Lmst

🚨 #Phishing on Trusted Cloud Infrastructure: Google, Microsoft, Cloudflare.
We’re tracking a growing trend where phishing kit infrastructure is hosted on legitimate cloud and CDN platforms, not newly registered domains. In some cases, these campaigns specifically target enterprise users. This creates serious visibility challenges for security teams.

We’ve observed this pattern across multiple #phishkits:
🔹 #Tycoon hosted on alencure[.]blob[.]core[.]windows[.]net (Microsoft Azure Blob Storage): https://app.any.run/tasks/29b53d89-99b4-4827-b0af-72f315fdf529/?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktoservice
⚠️ #Sneaky2FA hosted on legitimate cloud platforms, filtering out free email domains via a fake Microsoft 365 login to target corporate accounts:
firebasestorage[.]googleapis[.]com (Cloud Storage for Firebase): https://app.any.run/tasks/8189dd5e-0159-480d-8654-7b438a73f11e?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktoservice
cloudfront[.]net (AWS CloudFront): https://app.any.run/tasks/9a2d1537-e952-455e-bba0-b36f720a07e6/?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktoservice
🔹 #EvilProxy hosted on sites[.]google[.]com (Google Sites): https://app.any.run/tasks/07995c22-6e7d-468b-ad94-29af75525ed3/?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktoservice

Victims see a “trusted” provider domain, while the network only sees normal HTML being loaded from cloud infrastructure. What looks clean at first glance is exposed by #ANYRUN Sandbox in under 60 seconds, directly reducing MTTD and MTTR.

Many security vendors will flag these domains as legitimate. Technically, they are. That’s why security teams need behavioral analysis and network-level signals to reliably uncover phishing before impact.

🚀 Speed up detection and gain full visibility into complex threats with #ANYRUN. Sign up: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=register#register
#ExploreWithANYRUN

#IOCs:
mphdvh[.]icu
kamitore[.]com
aircosspascual[.]com
Lustefea[.]my[.]id

#cybersecurity #infosec

@SteveBellovin :

(Microsoft) myth: 99.9% of phishing is prevented by using MFA

#phishing #PhaaS #Evilginx2 #EvilProxy #AitM #MitM

Zoomed in screenshot of hxxps://large-listening-838836.framer[.]app (this site is still live).

A fake login page for Luxembourg asking for:
1. user-ID
2. password
3. TOTP code

🪝 #EvilProxy is a #phishing kit that bypasses 2FA via a reverse-proxy architecture.

🌐 Attackers use it to target credentials of corporate Microsoft 365 users across different industries.

Learn about this threat & see analysis: https://any.run/malware-trends/evilproxy/?utm_source=mastodon&utm_medium=post&utm_campaign=evilproxy&utm_content=tracker&utm_term=230625

#cybersecurity #infosec

Global analysis of Adversary-in-the-Middle phishing threats
#EvilProxy #Storm_1167 #DadsecOTT #Rockstar2FA #Mamba2FA #Tycoon2FA #NakedPages #CEPHAS
https://blog.sekoia.io/global-analysis-of-adversary-in-the-middle-phishing-threats/

Phishing-as-a-service is an area that is increasing rapidly according to research by security vendor Barracuda Networks, which says it has detected a “massive spike” in PhaaS attacks in the first two months of this year.

https://www.computing.co.uk/news/2025/security/massive-spike-in-phishing-as-a-service-attacks-in-2025-research

#phishing #phaas #tycoon2fa #evilproxy #infosec #cybersecurity #barracuda #technews

Account Compromise Arms Race: The Rise of Phishing-as-a-Service
#EvilProxy #ONNXStore
https://abnormalsecurity.com/blog/account-compromise-phishing-as-a-service

🚨 ALERT: Fake #YouTube links redirect to #phishing pages
Using the Uniform Resource Identifier authority (URI), phishers obfuscate links and place a legitimate resource address, like http://youtube, at the beginning of URLs to deceive users and make the link appear authentic and safe.

