
Cybercriminals are constantly evolving their methods, and one particularly dangerous attack vector that has been compromising business email accounts—even those protected by multi-factor authentication (MFA)—is the Evilginx reverse proxy attack. In this post, we'll break down how this attack works, demonstrate its effectiveness, and most importantly, discuss how to defend against it.
Evilginx is an open-source attack tool that can be deployed on a cloud server for as little as $5, with a domain name costing around $10 per year. Because of its accessibility and ease of use, even those with basic technical knowledge can set up this attack within a few hours.
Attackers register a domain that looks nearly identical to a legitimate website, such as a Microsoft login page. Since Microsoft uses various subdomains and URLs, a fraudulent domain can appear convincing at first glance.
The attack usually begins with a phishing email. The recipient may receive an email from a trusted contact—whose account has already been compromised—prompting them to click on a link to view an invoice or another document.
Clicking the link redirects the victim to a phishing page that looks identical to Microsoft's login portal. The victim, believing it to be legitimate, enters their email and password.
Once the user submits their credentials, Evilginx captures them in real time. If multi-factor authentication is enabled, the victim is prompted to approve the login on their authenticator app or enter a one-time passcode. Once they do, Evilginx intercepts the session token that the legitimate site issues after a successful MFA challenge, allowing the attacker to take full control of the account.
The intercepted session token is the key to the attack. With this token, the attacker can bypass MFA completely, logging in from any device, anywhere in the world, without needing additional authentication.
Once inside, attackers can access OneDrive files, SharePoint data, emails, and even set up forwarding rules to monitor communications. If they gain access to a global admin account, the damage can be even more severe, allowing them to manipulate settings, create new accounts, or even deploy further attacks.
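Because the replayed session token is what lets the attacker sign in from anywhere without a fresh MFA challenge, the most useful detection signal a defender has is the same session identifier appearing from a different network or device with MFA marked as already satisfied. The script below is an added example, not code from the original post or from the Evilginx project: it runs that check over a few constructed sign-in records and then correlates any flagged session with mailbox-forwarding changes in a constructed audit log. The record layout and field names (`session_id`, `mfa`, `device`, `detail`) are this example's own assumptions, not any vendor's log schema; the `action` values are modelled on Exchange inbox-rule cmdlet names.

```python
"""Flag likely session-token replay after a reverse-proxy phish.

Added example; the log format below is constructed for illustration and is
not a real sign-in or audit schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data).
SIGN_INS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice@example.com", "session_id": "sess-a1",
     "ip": "203.0.113.10", "country": "GB", "device": "corp-laptop-7",
     "mfa": "challenge_completed"},
    # Same session id minutes later from another network and an unknown device,
    # with MFA "previously satisfied": the shape of a replayed token.
    {"ts": "2024-05-01T09:06:00", "user": "alice@example.com", "session_id": "sess-a1",
     "ip": "198.51.100.77", "country": "NL", "device": "unknown",
     "mfa": "previously_satisfied"},
    # Legitimate continuation of a session from the same device and IP (not flagged).
    {"ts": "2024-05-01T10:00:00", "user": "bob@example.com", "session_id": "sess-b1",
     "ip": "203.0.113.20", "country": "GB", "device": "corp-laptop-12",
     "mfa": "challenge_completed"},
    {"ts": "2024-05-01T13:00:00", "user": "bob@example.com", "session_id": "sess-b1",
     "ip": "203.0.113.20", "country": "GB", "device": "corp-laptop-12",
     "mfa": "previously_satisfied"},
]

# Constructed mailbox audit events; action names modelled on Exchange cmdlets.
AUDIT_EVENTS = [
    {"ts": "2024-05-01T09:09:00", "user": "alice@example.com", "session_id": "sess-a1",
     "action": "New-InboxRule", "detail": "forward to external mailbox"},
    {"ts": "2024-05-01T11:00:00", "user": "bob@example.com", "session_id": "sess-b1",
     "action": "Set-Mailbox", "detail": "signature updated"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_token_replay(sign_ins, window=timedelta(hours=24)):
    """Return one alert per session whose id is reused from a different IP or
    device, without a fresh MFA challenge, within `window` of the first sign-in."""
    by_session = defaultdict(list)
    for rec in sign_ins:
        by_session[(rec["user"], rec["session_id"])].append(rec)

    alerts = []
    for (user, sid), recs in by_session.items():
        recs.sort(key=lambda r: _parse(r["ts"]))
        origin = recs[0]  # the sign-in that actually completed the MFA challenge
        for later in recs[1:]:
            delta = _parse(later["ts"]) - _parse(origin["ts"])
            if delta > window:
                continue
            moved = later["ip"] != origin["ip"] or later["device"] != origin["device"]
            if moved and later["mfa"] != "challenge_completed":
                alerts.append({
                    "user": user,
                    "session_id": sid,
                    "origin": (origin["ip"], origin["country"], origin["device"]),
                    "replay": (later["ip"], later["country"], later["device"]),
                    "minutes_after_mfa": int(delta.total_seconds() // 60),
                })
    return alerts


def correlate_forwarding_rules(alerts, audit_events):
    """Return audit events that set up mail forwarding inside a flagged session,
    the post-compromise step described in the post."""
    flagged = {(a["user"], a["session_id"]) for a in alerts}
    return [
        ev for ev in audit_events
        if (ev["user"], ev["session_id"]) in flagged and "forward" in ev["detail"].lower()
    ]


if __name__ == "__main__":
    found = find_token_replay(SIGN_INS)
    for a in found:
        print(f"[replay] {a['user']} session {a['session_id']}: MFA at {a['origin']}, "
              f"reused {a['minutes_after_mfa']} min later from {a['replay']}")
    for ev in correlate_forwarding_rules(found, AUDIT_EVENTS):
        print(f"[forwarding] {ev['user']} {ev['action']} at {ev['ts']}: {ev['detail']}")
```

The heuristic is deliberately conservative: a session that continues from the same device and address is left alone, so the script only fires on the combination the attack produces, a token that was minted after a real MFA challenge and then presented from somewhere the challenge never happened. In a real deployment the same logic would be fed from the identity provider's sign-in export and the mailbox audit log, and the forwarding-rule correlation gives the responder the first thing to revert once the session is revoked.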
While this attack is highly effective, there are ways to defend against it. One of the best methods is implementing conditional access policies, which can block these attacks based on specific criteria such as:
If your organization wants to learn more about securing accounts against this attack, reach out to us. We can provide detailed instructions on how to set up protective measures to safeguard your business from these threats.
Cybersecurity is constantly evolving—make sure your defenses are too.