Authored by Ian Lin, Director of Research and Development at Packetlabs.
All too often, clients ask Packetlabs to assess only their external perimeter and to judge their security posture by what we can see and penetrate from the outside. That is not a problem for us, but it reflects a mindset that assumes a professional ethical hacker will not be able to breach the perimeter. Given enough effort and time, a breach is an eventuality.
“There are only two types of companies: Those that have been hacked and those that will be hacked.” – Robert S. Mueller, III, former Director of the FBI.
The quote captures the point that a highly motivated threat group will eventually gain the access it needs to accomplish its objectives. No matter how robust your defenses are, a determined and moderately skilled threat actor will find a way into your environment, given enough time and resources.
In a company of 100 employees, even a modest 5% click rate on phishing emails means that, on average, 5 people will fall victim to every campaign. Part of the challenge is demonstrating that publicly available tooling, often with minimal effort, makes a successful phishing attempt close to inevitable.
On April 6, 2017, Kuba Gretzky released the first public version of Evilginx. Ever since, researchers, ethical hackers, and threat groups have had success against organizations with multi-factor authentication configured. The project has pushed Microsoft and other software companies to improve their products against sophisticated actors who build custom tooling to circumvent security measures such as multi-factor authentication.
Since then, the developer has continued to support and improve the project. With its move into the commercial software space, users of the Pro version will likely have more success against some of the signatures that browsers have traditionally relied on (e.g. Chrome Safe Browsing with Enhanced Protection).
Evilginx2 is a phishing framework and development toolkit for performing adversary-in-the-middle (also called "man-in-the-middle", MITM) attacks against the authentication mechanisms of web applications. It sits as a reverse proxy between the victim and the legitimate login page, intercepting and manipulating the authentication session so that the attacker can capture credentials, session cookies, and other sensitive information. Its core functionality centers on four features:
Phishing Capabilities: Evilginx2 creates convincing phishing pages that mimic legitimate websites' login portals. It can replicate the appearance and functionality of popular identity and email services like AWS, Okta, Microsoft, and Google.
Session Hijacking: When a victim enters credentials on the phishing page, Evilginx2 records them before forwarding the request to the legitimate service's login system. Because the legitimate service's responses also pass back through the proxy, the session cookies it issues after a successful login are captured as well, giving the attacker the victim's username, password, and session tokens.
2FA Bypass: Evilginx2 can also capture and use two-factor authentication (2FA) tokens in real time, allowing attackers to bypass this additional security measure in some cases. This is particularly dangerous because it enables attackers to gain access even if the victim has 2FA enabled.
Configurability: The tool is highly configurable, allowing attackers to customize phishing pages, control how intercepted data is stored or relayed, and set up redirects to the legitimate site after successful phishing attempts to avoid suspicion.
In summary, Evilginx2 is a powerful tool that demonstrates the weaknesses inherent in web authentication flows that rely on phishable factors and bearer session cookies. Its existence underscores the ongoing challenge of defending against sophisticated phishing attacks and reinforces the need for robust security controls and user awareness. The custom implementations that Packetlabs has built for red team campaigns allow defenders and organizations to understand the impact of access beyond the email inbox and to see what reverse proxy phishing can achieve.
Take the following scenario: victims of a spear-phishing campaign receive emails that lure them into authenticating at an attacker-controlled domain hosting an instance of Evilginx2. Each request to the attacker's domain is forwarded to the provider's login page, and the response to each forwarded request is returned to the victim through the attacker's domain. The result is a seamless, realistic login experience from the victim's perspective. A victim with multi-factor authentication (MFA) enabled is prompted for their second factor as usual. It is important to note that the process is dynamic: the MFA prompt varies with the account's configuration, and the proxy relays whatever the provider returns.
Navigating to an Evilginx2 instance on an attacker's domain presents the page shown below. Entering false credentials produces an error, exactly as the legitimate provider's portal would.
Authenticating submits the request to the legitimate O365 portal (through the attacker's domain) and, if MFA is enabled, returns the multi-factor authentication prompt.
Upon entering the MFA code, Evilginx2 captures all of the authentication material, including the session cookies. This lets an attacker hijack the session by importing the cookies into their own web browser. The example capture shown contains the data that passed from the victim, through the attacker's domain, to the legitimate provider; in this case, every cookie set by the login.microsoftonline.com domain was captured.
Browser developer tools or a browser extension such as Cookie-Editor can import a list of cookies in JSON format.
Once the cookies are imported, the attacker refreshes the login.microsoftonline.com page in their own browser and gains full access to the account as the victim. It is important to note that this toolkit can simulate realistic landing pages and capture cookies, effectively bypassing traditional forms of multi-factor authentication, including but not limited to Microsoft Authenticator (approval or code) and SMS.
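The relay-and-capture mechanics described above, reduced to an offline simulation. This is an added example written for this article, not Evilginx2 code and not Packetlabs' own tooling: it shows why the cookies end up in the attacker's hands (the identity provider's Set-Cookie headers are addressed to the proxy, which records them and then rewrites them for the victim's browser) and what the resulting Cookie-Editor import looks like. The phishing domain, cookie values and credentials are constructed placeholders; the Microsoft form field names (`login`, `passwd`) and the Cookie-Editor field set are assumptions.

```python
"""Offline simulation of the relay-and-capture step described above. This is an
added example, not Evilginx2 code. The upstream host is the real Microsoft
sign-in host; the phishing host, cookie values and credentials are constructed."""
import json
from urllib.parse import parse_qs, urlsplit, urlunsplit

UPSTREAM_HOST = "login.microsoftonline.com"
LEGIT_SUFFIX = "microsoftonline.com"
PHISH_SUFFIX = "example-phish.test"   # assumption: attacker-controlled domain
ATTR_NAMES = {"httponly": "HttpOnly", "samesite": "SameSite", "max-age": "Max-Age"}


def swap_suffix(host: str) -> str:
    """login.microsoftonline.com -> login.example-phish.test (a leading dot survives)."""
    return host[: -len(LEGIT_SUFFIX)] + PHISH_SUFFIX if host.endswith(LEGIT_SUFFIX) else host


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Domain=x; Path=/; Secure; HttpOnly' into name, value, attrs."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def serialize_set_cookie(cookie: dict) -> str:
    out = [f"{cookie['name']}={cookie['value']}"]
    for key, val in cookie["attrs"].items():
        label = ATTR_NAMES.get(key, key.capitalize())
        out.append(label if val is True else f"{label}={val}")
    return "; ".join(out)


def capture_credentials(form_body: str, session: dict) -> None:
    """Record the victim's POSTed credentials before the request is forwarded.
    'login' and 'passwd' are the Microsoft sign-in form's field names (assumption)."""
    fields = parse_qs(form_body)
    if "login" in fields:
        session["username"] = fields["login"][0]
    if "passwd" in fields:
        session["password"] = fields["passwd"][0]


def proxy_response(upstream_headers: list, session: dict) -> list:
    """Relay the IdP's response to the victim. Each Set-Cookie is recorded with
    its ORIGINAL domain (what the attacker will replay), then rewritten so the
    victim's browser accepts it for the phishing host; Location headers are
    rewritten so redirects stay on the proxy. Everything else passes through."""
    relayed = []
    for name, value in upstream_headers:
        if name.lower() == "set-cookie":
            c = parse_set_cookie(value)
            session.setdefault("cookies", {})[c["name"]] = {
                "value": c["value"],
                "domain": c["attrs"].get("domain", UPSTREAM_HOST),
                "path": c["attrs"].get("path", "/"),
                "secure": c["attrs"].get("secure") is True,
                "httpOnly": c["attrs"].get("httponly") is True,
            }
            if "domain" in c["attrs"]:
                c["attrs"]["domain"] = swap_suffix(c["attrs"]["domain"])
            relayed.append(("Set-Cookie", serialize_set_cookie(c)))
        elif name.lower() == "location":
            u = urlsplit(value)
            relayed.append(("Location", urlunsplit(u._replace(netloc=swap_suffix(u.netloc)))))
        else:
            relayed.append((name, value))
    return relayed


def cookie_editor_rows(session: dict) -> list:
    """One object per captured cookie, in the shape Cookie-Editor imports
    (name/value/domain/path/secure/httpOnly/session; assumed field set)."""
    return [
        {"name": n, "value": c["value"], "domain": c["domain"], "path": c["path"],
         "secure": c["secure"], "httpOnly": c["httpOnly"], "session": True}
        for n, c in session.get("cookies", {}).items()
    ]


def demo() -> dict:
    """One victim sign-in: the credential POST, then the IdP's post-MFA response."""
    session = {}
    capture_credentials("login=alice%40contoso.example&passwd=Winter2024%21", session)
    upstream = [  # constructed response headers from login.microsoftonline.com
        ("Content-Type", "text/html"),
        ("Set-Cookie", "ESTSAUTH=0.AXsAexample; Domain=.login.microsoftonline.com; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "SignInStateCookie=constructed; Path=/; Secure; HttpOnly"),
        ("Location", "https://login.microsoftonline.com/common/SAS/ProcessAuth"),
    ]
    session["relayed_headers"] = proxy_response(upstream, session)
    return session


if __name__ == "__main__":
    s = demo()
    print(json.dumps(cookie_editor_rows(s), indent=2))
    for header in s["relayed_headers"]:
        print(*header, sep=": ")
```

The point to take from it is that nothing here breaks TLS or MFA: the proxy simply terminates the victim's connection and opens its own to the provider, so the provider's cookies are handed to the proxy first. Any second factor that the victim types or approves is relayed the same way, which is why the only factors that hold up are those bound to the origin the browser is actually on.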
Microsoft often places its security features behind premium licenses, a practice that hinders the security of customers using its identity platform. Many of the countermeasures against reverse proxy phishing require Microsoft Entra ID P1 or EMS E3.
If the entry point to your organization's Microsoft applications is protected by only a username and password, we urge you to mandate multi-factor authentication. Multi-factor authentication is not a full stop for attackers attempting to gain access, but it is one of the first layers in a defense-in-depth approach, since security is built in layers. The table below lists configurations that reduce the effectiveness of the Evilginx2 framework:
Configuration | Required License | How it helps against Evilginx2 |
---|---|---|
Conditional Access Policy (trusted IPs / named locations) | Microsoft Entra ID P1 or EMS E3/E5 or Microsoft 365 E3/E5/F3 | Effective because the sign-in reaches Microsoft from the Evilginx2 server's IP address rather than the user's; a policy that requires a trusted location fails the proxied sign-in |
Device Enrollment (Intune compliance) | Intune or EMS E3/E5 or Microsoft 365 E3/E5/F1/F3 | The attacker's device is not enrolled in the organization's Intune, so a policy that requires a compliant device fails the check |
Certificate-Based Authentication | Microsoft Entra ID P1 and Microsoft Defender for Cloud Apps or EMS E5 | Authentication tokens for office.com are still captured, but access to Microsoft applications is denied by Microsoft Defender for Cloud Apps access policies |
FIDO2 / Universal 2nd Factor (e.g. Windows Hello for Business, security keys) | Microsoft Entra ID P1 or EMS E3/E5 or Microsoft 365 E3/E5 | The signed assertion is bound to the origin the browser is actually on, so a challenge relayed through a phishing domain cannot produce a valid response for the legitimate domain |
Entra Hybrid Join | Microsoft Entra ID P1 or EMS E3/E5 or Microsoft 365 E3/E5 | As with device enrollment, the request originates from the attacker's reverse proxy rather than from a hybrid-joined device, so a policy that requires a hybrid-joined device fails |
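The FIDO2 row is the one control in the table that defeats the proxy by construction rather than by policy, and it is worth seeing why. The following is an added example, not Microsoft's or Evilginx2's code: a small model of the WebAuthn assertion flow in which the security key's ECDSA signature is stood in for by HMAC-SHA256 over the same bytes (the signature algorithm is not the point; the origin and rpId rules are, and those follow the real WebAuthn behaviour). The legitimate relying party is the real Microsoft sign-in host; the phishing origin is a placeholder. It runs the legitimate login, the proxied login as a real browser handles it, and the proxied login under a hypothetical browser that skips the rpId check, to show that the relying party rejects it anyway.

```python
"""Why a FIDO2/WebAuthn sign-in does not survive the relay. This is an added
example, not Microsoft's or Evilginx2's code: the security key's ECDSA signature
is stood in for by HMAC-SHA256 over the same bytes (authenticatorData followed by
SHA-256(clientDataJSON)); the origin and rpId rules are the real WebAuthn ones.
RP_ID is the real Microsoft sign-in host; the phishing origin is a placeholder."""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.microsoftonline.com"
PHISH_ORIGIN = "https://login.example-phish.test"   # assumption: attacker-controlled domain


class Authenticator:
    """A security key: one credential per rpId, and the key never leaves the device."""
    def __init__(self):
        self._creds = {}

    def register(self, rp_id: str):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key      # the RP stores cred_id and the verification key

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self._creds:
            raise LookupError(f"no credential registered for rpId {rp_id!r}")
        cred_id, key = self._creds[rp_id]
        # authenticatorData = rpIdHash (32 bytes) || flags (UP = 0x01) || signCount (4 bytes)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return cred_id, auth_data, sig


def browser_get(authenticator, page_origin: str, rp_id: str, challenge: str, enforce_rpid=True):
    """navigator.credentials.get() as the browser enforces it: rpId must equal the
    page's host or be a registrable suffix of it, and clientDataJSON.origin is set
    by the browser from the page's real origin (page script cannot choose it).
    enforce_rpid=False models a hypothetical browser that skips the first rule."""
    host = page_origin.split("://", 1)[1].split("/")[0].split(":")[0]
    if enforce_rpid and not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    cred_id, auth_data, sig = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return {"id": cred_id, "clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self, rp_id: str, allowed_origins):
        self.rp_id, self.allowed, self.keys = rp_id, set(allowed_origins), {}

    def new_challenge(self) -> str:
        return secrets.token_urlsafe(32)

    def verify(self, assertion: dict, challenge: str):
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False, "type or challenge mismatch"
        if cd.get("origin") not in self.allowed:      # the check no relay can satisfy
            return False, f"origin {cd.get('origin')!r} not allowed"
        ad = assertion["authenticatorData"]
        if ad[:32] != hashlib.sha256(self.rp_id.encode()).digest() or not ad[32] & 0x01:
            return False, "rpIdHash mismatch or user presence not asserted"
        key = self.keys.get(assertion["id"])
        if key is None:
            return False, "unknown credential"
        expect = hmac.new(key, ad + hashlib.sha256(assertion["clientDataJSON"]).digest(), hashlib.sha256).digest()
        return (True, "ok") if hmac.compare_digest(expect, assertion["signature"]) else (False, "bad signature")


def _enrolled():
    """A user who registered a key with the legitimate relying party."""
    rp, key = RelyingParty(RP_ID, {"https://" + RP_ID}), Authenticator()
    cred_id, secret = key.register(RP_ID)
    rp.keys[cred_id] = secret
    return rp, key


def legitimate_login():
    rp, key = _enrolled()
    ch = rp.new_challenge()
    return rp.verify(browser_get(key, "https://" + RP_ID, RP_ID, ch), ch)


def phished_login():
    """The proxy relays the real challenge and rpId; the victim's browser is on the
    phishing origin and refuses before the key is even touched."""
    rp, key = _enrolled()
    ch = rp.new_challenge()
    try:
        return rp.verify(browser_get(key, PHISH_ORIGIN, RP_ID, ch), ch)
    except ValueError as e:
        return False, str(e)


def phished_login_lenient_browser():
    """Even if the browser let it through, the phishing origin is inside the signed
    clientDataJSON, so the relying party rejects the assertion."""
    rp, key = _enrolled()
    ch = rp.new_challenge()
    return rp.verify(browser_get(key, PHISH_ORIGIN, RP_ID, ch, enforce_rpid=False), ch)


if __name__ == "__main__":
    for fn in (legitimate_login, phished_login, phished_login_lenient_browser):
        print(f"{fn.__name__}: {fn()}")
```

Two things follow for the rest of the table. First, a proxy that rewrites the rpId to its own host (as it rewrites cookie domains) fares no better: the key simply has no credential for that rpId. Second, the origin check happens on Microsoft's side, which is why this control does not depend on the user noticing the wrong domain, unlike every factor the user types or approves.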
In today's evolving threat landscape, multi-factor authentication (MFA) remains essential, but on its own it is no longer sufficient to stop attackers from gaining initial access. Sophisticated threat actors, information security professionals, and hobbyists continually develop tactics to bypass or exploit the MFA process. This underscores the need for a more comprehensive, layered approach that adds safeguards such as phishing-resistant authentication, device- and location-based conditional access, continuous monitoring, and proactive response.
By combining these measures, organizations can build a resilient defense that addresses weaknesses in identity and helps prevent breaches before they occur.
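As an added example of the continuous monitoring mentioned above (not part of the original post and not a Packetlabs or Microsoft tool), the following hunt runs over constructed, Entra-style sign-in records and looks for the two traces a reverse-proxy phish leaves: a successful MFA sign-in from an address outside the organization's named locations (the sign-in that the Conditional Access row in the table would have blocked), and a session whose token is later presented from a second IP address without a fresh MFA, which is what importing a captured cookie into another browser looks like. The records, the trusted range and the field names (in particular `sessionId`) are assumptions made for the example; map them to whatever your sign-in log or SIEM actually exposes.

```python
"""Added example (not from the original post): a hunt over constructed,
Entra-style sign-in records for the two traces a reverse-proxy phish leaves
behind. The records and the trusted IP range are made up, and the field names
only loosely follow the Entra sign-in log (assumption)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

TRUSTED_LOCATIONS = [ip_network("203.0.113.0/24")]   # assumption: the org's named locations

SIGNINS = [  # constructed sample records
    {"time": "2024-09-20T13:02:11Z", "user": "alice@contoso.example", "ip": "203.0.113.25",
     "sessionId": "s-1", "mfa": "success", "result": "success"},
    # bob completes MFA on the phishing page; Entra records the proxy's IP, not bob's
    {"time": "2024-09-20T14:10:40Z", "user": "bob@contoso.example", "ip": "198.51.100.77",
     "sessionId": "s-2", "mfa": "success", "result": "success"},
    # the captured session cookie is replayed from the attacker's own browser
    {"time": "2024-09-20T14:12:05Z", "user": "bob@contoso.example", "ip": "192.0.2.9",
     "sessionId": "s-2", "mfa": "not required", "result": "success"},
    # carol signs in from the office and later reuses her session from the same place
    {"time": "2024-09-20T15:00:00Z", "user": "carol@contoso.example", "ip": "203.0.113.40",
     "sessionId": "s-3", "mfa": "success", "result": "success"},
    {"time": "2024-09-20T16:30:00Z", "user": "carol@contoso.example", "ip": "203.0.113.40",
     "sessionId": "s-3", "mfa": "not required", "result": "success"},
]


def is_trusted(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_LOCATIONS)


def mfa_outside_trusted(records):
    """Successful MFA sign-ins from outside the named locations: the event a
    location-based Conditional Access policy would have blocked. Legitimate
    remote users land here too, which is why a location policy needs a VPN or a
    device-based alternative alongside it rather than standing alone."""
    return [r for r in records
            if r["result"] == "success" and r["mfa"] == "success" and not is_trusted(r["ip"])]


def session_reused_from_new_ip(records):
    """Sessions whose token is presented from a second IP without a fresh MFA:
    the signature of a captured cookie being imported into another browser."""
    by_session = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_session[r["sessionId"]].append(r)
    hits = {}
    for sid, rows in by_session.items():
        auth_ip = rows[0]["ip"]
        later = [r for r in rows[1:] if r["ip"] != auth_ip and r["mfa"] != "success"]
        if later:
            hits[sid] = {"user": rows[0]["user"], "auth_ip": auth_ip,
                         "replay_ips": sorted({r["ip"] for r in later})}
    return hits


def hunt(records):
    return {"mfa_outside_trusted": [(r["user"], r["ip"]) for r in mfa_outside_trusted(records)],
            "session_reused_from_new_ip": session_reused_from_new_ip(records)}


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(SIGNINS), indent=2))
```

The second check is the more specific one: a sign-in from an unexpected address is common, but a session that authenticated with MFA from one address and is then used from another without re-authenticating is exactly the sequence the cookie import in the walkthrough produces. When either fires, revoking the user's sessions is the containment step, since resetting the password alone leaves the captured cookie valid.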