📌 The attackers are also abusing other services. We’ll keep monitoring and sharing the details with you, so your company can make effective decisions to address the threat.

Take a look at the example and gather #IOCs:
https://app.any.run/tasks/ace1b2b4-1c1a-4669-a3fc-231d473bc3b9/?utm_source=mastodon&utm_medium=post&utm_campaign=uri_phishing&utm_term=090125&utm_content=linktoservice

👨‍💻 Use this search request to find more sandbox sessions and improve the precision and efficiency of your organization's security response:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=uri_phishing&utm_content=linktoti&utm_term=090125#%7B%2522query%2522:%2522commandLine:%255C%2522youtube.com%2525%255C%2522%2522,%2522dateRange%2522:180%7D

Technically, the URI Scheme replaces the userinfo field (user:pass) with a domain name: foo:// <user:pass> @ domain . zone

📝 Attributes
#Storm1747 domain infrastructure — checkers, redirectors and main pages — has a standard template for #Tycoon 2FA #phishkit installed.
The technique of replacing userinfo is also employed by various other phishing kits, such as #Mamba 2FA and #EvilProxy.

🚀 Analyze and investigate the latest #malware and phishing threats with ANYRUN

Cybercriminals are using a new phishing technique called "EvilProxy" to steal your personal information! Stay safe online.

https://thehackernews.com/2023/10/cybercriminals-using-evilproxy-phishing.html?m=1

#cybersecurity #phishing #EvilProxy #cybercrime

This (or something similar) overlaid on your Tenancy Background image might help against #EvilProxy pages

https://medium.com/@martinconnarty/adversary-in-the-middle-detection-44dca2f79943

Phishing warning image that is an overlay for Azure tenancy backgrounds

"STOP!! If the URL doesn't start "login.microsoft.online.com/" Then you may be being phished"

EvilProxy, which was first documented by Resecurity in September 2022, acts as a reverse proxy between the target and a legitimate login page.

#Cybersecurity #ATM #Phishing #Cyberthreat #USA #EvilProxy

https://cybersec84.wordpress.com/2023/10/10/evilproxy-phishing-kit-targets-senior-executives-in-u-s-firms-new-threat-alert/

[Threatview.io] Checkout our latest collection of IOC for "SUSPECTED" #Evilproxy domains on #virustotal identified using our proactive hunter's domain telemetry.

https://www.virustotal.com/gui/collection/89f771cb44e65f287c7569fdac10fc3ad60a3f142a4251c2f45a994f98f51b58/summary

#phishing
#malware
#threatintel

#microsoft365 #phishing campaign leads to takeover of #MFA protected accounts via #EvilProxy

https://www.csoonline.com/article/649242/takeovers-of-mfa-protected-accounts-increase-as-microsoft-365-phishing-campaign-shows.html

#EvilProxy used in massive cloud account takeover scheme
https://securityaffairs.com/149348/hacking/cloud-account-takeover-scheme-evilproxy.html
#securityaffairs #hacking #phishing

@evaristegal0is #evilproxy strikes again. Script kiddies are running wild with this lately.

From the #EvilProxy Telegram channel:
It appears they're using https://auth.acme-dns.io/ as their way of generating subdomains.
"Hi friends, we have problem with add new domains in system bcs 3party website is down (https://auth.acme-dns.io) if some one has info what's wrong with it share pls. we are looking for tmp solution."

As of now the site is still down. Returning 404. @DomainTools shows a pDNS record from the acme resolved IP that uses the same subdomain pattern seen in EvilProxy phishing campaigns.

#ThreatIntel #ThreatHunting #DNS #OSINT

[Threatview.io] ⚡ Latest collection of #evilproxy domains on #virustotal as seen from our proactive hunter domain telemetry 👇

virustotal.com/gui/collection/1906094a8c4a7a9e55b5fecaecda9c68b2f7a2986db9d04c60236a0de92f8099

#Threatintel
#CTI
#Phishing
#DFIR
#cybersecurity