Multifactor authentication (MFA), long considered a cornerstone of online security, is facing a serious challenge. Security researchers are raising alarms about a tool called Evilginx, which allows hackers to bypass MFA and hijack accounts. A recent investigation by Sophos into attacks on Microsoft users highlights how this method effectively steals credentials and session cookies, giving attackers complete control over sensitive accounts and data.
How the Evilginx Attack Bypasses Security
The Evilginx tool operates using an Attacker-in-the-Middle (AitM) technique. It essentially places itself between the user and the legitimate website, such as a Microsoft 365 login page. The user is presented with a fake login page that looks exactly like the real one.
When the user enters their username and password, Evilginx captures them. But it doesn’t stop there. The tool also intercepts the session cookie that is generated after a successful MFA verification. This cookie is what tells the service that the user is authenticated, allowing the attacker to access the account without needing to go through the MFA process again.
According to Matthew Everts, a senior analyst at Sophos X-Ops, once the attacker has this access, the consequences are severe. They can take several malicious actions to secure their foothold in the account.
- Set up new mailbox rules to secretly forward sensitive emails.
- Reset the account’s password and change MFA settings.
- Establish long-term persistence, making them difficult to remove.
A Growing Family of AitM Tools
While Evilginx is gaining attention, it is not an isolated threat. Security experts note that its use in more complex attacks is on the rise, and it is part of a larger ecosystem of similar tools. These toolkits make it easier for attackers to carry out sophisticated phishing campaigns that defeat common forms of MFA.
Chet Wisniewski, Sophos’ global field CISO, warned that attackers are specifically targeting knowledge-based MFA. This includes methods that rely on SMS codes, one-time passwords from authenticator apps, or simple push notifications, as they are all vulnerable to interception.
Here are some other AitM toolkits that researchers are tracking:
Tool Name | Primary Target/Function
--- | ---
WikiKit | General phishing and credential harvesting.
FlowerStorm | Used in various phishing campaigns to bypass MFA.
Tycoon2FA | Specifically targets Microsoft 365 and Gmail accounts.
Mamba2FA | Another toolkit focused on bypassing 2FA mechanisms.
RaccoonO365 | Targets Office 365 environments for data theft.
Moving to Phishing-Resistant Authentication
The rise of Evilginx attacks makes it clear that not all MFA methods are created equal. Cybersecurity experts are urging organizations to move away from vulnerable forms of authentication and adopt stronger, phishing-resistant alternatives.
The most effective defense against these attacks is FIDO2-based authentication. This standard includes technologies like hardware security keys and passkeys. FIDO2 works by tying the authentication process to a specific website domain. Even if a user is tricked into entering credentials on a fake site, the stolen information cannot be used on the real site because the domain does not match.
Experts like Everts and Wisniewski recommend a layered approach for maximum security.
- Hardware-based keys: Physical devices like YubiKeys provide a strong, unphishable authentication factor.
- Biometric authentication: Systems like Apple Touch ID and Windows Hello are tied to the user’s physical device.
- Device-based passkeys: Modern passkeys stored on a phone or computer offer a secure and convenient alternative.
Wisniewski stated, “Passkeys are a robust defense against AitM toolkits, such as Evilginx.” Combining them with conditional access policies, which can restrict logins based on location or device health, further strengthens an organization’s security posture.
Detecting the Signs of an Attack
While prevention is the best strategy, detection is also critical. By the time an Evilginx attack is discovered, the damage may already be done. However, vigilant security teams can look for warning signs that indicate a compromise has occurred.
Monitoring user login activity is the first step. Enterprise security teams should pay close attention to Entra ID (formerly Azure AD) sign-in and audit logs for anything out of the ordinary. Unusual login patterns or locations can be a red flag.
Specifically, IT teams should watch for new authenticator apps being added to an account or connections from unfamiliar IP addresses. These could be signs that an attacker has gained access and is trying to establish persistence. Because removing an attacker is much harder than stopping them in the first place, upgrading to stronger authentication is no longer just a recommendation but a necessity.
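The two warning signs named above (a new authenticator method added to an account, and sign-ins from IP addresses outside the user's normal pattern) can be correlated in a simple detection pass. The following is an added illustration, not code from Sophos or the article; the log records are constructed, and their field names are assumptions loosely modelled on Entra ID sign-in and audit entries rather than copied from Microsoft documentation.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names are assumptions for this example,
# loosely modelled on Entra ID sign-in and audit logs.
SIGNIN_LOGS = [
    {"createdDateTime": "2025-03-03T08:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "status": "success", "appDisplayName": "Office 365"},
    {"createdDateTime": "2025-03-03T09:40:27Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "status": "success", "appDisplayName": "Office 365"},
    {"createdDateTime": "2025-03-03T09:45:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.22", "status": "success", "appDisplayName": "Office 365"},
]
AUDIT_LOGS = [
    {"activityDateTime": "2025-03-03T09:52:03Z", "activityDisplayName": "User registered security info",
     "targetUser": "alice@example.com", "detail": "Authenticator App added"},
    {"activityDateTime": "2025-03-03T09:50:10Z", "activityDisplayName": "User registered security info",
     "targetUser": "bob@example.com", "detail": "Authenticator App added"},
]
# Per-user baseline of IPs seen before the observation window (constructed).
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.22"}}

def _ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def find_suspicious_activity(signins, audits, known_ips, window=timedelta(hours=2)):
    """Return alerts for (1) successful sign-ins from IPs outside the user's
    baseline and (2) MFA-method registrations following such a sign-in within
    `window`; the second pattern matches an attacker establishing persistence."""
    alerts, unfamiliar = [], []
    for s in signins:
        user = s["userPrincipalName"]
        if s["status"] == "success" and s["ipAddress"] not in known_ips.get(user, set()):
            unfamiliar.append(s)
            alerts.append({"user": user, "ip": s["ipAddress"], "time": s["createdDateTime"],
                           "reason": "sign-in from IP outside baseline"})
    for a in audits:
        if a["activityDisplayName"] != "User registered security info":
            continue
        t_a = _ts(a["activityDateTime"])
        for s in unfamiliar:
            if s["userPrincipalName"] != a["targetUser"]:
                continue
            if timedelta(0) <= t_a - _ts(s["createdDateTime"]) <= window:
                alerts.append({"user": a["targetUser"], "ip": s["ipAddress"], "time": a["activityDateTime"],
                               "reason": "MFA method registered after sign-in from unfamiliar IP"})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_activity(SIGNIN_LOGS, AUDIT_LOGS, KNOWN_IPS):
        print(alert)
```

Bob's registration follows a sign-in from his baseline IP and is not flagged, while Alice's new authenticator appears eleven minutes after a sign-in from an address outside her baseline and produces both alerts.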