
URL: https://www.menlosecurity.com/blog/evilproxy-phishing-attack-strikes-indeed/
Submission: On October 05 via manual from IN — Scanned from DE


EVILPROXY PHISHING ATTACK STRIKES INDEED

Ravisankar Ramprasad | Oct 03, 2023




EXECUTIVE SUMMARY

Menlo Labs recently identified a phishing campaign targeting executives in
senior-level roles across various industries, primarily Banking and Financial
Services, Insurance providers, Property Management and Real Estate, and
Manufacturing.

The key findings based on our research of the phishing campaign are as follows:

 * The campaign started in July and has continued into the month of August.
 * The campaign used a sophisticated phishing kit called ‘EvilProxy’ which acts
   as a reverse proxy intercepting the requests between the client and the
   legitimate site.
 * ‘EvilProxy’ possesses the ability to harvest session cookies thereby
   bypassing non-phishing resistant MFA.
 * The campaign was seen primarily targeting US based organizations.
 * The threat actors leveraged an open redirection vulnerability on the job
   search platform “indeed.com”, redirecting victims to malicious phishing pages
   impersonating Microsoft.

This is a classic example of an AiTM (Adversary In The Middle) phishing attack,
in which harvested session cookies enable threat actors to bypass MFA
protections.


THREAT INTELLIGENCE

In July 2023, Menlo Security HEAT Shield detected and blocked a novel phishing
attack that involved an open redirection in the ‘indeed.com’ website redirecting
victims to a phishing page impersonating Microsoft. Because the link points at
‘indeed.com’, an unsuspecting victim believes the redirection came from a
trusted source.

Illustration 1: Sample of the phishing mail

The threat actors were found to deploy the phishing pages using the
phishing-as-a-service platform named ‘EvilProxy’. The service is advertised and
sold on the dark web as a subscription-based offering, with plans valid for 10
days, 20 days, or 31 days. One of the actors, known by the handle
‘John_Malkovich’, plays the role of an administrator and intermediary assisting
customers who have purchased the service.

The campaign targeted C-suite employees and other key executives at
organizations based in the United States, across various sectors.

The chart below depicts the various sectors targeted by the campaign.

Illustration 2: Distribution of the verticals targeted

This data was collated with the help of intelligence gathered through URLScan,
Phishtank, and VirusTotal feeds.


INFECTION VECTOR

The infection vector was a phishing email containing a link deceptively crafted
to appear to come from a trusted source, in this case ‘indeed.com’. Upon
clicking the link, the victim is redirected to a fake Microsoft Online login
page.


ATTACK KILL CHAIN

The depiction of the attack kill chain with the step-by-step breakdown is shown
below.

Illustration 3: Attack chain representation

 * Victim receives the phishing mail containing the Indeed link.
 * The unsuspecting victim clicks on the Indeed link inside the mail, which
   redirects the victim to the fake Microsoft login page.
 * This phishing page is deployed with the help of the EvilProxy phishing
   framework, which fetches all the content dynamically from the legitimate
   login site.
 * The phishing site acts as a reverse proxy, proxying the request to the actual
   website.
 * The attacker intercepts the legitimate server’s requests and responses.
 * The attacker is able to steal the session cookies.
 * The stolen cookies can then be used to log in to the legitimate Microsoft
   Online site, impersonating the victims and bypassing non-phishing-resistant
   MFA.


TECHNICAL DETAILS

WHAT IS OPEN REDIRECTION VULNERABILITY?

Open redirection happens when an application (by design or unintentionally)
causes redirection to an untrusted external domain. This flaw can be used to
exploit the trust placed in the redirecting source to ultimately redirect the
victim to a phishing site or a compromised site serving malware.

In this specific attack, the user clicks on a URL believing that they are being
directed to indeed.com or one of its subdomains. The subdomain ‘t.indeed.com’ is
supplied with parameters to redirect the client to another target (example.com)
as shown in the example below. The parameters in the URL that follow the “?” are
a combination of parameters unique to indeed.com and the target parameter, whose
argument consists of the destination URL. Hence the user, upon clicking the URL,
ends up getting redirected to example.com. In an actual attack, the user would
be redirected to a phishing page.

The HTTP request and response headers show the redirection chain caused by the
vulnerability.

Illustration 4: Explaining open redirection with youtube.com as the target URL
as an example

Illustration 5: Screenshot of the phishing page
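
The check a mail filter can apply to links like the one described above, written here as an added example (it is not Menlo's or Indeed's code): unwrap any URL carried in the query string and compare its host with the trusted host the link displays. The trusted-domain list and the sample paths and parameter values used with it are assumptions; only ‘t.indeed.com’ and the target parameter come from the article.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: domains this mail filter treats as trusted link sources.
TRUSTED_SUFFIXES = ("indeed.com",)


def matching_suffix(host, suffixes=TRUSTED_SUFFIXES):
    """Return the trusted suffix that `host` belongs to, or None."""
    host = (host or "").lower().rstrip(".")
    for suffix in suffixes:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def destination_host(value):
    """Return the host if `value` is an absolute or protocol-relative URL, else None."""
    value = value.strip()
    if value.startswith("//"):
        value = "https:" + value
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None


def embedded_destinations(url, max_rounds=3):
    """List (parameter, destination_host) for every URL carried in the query string."""
    found = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl decodes once; keep decoding to catch double-encoded targets.
        for _ in range(max_rounds):
            host = destination_host(value)
            if host:
                found.append((name, host))
                break
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
    return found


def check_link(url):
    """Classify a link whose visible host is trusted but whose destination may not be."""
    suffix = matching_suffix(urlsplit(url).hostname)
    if suffix is None:
        return ("untrusted-source", [])
    dests = embedded_destinations(url)
    off_domain = [(p, h) for p, h in dests if matching_suffix(h, (suffix,)) is None]
    if off_domain:
        return ("off-domain-redirect", off_domain)
    return ("same-domain" if dests else "no-embedded-url", dests)
```

A look-alike destination such as indeed.com.example.net is reported as off-domain because the comparison is made on whole DNS labels, not on substrings.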

The threat actors employed the EvilProxy phishing kit, which acts as a reverse
proxy and performs an adversary-in-the-middle attack: it steals user session
cookies, which lets the attackers circumvent two-factor authentication and
bypass MFA.

ATTACKER INFRASTRUCTURE

The phishing redirection chain consists of 3 parts:

 * The Phishing Link received by victim
 * The Redirector URL
 * The Phishing Page

The diagram below shows the redirection chain in this specific attack.

Illustration 6: Phishing Redirection Chain

PHISHING PAGE TECHNICAL DESCRIPTION

The phishing pages were observed to use the subdomain ‘lmo.’ and specifically
impersonated the Microsoft Online login page. They were found to be hosted on
nginx servers capable of acting as a reverse proxy. The reverse proxy fetches
all the content that can be dynamically generated, like the login pages, and
then acts as the adversary in the middle by intercepting the requests and
responses between the victim and the legitimate site. This helps in harvesting
the session cookies, and this tactic can be attributed to the usage of the
EvilProxy phishing kit.

EVILPROXY ATTRIBUTION

Artifacts observed which can be attributed to EvilProxy usage:

 * Shodan and URLScan show that these domains are hosted on Nginx servers.
 * The phishing pages hosted resources containing common URI paths, listed
   below, which can be used to identify them.
   * 1) /ests/2.1/content/
   * 2) /shared/1.0/content/
   * 3) /officehub/bundles/
 * The phishing kit makes use of Microsoft’s Ajax CDN to help with dynamic
   fetching and rendering of JavaScript content. On hunting for these specific
   strings in the URI paths, we can observe them in IDS signatures built to
   detect EvilProxy URI content.



 * One of the POST requests observed contains the victim’s email address (Base64
   encoded in some cases) and session identifier. This is also a unique artifact
   seen with EvilProxy phishing kit usage. The IDS rule match for the same is
   shown below.


 * Example of POST request:
   https://lmo[.]bartmfil[.]com/?c29tZW9uZUBzb21lb25lLm9yZw==&session=e6ec0fe49fbfb31608198b22eaa2d00fe6ec0fe49fbfb31608198b22eaa2d00f&sso_reload=true


 * Another piece of code observed was the usage of the open source FingerprintJS
   library for browser fingerprinting. The Domblockers module has been
   extensively used to identify particular elements that are being blocked by
   the browser.
   https://github.com/fingerprintjs/fingerprintjs/blob/master/src/sources/dom_blockers.ts
 * Look for IP addresses with a 407 Proxy Authentication Required client error
   status code.



 * Another way is to look for sites with a 444 status code, which is a standard
   Nginx server response, and for sites having an nginx server running in the
   backend with subdomains like (lmo., auth., live., login-live., mso.*).
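
The URL-level artifacts listed above can be turned into a triage pass over proxy or DNS-resolved web logs. The following is an added example, not a Menlo or IDS-vendor rule: it scores each logged URL on the URI paths, the subdomain labels, and the email-plus-session query pattern. The Microsoft host allowlist is an assumed, incomplete list used only to keep genuine login traffic out of the results, and the sample log entries are constructed apart from the defanged URL quoted in the article.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Artifacts listed in the article.
URI_MARKERS = ("/ests/2.1/content/", "/shared/1.0/content/", "/officehub/bundles/")
SUBDOMAIN_LABELS = ("lmo", "auth", "live", "login-live", "mso")
# Assumption: short, incomplete allowlist of genuine Microsoft hosts.
LEGIT_SUFFIXES = ("microsoftonline.com", "msauth.net", "msftauth.net", "office.net", "live.com")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SESSION_RE = re.compile(r"^[0-9a-f]{32,}$", re.IGNORECASE)

# Constructed sample log entries; the first is the defanged URL quoted in the article.
SAMPLE_URLS = [
    "https://lmo[.]bartmfil[.]com/?c29tZW9uZUBzb21lb25lLm9yZw==&session="
    "e6ec0fe49fbfb31608198b22eaa2d00fe6ec0fe49fbfb31608198b22eaa2d00f&sso_reload=true",
    "https://auth.phish.example/ests/2.1/content/images/logo.svg",
    "https://aadcdn.msauth.net/ests/2.1/content/images/logo.svg",
    "https://www.example.org/login?session=abc",
]


def is_legit(host):
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def carries_email(piece):
    """True if a query-string piece is an e-mail address, plain or Base64-encoded."""
    piece = unquote(piece)
    if EMAIL_RE.match(piece):
        return True
    try:
        decoded = base64.b64decode(piece, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    return bool(EMAIL_RE.match(decoded))


def evilproxy_artifacts(url):
    """Return the set of article-described artifacts present in one logged URL."""
    parts = urlsplit(url.replace("[.]", "."))  # accept defanged indicators
    host = (parts.hostname or "").lower()
    if not host or is_legit(host):
        return set()
    hits = set()
    if any(marker in parts.path for marker in URI_MARKERS):
        hits.add("uri-marker")
    if host.split(".")[0] in SUBDOMAIN_LABELS:
        hits.add("subdomain-label")
    for piece in parts.query.split("&"):
        if piece.startswith("session=") and SESSION_RE.match(piece[len("session="):]):
            hits.add("session-id")
        elif carries_email(piece):
            hits.add("email-in-query")
    return hits


def triage(urls, threshold=2):
    """Keep URLs that show at least `threshold` independent artifacts."""
    scored = ((u, evilproxy_artifacts(u)) for u in urls)
    return [(u, sorted(h)) for u, h in scored if len(h) >= threshold]
```

Requiring two or more artifacts keeps single weak signals, such as an ‘auth.’ subdomain on its own, from generating alerts.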


MENLO PROTECTION

Menlo observed this campaign at one of our customers, and we were able to
successfully eliminate this threat with our HEAT Shield. HEAT Shield was able to
detect and prevent this phishing attempt on the fly by virtue of its real-time
analysis feature. HEAT Shield successfully detected the phishing site by
leveraging AI-based detection models to analyze the rendered web page, well
before the URL reputation services and other security vendors flagged this page
for malicious behavior. HEAT Shield also generates Zero Hour Phishing Detection
alerts in the process, which give SOC analysts greater visibility by providing
them with context of the threat and enriched data that will adequately support
their research.

HEAT Shield protects users from credential harvesting and account compromise by
cutting off the attack vector from the initial access stage (MITRE ATT&CK
framework) and redefines the way security is implemented by enforcing a
proactive approach to deal with such highly evasive threats. This rapidly
evolving threat landscape makes it imperative for us to stay one step ahead and
invest in Zero trust by design.


CONCLUSION

In light of the intelligence gathered and analysis performed from various
sources, we can state with confidence that the threat actors have been using the
‘EvilProxy’ phishing kit and specifically exploiting the open redirection
vulnerability in the ‘indeed.com’ application to impersonate the Microsoft
Online page for credential phishing and account compromise.

Account compromise only forms the preliminary stages of an attack chain that
could possibly end up in a Business Email Compromise, where the potential impact
could range from identity theft and intellectual property theft to massive
financial losses.

There is a high probability that we will see a surge in the usage of
‘EvilProxy’. First, it is easy to use, with a simple interface and with
tutorials and documentation easily available on the dark web. Second, the
ability to circumvent MFA makes this a powerful tool in the arsenal of
cybercriminals.


RECOMMENDATIONS

 1. Educate users through awareness sessions and training.
 2. Use phishing-resistant MFA, such as FIDO-based authentication with devices
    like YubiKeys.
 3. Verify that the target URLs are as legitimate as the source instead of
    assuming them to be safe.
 4. Use session isolation solutions like HEAT Shield that will protect the users
    from zero hour phishing attacks in real time.


RESPONSIBLE DISCLOSURE

Menlo Labs have reached out to Indeed.com informing them of the existence of the
open redirect vulnerability and its active exploitation out in the wild. They
have been informed about the criticality and severity that this threat poses.

