EvilProxy

EvilProxy is a phishing-as-a-service (PhaaS) platform/operator associated with large-scale phishing activity and, more recently, device code phishing targeting Microsoft 365 accounts. Reporting cited in the content places EvilProxy among criminal phishing services rather than a nation-state actor. It has been identified alongside other phishing kits and operators such as Mamba 2FA, Sneaky 2FA, Tycoon 2FA, and groups using the Kali 365 toolkit, and Microsoft content referenced a developing cluster as 'Storm-0835 Group in development EvilProxy.' The content states that EvilProxy operators have integrated device code phishing into their operations. In these campaigns, victims are lured into entering attacker-supplied device codes on legitimate Microsoft authentication pages, allowing the attackers to obtain authentication tokens and potentially persistent access to Microsoft 365 accounts. Proofpoint reporting cited in the content says this technique is difficult to detect because it uses legitimate Microsoft infrastructure and domains. EvilProxy is also described as benefiting from disruption to Tycoon 2FA. Barracuda and Dark Reading reporting in the content say EvilProxy was one of the platforms that gained activity and market share after the Tycoon 2FA takedown, with monthly attacks reportedly increasing from just under 3 million to just over 4 million. Barracuda further assessed that Tycoon 2FA tools, code, and techniques have migrated to or been reused by competing kits including EvilProxy, and that competing kits have improved their features and infrastructure maturity using tooling formerly associated with Tycoon 2FA.