How Phishing Is Targeting Germany’s Economy: Active Threats from Finance to Manufacturing
German critical industries are facing coordinated, highly targeted phishing campaigns utilizing Phishing-as-a-Service platforms like EvilProxy and FlowerStorm. These attacks leverage Adversary-in-the-Middle (AitM) techniques to intercept session cookies, effectively bypassing traditional Multi-Factor Authentication (MFA) to compromise Microsoft 365 and Okta accounts.
Source: ANY.RUN
- Domain: googlmicrozonfaceb0xfileshar3instacloud0fftkdoctormedixxqqw[.]digital - Main EvilProxy phishing domain reverse-proxying the legitimate Microsoft login page.
- Domain: jewbreats[.]org - Exfiltration domain receiving stolen credentials via unencrypted POST requests.
- Domain: larozada[.]com - Compromised WordPress site hosting a Cloudflare Turnstile CAPTCHA for an EvilProxy attack chain.
- Domain: noncrappyandroidapps[.]com - Anti-bot verification step domain used in the Teams voice message phishing chain.
- Domain: ogbarberschool[.]com - Primary phishing page mimicking a Microsoft Outlook login.
- Domain: saicares[.]com[.]au - Compromised WordPress site used as an intermediate redirect in a healthcare-targeted attack.
- Domain: signin[.]securedocsportal[.]com - Phishing domain crafted to resemble a secure document signing portal.
- Domain: teams-ms365[.]cloud - Phishing domain mimicking Microsoft Teams infrastructure.
- Domain: voicbx[.]com - Redirect service mimicking a Microsoft Teams voice notification interface.
- URL: portfolio-hrpcjqg[.]format.com/gallery - Legitimate portfolio hosting platform abused as the initial URL to bypass reputation filters.
Key Takeaways
- Identity is the new perimeter; attackers are bypassing MFA using session interception and reverse proxy tools like EvilProxy and EvilGinx2.
- Phishing lures are highly contextualized to specific industries (e.g., salary updates for finance, Teams voice messages for manufacturing).
- Attackers abuse legitimate services (Mailchimp, Amazon SES, Cloudflare Workers, ArDrive) to bypass reputation-based email and web filters.
- Phishing-as-a-Service (PhaaS) platforms have democratized sophisticated Adversary-in-the-Middle (AitM) attacks, making them accessible to a broader range of threat actors.
Affected Systems
- Microsoft 365
- Microsoft Teams
- Microsoft Outlook
- Okta
Attack Chain
The attacks typically begin with highly contextualized spearphishing emails, often sent through legitimate delivery infrastructure such as Amazon SES or Mailchimp to bypass reputation filters. Victims are directed through a series of intermediate redirects, including compromised WordPress sites and CAPTCHA challenges (e.g., Cloudflare Turnstile), to evade automated analysis. The final stage is an Adversary-in-the-Middle (AitM) reverse proxy, such as EvilProxy or EvilGinx2, which relays the real Microsoft 365 or Okta login page to the victim. Once the user authenticates and passes MFA, the proxy captures the resulting session cookie, giving the attacker immediate access to the victim's account without any further password or MFA prompt.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: Yes
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Suricata
The article notes that Suricata network rules successfully flagged suspicious unencrypted POST requests transmitting email addresses during the credential exfiltration phase.
Detection Engineering Assessment
- EDR Visibility: Low — The attacks primarily occur in the cloud and browser via session hijacking, leaving a minimal footprint on the local endpoint until post-compromise actions are taken.
- Network Visibility: High — Network monitoring can detect anomalous redirects, CAPTCHA challenges from unexpected domains, and unencrypted POST requests containing sensitive data.
- Detection Difficulty: Hard — Attackers use legitimate services (Mailchimp, AWS SES, Cloudflare) and CAPTCHAs to evade automated scanners, and AitM proxies make the authentication flow look legitimate to the identity provider.
Required Log Sources
- Web Proxy Logs
- DNS Logs
- Cloud Identity/Azure AD Sign-in Logs
- Email Gateway Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for successful Azure AD/Microsoft 365 sign-ins originating from unusual IP addresses or ASNs immediately following an MFA challenge, which may indicate a hijacked session cookie being replayed. | Cloud Identity Logs | Credential Access | Medium |
| Search web proxy logs for traffic to known CAPTCHA providers (e.g., Cloudflare Turnstile) immediately followed by connections to newly registered or uncategorized domains, indicating potential AitM phishing gateways. | Web Proxy Logs | Initial Access | Medium |
| Monitor network traffic for unencrypted HTTP POST requests containing email addresses or base64 encoded email strings, which may indicate credential exfiltration to attacker-controlled infrastructure. | Network Traffic | Credential Access | Low |
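The first hypothesis in the table (a successful sign-in from an unusual IP or ASN right after an MFA challenge, suggesting a replayed session cookie) can be expressed as a small correlation over cloud identity sign-in records. The Python below is an added example, not code from the article or from ANY.RUN. It runs over constructed sign-in records whose field names are modelled on Entra ID / Azure AD sign-in logs (session id, authentication requirement, source IP and ASN) but simplified; every value, the two-hour correlation window and the per-user baseline of usual ASNs are assumptions. It raises two findings: MFA being satisfied from an ASN the user never signs in from (in an AitM flow the interactive sign-in reaches the identity provider from the proxy, not from the victim), and the same session then being used, without a fresh MFA challenge, from yet another unusual ASN.

```python
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(hours=2)   # assumption: how long after MFA a cookie reuse is correlated

# Assumption: ASNs each user normally signs in from (e.g. learned over the previous 30 days).
BASELINE_ASNS = {
    "jane.doe@example-corp.de": {64500},
    "max.muster@example-corp.de": {64500, 64777},
}

# Constructed sign-in records. Field names are modelled on Entra ID / Azure AD sign-in logs
# (sessionId, authenticationRequirement, IP address, ASN) but simplified; all values are invented.
SAMPLE_SIGNINS = [
    # jane: MFA satisfied from the AitM proxy's ASN, then her cookie reused from a third ASN
    {"ts": "2024-01-10T09:01:00", "user": "jane.doe@example-corp.de", "session_id": "S1",
     "ip": "198.51.100.77", "asn": 64999, "mfa": "multiFactorAuthentication", "result": "success"},
    {"ts": "2024-01-10T09:03:00", "user": "jane.doe@example-corp.de", "session_id": "S1",
     "ip": "192.0.2.9", "asn": 64998, "mfa": "singleFactorAuthentication", "result": "success"},
    # max: normal MFA sign-in followed by a token refresh from the same ASN (benign)
    {"ts": "2024-01-10T10:00:00", "user": "max.muster@example-corp.de", "session_id": "S2",
     "ip": "203.0.113.22", "asn": 64500, "mfa": "multiFactorAuthentication", "result": "success"},
    {"ts": "2024-01-10T10:05:00", "user": "max.muster@example-corp.de", "session_id": "S2",
     "ip": "203.0.113.22", "asn": 64500, "mfa": "singleFactorAuthentication", "result": "success"},
    # max: a failed attempt from an unusual ASN is ignored because no session was issued
    {"ts": "2024-01-10T11:00:00", "user": "max.muster@example-corp.de", "session_id": "S3",
     "ip": "192.0.2.50", "asn": 64998, "mfa": "multiFactorAuthentication", "result": "failure"},
    # max: a later MFA sign-in from his second usual ASN opens a new session (benign)
    {"ts": "2024-01-10T13:30:00", "user": "max.muster@example-corp.de", "session_id": "S4",
     "ip": "203.0.113.40", "asn": 64777, "mfa": "multiFactorAuthentication", "result": "success"},
]


def find_suspicious_sessions(signins, baseline_asns, window=REPLAY_WINDOW):
    """Return (user, session_id, indicator, ip) tuples in time order.

    'mfa_satisfied_from_unusual_asn': an MFA-satisfied sign-in from outside the user's baseline.
    'session_reused_from_second_asn': the same session used within `window` of that sign-in,
    with only single-factor (cookie) auth, from an ASN that is neither the MFA ASN nor usual.
    """
    anchors = {}    # (user, session_id) -> (time, asn) of the MFA-satisfied sign-in
    findings = []
    for rec in sorted(signins, key=lambda r: r["ts"]):
        if rec["result"] != "success":          # failed sign-ins never yield a session cookie
            continue
        key = (rec["user"], rec["session_id"])
        ts = datetime.fromisoformat(rec["ts"])
        usual = baseline_asns.get(rec["user"], set())
        if rec["mfa"] == "multiFactorAuthentication":
            anchors[key] = (ts, rec["asn"])
            if rec["asn"] not in usual:
                findings.append((rec["user"], rec["session_id"],
                                 "mfa_satisfied_from_unusual_asn", rec["ip"]))
            continue
        anchor = anchors.get(key)
        if (anchor and ts - anchor[0] <= window
                and rec["asn"] != anchor[1] and rec["asn"] not in usual):
            findings.append((rec["user"], rec["session_id"],
                             "session_reused_from_second_asn", rec["ip"]))
    return findings


if __name__ == "__main__":
    for user, session, indicator, ip in find_suspicious_sessions(SAMPLE_SIGNINS, BASELINE_ASNS):
        print(f"{user} session={session} {indicator} ip={ip}")
```

Requiring the reuse ASN to be outside the user's baseline as well as different from the MFA ASN is what keeps the second indicator at a medium false-positive rate: a laptop moving from office Wi-Fi to a home connection that the baseline already knows is not flagged, while a cookie replayed from attacker infrastructure is.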
Control Gaps
- Traditional MFA (SMS/App Prompts)
- Reputation-based Email Filtering
- Automated URL Sandboxing
Key Behavioral Indicators
- Base64 encoded email addresses in URL fragments
- Unexpected Cloudflare Turnstile CAPTCHAs
- OAuth state parameters containing plaintext emails
- Redirects through decentralized storage (e.g., ArDrive)
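The network-side hunting hypotheses in the table above (unencrypted POSTs carrying e-mail addresses, and a CAPTCHA challenge followed by an uncategorized domain) and the behavioral indicators just listed (base64-encoded addresses in URL fragments, plaintext addresses in OAuth state parameters) can be checked with one scanner. The Python below is an added example, not code from the article or from ANY.RUN. It runs over constructed request records in the shape an e-mail gateway's URL extraction or a web proxy log would yield; the hosts, client addresses, timestamps, the Turnstile script host, the 60-second challenge window and the allowlist of known hosts are all assumptions. Note that browsers never send the fragment part of a URL to a server, so the fragment check only works on URLs extracted from messages or seen in the browser, not on proxy traffic.

```python
import base64
import binascii
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")
TURNSTILE_HOST = "challenges.cloudflare.com"   # assumption: host the Turnstile widget is loaded from
CHALLENGE_WINDOW = timedelta(seconds=60)        # assumption: how soon after a challenge we look

# Constructed records (invented hosts, clients and times), not taken from the article.
# 'target' is path + query + fragment as extracted from an e-mail link or a proxy log.
_B64_EMAIL = base64.b64encode(b"jane.doe@example-corp.de").decode()
SAMPLE_REQUESTS = [
    {"ts": "2024-01-10T09:00:01", "client": "10.1.2.3", "method": "GET", "scheme": "https",
     "host": "creator-portfolio.example", "target": "/gallery", "body": ""},
    {"ts": "2024-01-10T09:00:04", "client": "10.1.2.3", "method": "GET", "scheme": "https",
     "host": TURNSTILE_HOST, "target": "/turnstile/v0/api.js", "body": ""},
    {"ts": "2024-01-10T09:00:09", "client": "10.1.2.3", "method": "GET", "scheme": "https",
     "host": "login-portal.example", "target": "/owa/#" + _B64_EMAIL, "body": ""},
    {"ts": "2024-01-10T09:00:14", "client": "10.1.2.3", "method": "GET", "scheme": "https",
     "host": "login-portal.example",
     "target": "/oauth2/authorize?client_id=1234&state=jane.doe%40example-corp.de", "body": ""},
    {"ts": "2024-01-10T09:00:20", "client": "10.1.2.3", "method": "POST", "scheme": "http",
     "host": "exfil.example", "target": "/owa/api.php",
     "body": "user=jane.doe%40example-corp.de&pass=hunter2"},
    {"ts": "2024-01-10T09:05:00", "client": "10.1.2.4", "method": "GET", "scheme": "https",
     "host": TURNSTILE_HOST, "target": "/turnstile/v0/api.js", "body": ""},
    {"ts": "2024-01-10T09:05:03", "client": "10.1.2.4", "method": "GET", "scheme": "https",
     "host": "www.example-corp.de", "target": "/", "body": ""},
]
# Assumption: hosts the organisation's proxy already categorises as legitimate.
KNOWN_HOSTS = {"www.example-corp.de", "creator-portfolio.example", "login.microsoftonline.com"}


def decode_b64_tokens(text):
    """Yield UTF-8 strings for base64-looking tokens in text (standard or URL-safe alphabet)."""
    for token in B64_TOKEN_RE.findall(text):
        std = token.translate(str.maketrans("-_", "+/"))
        std += "=" * (-len(std) % 4)            # tolerate stripped padding
        try:
            yield base64.b64decode(std, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue


def per_request_indicators(rec):
    """Return the set of indicator names a single request record triggers."""
    hits = set()
    parts = urlsplit(f"{rec['scheme']}://{rec['host']}{rec['target']}")
    body = rec.get("body") or ""
    # credentials leaving over plaintext HTTP, as a plain or base64-encoded address
    if rec["method"] == "POST" and rec["scheme"] == "http":
        if EMAIL_RE.search(unquote(body)) or any(EMAIL_RE.search(d) for d in decode_b64_tokens(body)):
            hits.add("email_in_unencrypted_post")
    # base64-encoded address in the fragment (used to pre-fill the fake login page)
    if any(EMAIL_RE.search(d) for d in decode_b64_tokens(parts.fragment)):
        hits.add("b64_email_in_fragment")
    # plaintext address smuggled in an OAuth 'state' parameter
    for state in parse_qs(parts.query).get("state", []):
        if EMAIL_RE.search(unquote(state)):
            hits.add("email_in_oauth_state")
    return hits


def unknown_hosts_after_turnstile(records, known_hosts):
    """Return sorted (client, host) pairs reached within CHALLENGE_WINDOW of a Turnstile load."""
    last_challenge = {}                          # client -> time of most recent challenge
    flagged = set()
    for rec in sorted(records, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(rec["ts"])
        if rec["host"] == TURNSTILE_HOST:
            last_challenge[rec["client"]] = ts
            continue
        seen = last_challenge.get(rec["client"])
        if seen and ts - seen <= CHALLENGE_WINDOW and rec["host"] not in known_hosts:
            flagged.add((rec["client"], rec["host"]))
    return sorted(flagged)


def scan(records, known_hosts):
    """Combine both checks into a list of (host, indicator) findings."""
    findings = [(rec["host"], hit) for rec in records for hit in sorted(per_request_indicators(rec))]
    findings += [(host, "unknown_host_after_turnstile")
                 for _client, host in unknown_hosts_after_turnstile(records, known_hosts)]
    return findings


if __name__ == "__main__":
    for host, indicator in scan(SAMPLE_REQUESTS, KNOWN_HOSTS):
        print(f"{host}: {indicator}")
```

The per-request checks are cheap enough to run inline on an email gateway or proxy, while the Turnstile-then-unknown-host sequence needs per-client state and is better suited to a SIEM correlation; the allowlist is what keeps the latter at the medium false-positive rate the table assigns it, since Turnstile on a legitimately categorised site is common.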
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Implement FIDO2 hardware keys or other phishing-resistant MFA methods.
- Block known malicious domains and IP addresses identified in the IOCs.
- Revoke active sessions for any users suspected of interacting with the phishing links.
Infrastructure Hardening
- Implement Zero Trust session validation and continuous access evaluation.
- Restrict access to Microsoft 365 from unmanaged devices or unexpected geolocations.
- Integrate Threat Intelligence feeds into SIEM and email gateways for early detection.
User Protection
- Deploy endpoint security tools capable of inspecting browser traffic for AitM proxy behavior.
- Enhance email filtering to analyze QR codes in attachments and inspect URLs behind legitimate redirectors (e.g., Mailchimp).
Security Awareness
- Train employees to recognize contextualized phishing lures, such as fake Teams voice messages or HR salary updates.
- Educate users on the risks of scanning QR codes from corporate emails on personal devices.
MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment
- T1566.002 - Phishing: Spearphishing Link
- T1111 - Two-Factor Authentication Interception
- T1550.004 - Use Alternate Authentication Material: Web Session Cookie
- T1583.001 - Acquire Infrastructure: Domains
- T1584.004 - Compromise Infrastructure: Server
- T1036 - Masquerading
Additional IOCs
- Domains:
  - aviture[.]us7[.]list-manage[.]com - Legitimate Mailchimp tracking URL abused to redirect victims to phishing infrastructure.
- URLs:
  - jewbreats[.]org/rexuzo/owa/apiowa[.]php - Endpoint used for credential exfiltration.