Proofpoint exposes extent of cloud account takeover phishing campaign targeting C-level execs

Security Published 8th September 2023

Researchers at Proofpoint have detected ‘a dramatic surge of over 100% in successful cloud account takeover incidents impacting high-level executives at leading companies’ over the last six months. The attackers made use of a ‘reverse proxy’ phishing tool called EvilProxy, and advanced account takeover methods to overcome multifactor authentication protection.


► Sophisticated hybrid attacks can bypass MFA

► Variety of techniques used to gain access to cloud accounts


The ongoing hybrid campaign targeted thousands of Microsoft 365 user accounts with approximately 120,000 phishing emails sent to hundreds of targeted organisations across the globe between March and June 2023.


During the phishing stage of the attack, attackers employed several noteworthy techniques, including brand impersonation, scan blocking, and a multi-step infection chain that hijacked legitimate redirects.

In the blog detailing the attack, Proofpoint notes that ‘even MFA is not a silver bullet against sophisticated threats and could be bypassed by various forms of combined email-to-cloud attacks.’

It also noted that reverse proxy threats (and EvilProxy in particular) are now ‘out-competing’ the less capable phishing methods and are being used much more by cybercriminals as part of hybrid attacks. While the initial threat arrives via email, the end goal is to compromise and exploit valuable cloud user accounts, assets, and data. Once they have gained access to a ‘VIP’ user account, attackers will then seek to establish persistence and, finally, exploit their unauthorised access.

According to Proofpoint, the attackers will even study the culture, hierarchy, and processes of the target organisations to improve the success rates of financial fraud, data exfiltration or Hacking-as-a-Service (HaaS) transactions, in which they sell access to compromised user accounts.

Proofpoint’s key recommendations for safeguarding against similar advanced hybrid (email-cloud) threats are to use a combination of email, cloud and web security together with security awareness training. It also said that organisations should consider using FIDO (Fast IDentity Online)-based physical security keys.
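Why the FIDO recommendation holds up against a reverse proxy, as an added example that is not part of Proofpoint’s or TD SYNNEX’s material: a relying party checks the origin and RP ID hash that the browser itself embeds in a WebAuthn assertion, so a victim whose session is relayed through a lookalike domain produces values that fail verification even though the user completed the key tap. The origin `https://login.example.com`, RP ID `example.com`, the lookalike domain and the challenge are constructed for illustration.

```python
import base64
import hashlib
import json

# Hypothetical relying-party (RP) settings for the legitimate login service.
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID = "example.com"


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion(client_data_b64: str, authenticator_data: bytes, issued_challenge: str):
    """Check the assertion fields a reverse proxy cannot forge; returns (ok, reason).
    The signature over authenticatorData || sha256(clientDataJSON) is verified after these pass."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != issued_challenge:
        return False, "challenge mismatch (possible replay)"
    # The browser records the origin it actually connected to. A victim on a
    # proxy's lookalike domain yields that domain here, so the RP rejects it.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    # Bytes 0-31 of authenticatorData are sha256(rpId) as seen by the browser.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def make_client_data(origin: str, challenge: str) -> str:
    """Constructed sample: what a browser sends when the page is served from `origin`."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")


def make_auth_data(rp_id: str) -> bytes:
    """Constructed sample: rpIdHash, flags (UP|UV) and a zero sign counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x00"


if __name__ == "__main__":
    ch = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed challenge
    print(verify_assertion(make_client_data(EXPECTED_ORIGIN, ch), make_auth_data(RP_ID), ch))
    # Same user, same key, but the page was served by a proxy on a lookalike domain.
    print(verify_assertion(make_client_data("https://login-example.net", ch),
                           make_auth_data("login-example.net"), ch))
```

The same user and the same key pass from the genuine origin and fail through the lookalike domain, which is the property a one-time code relayed by the proxy lacks.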

TD SYNNEX Security Solutions can provide the full range of Proofpoint solutions and services plus expert advice, training and support on how to protect your customers from cybersecurity threats of all kinds. If you would like to know more about Proofpoint or discuss building your own cybersecurity practice, please click the button below to make contact with our team.
