Thwarting Evilginx Attacks on Microsoft Entra ID

Attackers continually refine their methods to compromise user identities and gain unauthorized access to sensitive systems. One particularly insidious threat is Evilginx, a phishing framework designed to bypass traditional multi-factor authentication (MFA) by operating as an adversary-in-the-middle (AitM) — sometimes known as man-in-the-middle (MitM) — proxy. Evilginx intercepts and manipulates communication between users and legitimate sites, enabling attackers to steal credentials, session cookies, and other sensitive data. It’s a favorite tool of threat groups such as the Russian-based Star Blizzard, as warned in a joint advisory from CISA, the UK National Cyber Security Centre, the Australian Cyber Security Centre, and the Canadian Centre for Cyber Security, among other governmental security bodies.

Threat researchers and incident response teams have reported a noticeable surge in phishing campaigns utilizing Evilginx, exploiting MFA’s reliance on session validation. Even with MFA in place, Evilginx captures session cookies after authentication is complete, granting attackers unauthorized access to accounts. In many cases, it can also bypass Windows Hello for Business. This makes it a particularly effective tool for targeting Microsoft Entra ID environments. This article peels back the layers on Evilginx, looking at how it  operates, why it’s effective, and the best defenses to help keep your organization secure.

The Evolution of Evilginx

Originally developed as a pentesting tool to demonstrate the vulnerabilities of traditional MFA, Evilginx has evolved to become a cornerstone of sophisticated phishing campaigns. Using a modified version of the open-source nginx web server software, early versions focused on basic credential harvesting. Newer iterations, however, incorporate advanced features like session cookie interception and real-time proxying to bypass MFA entirely. Now named Evilginx 3 and written in Go, the framework is stable, adaptable and set up to target platforms like Microsoft Entra ID. It comes with built-in “phishlets” to easily configure identical login experiences for Microsoft 365, Citrix, Okta, and other sites.

Understanding Reverse Proxies

Reverse proxies are a legitimate, widely-used technique where a proxy server handles requests and responses on behalf of the origin server. It sits between an endpoint, such as a user’s desktop, and public facing traffic and websites. Requests from the endpoint are intercepted by the reverse proxy server, which then sends the requests on to the origin server. This helps organizations manage incoming traffic, distribute loads across servers, and strengthen security by shielding the internal server structure. It also allows organizations to cache content that may be commonly used by their users, saving loading time. 

Reverse Proxy Flow

Evilginx-blog-Diagram4@2x

How Evilginx Works

Evilginx leverages the concept of a reverse proxy, but configured specifically to capture a user’s credentials and session cookies once they are tricked into accessing the Evilginx URL instead of the legitimate target server.

The process goes something like this.

1. Phishing lure: The attacker lures the victim into clicking on a phishing link sent by email or SMS, which takes them to the Evilginx-created phishing site:

Evilginx-blog-Diagram5x

2. Fraudulent site: The phishing site consists of a fake login page that looks and behaves exactly like the legitimate site, complete with a valid TLS certificate and lock icon. When the user tries to log in, Evilginx forwards the request to the real service:

Evilginx-blog-Diagram6x

3. Credential harvesting: The user enters their username and password on the fake page, which Evilginx captures and sends to the genuine site. Evilginx also collects and passes back second factor authentication factors, such as OTPs and out-of-band authentication (eg. push notification to the MS Authenticator app).

4. Session hijacking: If successfully authenticated, the legitimate service will return session credentials (tokens, session cookie), which Evilginx intercepts. The attacker uses the captured credentials and session cookies to directly access the user’s account.

Evilginx-blog-Diagram1x

5. Account takeover: Once the attacker has control of the session, they can change the user’s password and other information, locking the victim out.

Handling Federation Redirects

But what if Entra ID is configured to redirect to a different IdP (like ADFS) to perform federated authentication?

