Evilginx AiTM Attack Captures Microsoft Credentials

Person working at computer with cybersecurity threat detection screens showing MITM and network data
A cybersecurity professional focused on detecting network threats using multiple monitors

Overview

A new wave of adversary‑in‑the‑middle (AiTM) phishing attacks is targeting Microsoft users worldwide, and the tool behind it — Evilginx — is far more advanced than traditional phishing kits. Security researchers have confirmed that Evilginx can steal usernames, passwords, multi‑factor authentication (MFA) tokens, and authenticated session cookies simultaneously, effectively bypassing MFA entirely.

How Evilginx Works

Evilginx acts as a transparent proxy between the victim and the real Microsoft login page. When a user clicks a phishing link, they see a perfect replica of the legitimate login portal because it is actually the real page being mirrored live through the attacker’s server.

StepActionResult
Phishing Link ClickedVictim visits a lookalike domain controlled by the attacker.Connection redirected through Evilginx proxy.
Credentials EnteredUser inputs username and password on the mirrored Microsoft page.Data captured in real time.
MFA ApprovedVictim approves MFA prompt as usual.MFA token and session cookie intercepted.
Session HijackedAttacker imports the session cookie into their browser.Full account access without password or MFA.

Once the authenticated session cookie is captured, the attacker can replay it from any device anywhere in the world, gaining complete access to Microsoft accounts without triggering another MFA challenge.

Real‑World Case Study

Researchers at NetSPI documented a live engagement where Evilginx was used against a corporate executive team. They registered a lookalike domain and pointed an Evilginx server directly at the client’s Microsoft login flow.

The attack was wrapped in a social‑engineering scenario that made the phishing email appear urgent and legitimate. Once executives clicked the link and approved their MFA prompts, Evilginx captured their authenticated session cookies instantly.

“Even users who follow best practices and enable multi‑factor authentication are not fully protected from this attack,” NetSPI warned.

In one case, an executive forwarded the phishing link to two external contractors, nearly turning a single‑company breach into a multi‑organization incident — a stark reminder of how quickly AiTM attacks can spread.

Why MFA Is Not Enough

Traditional MFA protects against credential theft but not against session hijacking. Evilginx captures the session cookie after authentication completes, allowing attackers to bypass MFA entirely.

Attack TypeProtection Status
Password Phishing✅ Blocked by MFA
Session Hijacking (AiTM)❌ Not blocked by MFA
FIDO2 Hardware Keys / Passkeys✅ Phishing‑resistant authentication
Token Protection in Entra ID✅ Binds session tokens to device identity

Defending Against Evilginx‑Style Attacks

Security teams must adopt a layered defense strategy that goes beyond standard MFA.

  • Deploy Phishing‑Resistant Authentication → Use FIDO2 hardware keys or passkeys that bind authentication to the domain.
  • Enable Token Protection → Bind session tokens to specific devices to prevent cookie replay.
  • Monitor Sign‑In Logs → Detect tokens used from new IP addresses or locations.
  • Train Employees → Educate staff on handling unsolicited emails and login requests.
  • Restrict External Forwarding → Prevent users from sharing internal authentication URLs externally.

Expert in the Cloud Insight

The Evilginx AiTM framework represents a critical evolution in phishing tactics — it doesn’t steal your password; it steals your session. This shift means that security leaders must rethink authentication as a continuous process rather than a single checkpoint.

For organizations relying on Microsoft 365 and Entra ID, the path forward is clear: adopt phishing‑resistant MFA, enforce token binding, and monitor session integrity. Only then can we close the gap that AiTM attacks exploit.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.