How EvilGinx Bypasses Multifactor Authentication
Email phishing techniques evolve every day. One particularly concerning threat is EvilGinx, a sophisticated phishing attack, often termed a "man-in-the-middle" or adversary-in-the-middle attack, that we're seeing Canadian businesses fall victim to. It's designed to bypass multifactor authentication (MFA) by capturing authentication tokens and session cookies in real time. Its ability to bypass MFA can result in unauthorized access to IT systems and compromised data, potentially leading to financial loss, reputational damage and legal consequences. Here's a breakdown of how it works and its implications:
1. Man-in-the-Middle Phishing
- A traditional phishing attempt steals credentials by tricking the user into entering their login information on a fake website.
- EvilGinx goes further by acting as a proxy between the victim and the legitimate service. When the victim enters their credentials on the fake site, EvilGinx forwards them to the real site, retrieves the legitimate session cookies, and then hijacks the session.
2. Bypassing MFA
- One of the major strengths of EvilGinx is its ability to capture not only login credentials but also MFA tokens.
- When a user logs in using MFA, EvilGinx intercepts the token and the session cookies, allowing the attacker to gain unauthorized access without needing the MFA code again.
Step-by-Step Attack Scenario
- Phishing stage
- The fake login page
- Data interception
- Session hijacking
- Unauthorized access
What's most significant about EvilGinx is that one does not have to be a security specialist to execute an attack. A simple demonstration is showcased in the video titled "I Stole a Microsoft 365 Account. Here's How."
How to Defend Against EvilGinx
The best approach to cybersecurity is a multi-layered one that includes phishing-resistant MFA, Managed Detection and Response, Security Awareness Training, conditional access policies and, of course, a Managed Service Provider to implement these solutions and keep your business secure as the cyber threat landscape evolves.
Phishing Resistant MFA
- FIDO2 Security Keys/Tokens: Consider using a hardware token (a FIDO2 security key) as the MFA method. Note that this also requires biometric-capable end-user devices.
- Biometric Authentication: Using biometric data such as fingerprints, facial recognition, or iris scans adds an extra layer of security. These characteristics are generally harder for attackers to replicate through phishing.
- Certificate-based: Microsoft Entra certificate-based authentication (CBA) lets organizations allow or require users to authenticate directly with X.509 certificates against Microsoft Entra ID for application and browser sign-in. The certificates are issued by the organization's own Public Key Infrastructure (PKI).
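The reason FIDO2 keys defeat a proxy like EvilGinx is that the authenticator's signature covers the origin the browser is actually connected to and the RP ID, so an assertion produced on a lookalike domain fails the relying party's checks and no authenticated session (and therefore no session cookie) is ever created. The following is an added Python example, not code from this article or from the EvilGinx project, modelling that check: the domain names, challenge and key are constructed for the demo, and an HMAC over a shared demo secret stands in for the authenticator's public-key signature.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"              # constructed: the legitimate relying party
RP_ORIGIN = "https://login.example.com"
DEMO_KEY = b"demo-credential-key"        # demo stand-in for the credential's key pair

def authenticator_assert(challenge: bytes, browser_origin: str) -> dict:
    """Browser + authenticator: the browser records the origin it is really connected to."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": browser_origin}).encode()
    rp_id = browser_origin.split("://", 1)[1]   # demo: RP ID derived from the origin (browsers enforce this)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05\x00\x00\x00\x01"  # rpIdHash|flags|counter
    sig = hmac.new(DEMO_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion: dict, expected_challenge: bytes):
    """Relying-party checks; an AiTM proxy at a lookalike domain cannot satisfy them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge.hex():
        return False, "type or challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:                       # origin binding
        return False, f"origin {cd.get('origin')} is not {RP_ORIGIN}"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():  # rpIdHash binding
        return False, "rpIdHash mismatch"
    expected = hmac.new(DEMO_KEY, ad + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def demo(browser_origin: str):
    """Proxy relays the genuine challenge, but the browser signs for the origin the victim is on."""
    challenge = secrets.token_bytes(32)
    return rp_verify(authenticator_assert(challenge, browser_origin), challenge)

def demo_proxy_patches_fields():
    """Proxy rewrites origin and rpIdHash before relaying; both are under the signature."""
    challenge = secrets.token_bytes(32)
    a = authenticator_assert(challenge, "https://login-example.com")
    cd = json.loads(a["clientDataJSON"])
    cd["origin"] = RP_ORIGIN
    a["clientDataJSON"] = json.dumps(cd).encode()
    a["authenticatorData"] = hashlib.sha256(RP_ID.encode()).digest() + a["authenticatorData"][32:]
    return rp_verify(a, challenge)
```

`demo("https://login.example.com")` succeeds, while `demo("https://login-example.com")` is rejected at the origin check and `demo_proxy_patches_fields()` is rejected at the signature check.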
Managed Detection and Response for Microsoft 365: Many Microsoft 365-reliant businesses are now adopting Managed Detection and Response (MDR) to protect all users, applications and environments, and to detect and resolve email phishing attacks.
Awareness and Training: Educate users about the risks of phishing and teach them to recognize suspicious links and websites. A critical security best practice is to ensure employees don't click on links. If an email requests a login to Microsoft 365, only a known URL should be used to log in. Always review the URL you are visiting.
Conditional Access Policies: Implement conditional access policies that mandate the use of compliant devices and add an extra layer of security.
Managed Security Services: Managed Service Providers (MSPs) provide organizations with the technological leadership and tools necessary to keep businesses secure today. An MSP can implement all the above-noted modern security defenses to prevent man-in-the-middle attacks and, as threats evolve, an MSP will ensure you have the best defenses in place.
EvilGinx represents a sophisticated advancement in phishing techniques, demonstrating the importance of continuous security hardening to counteract evolving threats. Reach out to us to learn more about our Managed IT and Security Services.