Multifactor authentication (MFA) has long been hailed as a crucial security measure, but researchers are warning that it’s not as impenetrable as once believed. A malicious tool known as Evilginx is being used to bypass MFA, allowing attackers to steal credentials and gain access to sensitive accounts.
How Evilginx Tricks Microsoft Users
Sophos researchers recently tested Evilginx against Microsoft users and found it disturbingly effective. The attack works by intercepting web traffic and presenting users with a spoofed login page that looks identical to a legitimate Microsoft 365 login.
Users enter their credentials, thinking they are logging into their real accounts. However, behind the scenes, Evilginx captures those details and also snags session cookies, which allow attackers to bypass MFA completely.
“From here, the threat actor has full access to the user’s mailbox account,” wrote Matthew Everts, senior analyst at Sophos X-Ops. “If access is available, the attacker can reset MFA devices, change passwords, and establish long-term persistence.”
Once inside, hackers can:
- Set up mailbox rules to forward emails
- Reset passwords and authentication settings
- Gain continued access even after users update their credentials
Attacker-in-the-Middle (AitM) Techniques on the Rise
Evilginx is not a new tool, but its recent use in more sophisticated attacks has alarmed security researchers. Accenture’s Yehuda Smirnov demonstrated how an Evilginx-powered attack could even defeat Windows Hello for Business.
Microsoft responded with a patch, but Sophos researchers say that Evilginx remains a powerful weapon in the hacker arsenal. And it’s not the only one.
Other phishing kits built on the same AitM technique include:
- WikiKit
- FlowerStorm
- Tycoon2FA
- Mamba2FA
- RaccoonO365
Sophos has been tracking an Evilginx attack against a managed service provider (MSP) and plans to release a detailed report soon. Chet Wisniewski, Sophos’ global field CISO, warned that attackers are increasingly targeting knowledge-based MFA, which relies on SMS codes, one-time passwords, or push notifications.
How Companies Can Protect Themselves
Cybersecurity experts say organizations need to rethink their approach to authentication. Traditional MFA methods—while better than nothing—are vulnerable to AitM attacks. Instead, companies should adopt phishing-resistant authentication methods like FIDO2 and passkeys.
Everts from Sophos recommends:
- Hardware-based security keys (like YubiKeys)
- Biometric authentication (Apple Touch ID, Windows Hello)
- Device-based authentication (iPhone and Android passkeys)
FIDO2-based MFA is immune to Evilginx attacks because each credential is bound to the legitimate site's origin: the browser reports the domain the user is actually on, so a lookalike site cannot obtain a valid response for the real one, and there is no reusable code or password for the proxy to capture.
“A combination of FIDO2/passkeys and conditional access policies further strengthens this approach,” Wisniewski said. “Passkeys are a robust defense against AitM toolkits, such as Evilginx.”
Detecting Evilginx Attacks
By the time an Evilginx attack is detected, the breach has often already occurred. However, security teams can spot warning signs by monitoring user login activity closely.
Enterprise security teams should check:
- Entra ID sign-in and audit logs for unusual login attempts
- New authenticator apps added to accounts unexpectedly
- Connections from unfamiliar IP addresses
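As an added example (not from the article or the Sophos report), the checks above expressed as correlation logic over constructed Entra ID-style sign-in and audit events; the field names and the per-user IP baseline are simplified assumptions, not the real log schema:

```python
"""Flag sign-ins from IPs never seen for a user, and authenticator
registrations that follow such a sign-in shortly afterwards: the pattern of
a stolen session cookie being replayed and a new MFA device being added."""
from datetime import datetime, timedelta

# Constructed sample events (not real log data); keys are simplified
# stand-ins for the Entra ID sign-in and audit log fields.
SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "time": "2025-03-01T08:02:00"},
    {"user": "alice@example.com", "ip": "198.51.100.77", "time": "2025-03-01T08:05:30"},
    {"user": "bob@example.com", "ip": "203.0.113.11", "time": "2025-03-01T09:10:00"},
]
AUDITS = [
    {"user": "alice@example.com", "activity": "User registered security info", "time": "2025-03-01T08:09:00"},
    {"user": "bob@example.com", "activity": "User registered security info", "time": "2025-03-01T15:00:00"},
]
# Assumed baseline of IPs each user has previously signed in from (constructed).
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.11"}}


def unfamiliar_signins(signins, known_ips):
    """Sign-ins whose source IP is not in the user's baseline."""
    return [s for s in signins if s["ip"] not in known_ips.get(s["user"], set())]


def suspicious_registrations(signins, audits, known_ips, window=timedelta(minutes=30)):
    """Security-info registrations within `window` after an unfamiliar sign-in
    by the same user. A registration with no such preceding sign-in is ignored."""
    odd = unfamiliar_signins(signins, known_ips)
    hits = []
    for a in audits:
        if a["activity"] != "User registered security info":
            continue
        t_reg = datetime.fromisoformat(a["time"])
        for s in odd:
            gap = t_reg - datetime.fromisoformat(s["time"])
            if s["user"] == a["user"] and timedelta(0) <= gap <= window:
                hits.append({"user": a["user"], "ip": s["ip"], "registered_at": a["time"]})
    return hits


if __name__ == "__main__":
    for h in suspicious_registrations(SIGNINS, AUDITS, KNOWN_IPS):
        print(f"ALERT {h['user']}: security info registered at {h['registered_at']} "
              f"minutes after a sign-in from unfamiliar IP {h['ip']}")
```

In practice the baseline would come from historical sign-in data and the events from the Entra ID export or SIEM, but the correlation (unfamiliar sign-in followed by a new authenticator) is the same.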
Once an attacker gains access, it becomes much harder to kick them out. That’s why prevention—rather than detection—is key.
Evilginx is a reminder that no security measure is foolproof. While MFA remains an important layer of defense, companies can no longer rely on it alone. Stronger authentication options are available, and with hackers getting smarter, upgrading security measures is no longer optional.