discern attacks from genuine digital interactions, as has been demonstrated in another recent phishing campaign uncovered by the Menlo Labs team.



Analysing the Indeed.com attack chain

In July 2023, Menlo Security’s HEAT Shield detected and blocked a novel phishing attack that attempted to redirect unsuspecting users of the popular job listing site ‘Indeed.com’ to a phishing page impersonating Microsoft.

            The attack chain began with victims receiving a phishing email that was delivered via a link that had been
            deceptively crafted to make the victim believe it had come from Indeed.com. Victims would then click on
            a link which would redirect them to a fake Microsoft Online login page where they were asked to enter
            their credentials.

The tactic that this campaign tapped into is known as open redirection, where an application either intentionally or unintentionally redirects users to an untrusted external domain. In this sense, threat actors were exploiting the highly trusted nature of ‘Indeed.com’ while redirecting targeted victims to a phishing site.
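The open-redirect weakness described above is closed at the application layer by refusing to honour a redirect parameter that leaves the site. The Python below is an added example, not Menlo Security's code and not a description of Indeed.com's implementation: it contrasts a handler that trusts a `next` parameter blindly with one that resolves the parameter against an allowlist of hosts and rejects the common bypass shapes (scheme-relative `//host`, lookalike suffixes, backslash variants, userinfo tricks, non-HTTP schemes). The host names and landing path are constructed for the example.

```python
from urllib.parse import urlsplit, urljoin, urlunsplit

# Hosts this application may redirect to (constructed for the example).
ALLOWED_HOSTS = {"www.example.com", "jobs.example.com"}
APP_ORIGIN = "https://www.example.com"
DEFAULT_LANDING = "/dashboard"


def unsafe_redirect_target(next_url: str) -> str:
    """Open-redirect pattern: whatever arrives in ?next= is sent back as Location."""
    return next_url


def safe_redirect_target(next_url: str) -> str:
    """Return a redirect target that stays on an allowed host.

    Any value that would leave the application falls back to DEFAULT_LANDING
    instead of being honoured, so a trusted-looking link cannot be used to
    bounce a user to an attacker-controlled login page.
    """
    if not next_url:
        return DEFAULT_LANDING
    # Browsers treat '\' like '/' when parsing the authority, so normalise it
    # first; otherwise '/\evil.example' looks like a harmless relative path.
    candidate = next_url.replace("\\", "/")
    # Resolve against our own origin: relative paths stay on our host,
    # absolute URLs (including scheme-relative '//host') keep their authority.
    resolved = urlsplit(urljoin(APP_ORIGIN, candidate))
    if resolved.scheme not in ("http", "https"):
        return DEFAULT_LANDING
    host = resolved.hostname  # already lower-cased, userinfo stripped
    if host is None or host not in ALLOWED_HOSTS:
        return DEFAULT_LANDING
    try:
        port = resolved.port
    except ValueError:  # malformed port such as ':abc'
        return DEFAULT_LANDING
    # Rebuild from parsed components so userinfo and odd encodings are dropped.
    netloc = host + (f":{port}" if port else "")
    return urlunsplit((resolved.scheme, netloc, resolved.path or "/",
                       resolved.query, resolved.fragment))
```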

            Critically, the spoofed page was deployed using a sophisticated phishing kit known as EvilProxy that can
            fetch content dynamically, doing so from the legitimate login site. The phishing site then acts as a reverse
            proxy, proxying the request to the actual website and enabling the attacker to intercept the legitimate
            server’s requests and responses.

            With EvilProxy, the attacker is also able to steal session cookies, which can then be used to log in to the
            legitimate Microsoft Online site, impersonating the victims and bypassing non-phishing resistant multi-
            factor authentication (MFA) policies.



            Combatting modern phishing threats

            This attack chain is a prime example of an Adversary In The Middle (AiTM) phishing attack, harvesting
            session cookies to enable threat actors to bypass MFA protections.

In this instance, the Menlo Labs team saw that the threat actors largely focused on targeting executives in senior level roles across industries, such as banking and financial services, insurance providers, property management and real estate, and manufacturing. However, given that similar AiTM threats could