The flow is very similar to the simpler flow above, except Entra is going to return a 302 redirect to the downstream IdP. As long as Evilginx is configured to be aware of the redirect host, it will spin up a new “host” under its subdomain, and proxy the redirect to the browser to go there instead:

Evilginx-blog-Diagram7x

So even if the user enters their credentials in the downstream IdP, the result is the same. The downstream IdP issues a federation token (eg. SAML or OIDC) which Evilginx uses to get the final session tokens from Entra ID:

Evilginx-blog-Diagram2x

How Attackers Use Evilginx

Attackers leveraging Evilginx often start by targeting the weakest link: unprotected personal devices. A common scenario involves a phishing email sent to an employee’s personal email address, which is less likely to be secured by corporate defenses. For example, if you work for Acme.com, you might receive a spear-phishing email that appears relevant to your role or recent activities. Once you click the link, expecting to authenticate, the attacker’s Evilginx server intercepts the login process as described above, capturing credentials and session cookies, and eventually locking you out of your account entirely.

Generative AI has made these attacks easier and far more effective. By mining public data about employees — such as their social media profiles, published work, and LinkedIn connections — attackers can craft highly convincing, customized phishing campaigns (aka “spear phishing”) within minutes. Moreover, Evilginx makes it easy to set up the phishing site, providing exact replicas of login pages for Microsoft Entra ID, Okta and other popular services.

Inside an Evilginx Attack on Entra ID

In this attack demo, you can see how easy it is to hack into and take over an Entra ID account using Evilginx, even with “stronger” MFA with number matching turned on.

 

 

Defending Against Evilginx

Protecting against Evilginx attacks starts with basic, foundational defenses like two-factor authentication (2FA). While not immune to compromise — attackers can still steal session cookies — 2FA adds a layer of difficulty that may deter some threats. Another critical measure is network traffic inspection, particularly for enterprises. Monitoring where traffic is directed can help identify phishing URLs and flag malicious activity, though detection often occurs after users have already clicked on links.

Employee phishing awareness training can also reduce the risk of falling for phishing attempts, although it’s unrealistic to expect perfect vigilance. Mistakes are inevitable, especially as attackers craft increasingly targeted, convincing lures.

The most effective strategy lies in adopting FIDO passkeys for authentication. Passkeys use domain binding, which ensures that authentication attempts will only succeed if the domain matches the one the passkey was registered with. This effectively renders reverse proxy tools like Evilginx useless, as they cannot impersonate the bound domain.

Evilginx-blog-Diagram3@2x

What About Windows Hello for Business?

Although Windows Hello for Business (WHfB) is a FIDO2 compliant authenticator, the way it is usually configured makes it vulnerable to Evilginx attacks. Most organizations set up WHfB to be the primary authentication method, with a more insecure fallback option, such as password plus an SMS OTP or Microsoft Authenticator. To make this worse, there are Evilginx phishlets available that specifically bypass WHfB  authentication (in case it was used last time by the user) by forcibly downgrading the flow to use the more vulnerable fallback methods. 

The key is to enable policies in Conditional Access that don’t allow a less-secure (non-phishing-resistant) fallback option. If you do, the attackers will exploit it, making it pointless for deploying WHfB in the first place.

How HYPR Thwarts Evilginx Attacks

HYPR is designed to outsmart the most sophisticated AitM tactics, including Evilginx attacks. HYPR Enterprise Passkeys leverage FIDO passkey standards, binding the domain to the key so that only login attempts on the correct domain can succeed. This effectively shuts down reverse proxy tools that rely on intercepting session cookies or credentials. HYPR only uses phishing-resistant, FIDO Certified passwordless MFA methods — it never falls back to a shared secret that can be phished or intercepted. It can be used as the primary authentication method or a phishing-resistant fallback for Windows Hello for Business.

See what this protection looks like during the same phishing attack demonstrated above.

 

 

More Layers of Identity Protection

On top of our leading passwordless architecture, our identity risk engine, HYPR Adapt, adds another layer of security by detecting and responding to risk signals — even if the correct credentials are used. Account recovery is another area frequently exploited by attackers. They employ social engineering to impersonate a legitimate user and convince the help desk to provision new credentials. HYPR’s identity verification solution prevents this by ensuring someone is the rightful account owner before allowing credentials to be issued. 

Read more about HYPR’s continuous, end-to-end identity assurance for your Microsoft Entra ID and hybrid environments or arrange a custom demo to see it in action.

 

New call-to-action

Related Content