Evilginx Tool (Still) Bypasses MFA

[Rob Wright](/author/robert-wright), March 28, 2025, 3 Min Read

Bypassing multifactor authentication isn't hard, if you're willing to get a little evil.

Sophos researchers this week [detailed how Evilginx](https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evilginx/), a malicious version of the widely used open source NGINX Web server, can be used in adversary-in-the-middle (AitM) attacks to steal credentials and authentication tokens.
Perhaps more importantly, the hacking tool can beat MFA protection.

Evilginx has been around for many years as an AitM framework for capturing user credentials, but security researchers have recently deployed the tool for more complex attacks. For example, Accenture security researcher Yehuda Smirnov last year [developed a technique](https://www.darkreading.com/endpoint-security/goodbye-attackers-can-bypass-windows-hello-strong-authentication) to beat Microsoft's Windows Hello for Business by downgrading the authentication via an Evilginx attack. Smirnov [demonstrated the technique](https://www.youtube.com/watch?v=UnudlFeHlrU) at Black Hat USA 2024, and Microsoft issued a fix to prevent the attack. However, Sophos researchers say Evilginx can still be used to sweep up credentials and bypass MFA.

Evilginx Attacks On Microsoft Users
-----------------------------------

Matthew Everts, senior analyst at Sophos X-Ops' Incident Response, explained in a blog post that Evilginx proxies Web traffic to malicious domains that spoof legitimate sites and services such as Office 365. The Sophos research team tested Evilginx with Microsoft-themed malicious domains and phishing pages to lure in users.

Everts noted that the lures use authentic forms and images from Microsoft itself, which are relayed from the company through the Evilginx server. Users are presented with what looks like a normal login page for Microsoft 365, which collects usernames and passwords. "On the back end, evilginx gives the attacker options for configuring the experience. In our testing, we mimicked a user account protected by MFA ... and promptly got around it," he wrote.

Evilginx can also collect users' session cookies, which gave the researchers an opening to bypass MFA.
Armed with the session cookie as well as additional data such as the user's IP address, Sophos researchers could go to the legitimate Microsoft login portal and sign in as the user.

"From here, the threat actor has full access to the user's mailbox account. Typical actions can include adding mailbox rules," Everts wrote. "If access is available, the threat actor can also reset MFA devices, change passwords, and perform a number of other actions to give themselves additional persistence to the account."

Enterprise security teams can detect this kind of malicious activity by reviewing Entra ID sign-in and audit logs, which would reveal suspicious connections from unknown IP addresses as well as a new authenticator app being added to a user's account. But at that point, the network has already been breached.

AitM Attacks In The Wild
------------------------

Sophos observed a recent Evilginx attack against an MSP, which will be detailed in an upcoming report, according to Chet Wisniewski, director, global field CISO at Sophos. "We also have seen an uptick in use of other attacker-in-the-middle tools like WikiKit, FlowerStorm, Tycoon2FA, Mamba2FA, and RaccoonO365," he says.

To prevent Evilginx attacks, Sophos's Everts urged organizations to move off token-based or push-MFA methods and embrace stronger, phishing-resistant [FIDO2-based options](https://www.darkreading.com/endpoint-security/lastpass-announces-availability-of-fido2-authenticators-for-passwordless-login) like passkeys. "The good news is that good options are available in many forms — Yubikey-type hardware keys, Apple Touch ID on modern hardware, Windows Hello for business, even options that incorporate iPhone and Android," Everts wrote.

Wisniewski says most threat actors try to bypass knowledge-based MFA, or those methods that use one-time passwords, SMS codes or push notifications.
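One way to turn the Entra ID log review described above into a repeatable check, as an added example rather than anything from Sophos or the article: the record layouts follow Microsoft Graph's signIn and directoryAudit objects, while the sample records and the per-user IP baseline (KNOWN_IPS) are constructed.

```python
"""Detection logic for the post-compromise pattern the article points to:
a sign-in from an IP the user has never used, followed by new security info
(an authenticator app) registered on the same account. Added example, not
Sophos's or Dark Reading's code; records are constructed samples shaped like
Microsoft Graph signIn / directoryAudit objects and KNOWN_IPS is an assumed
baseline you would build from your own sign-in history.
"""
from datetime import datetime, timedelta

REGISTER_EVENT = "User registered security info"   # Entra audit activity name
SIGN_INS = [   # constructed: status.errorCode 0 means a successful sign-in
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-03-27T08:02:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77",
     "createdDateTime": "2025-03-27T09:15:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.11",
     "createdDateTime": "2025-03-27T09:30:00Z", "status": {"errorCode": 0}},
]
AUDITS = [     # constructed directory-audit events
    {"activityDisplayName": REGISTER_EVENT, "activityDateTime": "2025-03-27T09:21:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}}},
    {"activityDisplayName": REGISTER_EVENT, "activityDateTime": "2025-03-27T12:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}}},
]
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"},  # assumed per-user baseline
             "bob@example.com": {"203.0.113.11"}}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def unknown_ip_sign_ins(sign_ins, known_ips):
    """Successful sign-ins whose source IP is outside the user's baseline."""
    return [s for s in sign_ins if s["status"]["errorCode"] == 0
            and s["ipAddress"] not in known_ips.get(s["userPrincipalName"], set())]

def correlate(sign_ins, audits, known_ips, window=timedelta(hours=24)):
    """Pair each unknown-IP sign-in with a security-info registration by the
    same user within `window` after it: the hijack-then-persist sequence."""
    findings = []
    for s in unknown_ip_sign_ins(sign_ins, known_ips):
        t0 = _ts(s["createdDateTime"])
        for a in audits:
            actor = a["initiatedBy"]["user"]["userPrincipalName"]
            t1 = _ts(a["activityDateTime"])
            if (a["activityDisplayName"] == REGISTER_EVENT
                    and actor == s["userPrincipalName"] and t0 <= t1 <= t0 + window):
                findings.append({"user": actor, "ip": s["ipAddress"],
                                 "sign_in": s["createdDateTime"],
                                 "mfa_registered": a["activityDateTime"]})
    return findings
```

Bob's registration is not flagged because his sign-in came from a baseline IP; Alice's unknown-IP sign-in six minutes before her new security info is the finding worth an immediate session revoke.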
Phishing-resistant MFA, however, prevents proxy attacks like Evilginx because a FIDO2 or [passkey authenticator](https://www.darkreading.com/endpoint-security/google-targets-passkey-support-high-risk-execs-civil-society) will not accept a login request that does not come from the domain associated with the key.

"A combination of FIDO2/passkeys and conditional access policies further strengthens this approach," he says. "Passkeys are a robust defense against AiTM toolkits, such as Evilginx."
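Why a proxied login fails against a passkey, shown from the relying-party side as an added example (not code from Sophos or the article); the RP ID, the two origins and the challenge are constructed.

```python
"""Relying-party side of the property that makes FIDO2/passkeys phishing
resistant: the browser records the origin of the page that requested the
assertion in clientDataJSON, the authenticator's signature covers its hash,
and the server rejects any origin but its own. Added example, not Sophos's
or the article's code; RP_ID, the origins and the challenge are constructed.
"""
import base64, hashlib, json, os

RP_ID = "example.com"                         # constructed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(origin, challenge):
    """What a browser puts in clientDataJSON for navigator.credentials.get();
    `origin` is the page's real origin, which page script cannot override."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def verify_client_data(client_data_json, expected_challenge, authenticator_data):
    """Checks the relying party runs before it even looks at the signature."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r is not bound to this RP" % cd.get("origin")
    # authenticatorData starts with SHA-256(rpId); the signature is over
    # authenticatorData || SHA-256(clientDataJSON), so neither can be swapped.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"

def demo():
    """Same challenge, two origins: the genuine login page and a proxy domain."""
    challenge = os.urandom(32)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x05\x00\x00\x00\x01"
    legit = verify_client_data(make_client_data("https://login.example.com", challenge),
                               challenge, auth_data)
    proxied = verify_client_data(make_client_data("https://login.example.net", challenge),
                                 challenge, auth_data)
    return legit, proxied
```

The browser also refuses to use a credential whose RP ID does not match the page's domain, so in practice the proxied request fails before it ever reaches the server; the origin check here is the server-side backstop.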
About the Author
----------------

[Rob Wright](/author/robert-wright)

Rob Wright is a longtime reporter and senior news director for Informa TechTarget's security team. He is based in the Boston area. [See more from Rob Wright](/author/robert-wright)
