Hackers Leverage Evilginx to Undermine MFA Security Mimicking Legitimate SSO Sites

Hackers are turning to Evilginx, a powerful adversary-in-the-middle tool, to get around multi-factor authentication and take over cloud accounts.

The framework acts as a reverse proxy between the victim and real single sign-on pages, so the login screen looks and behaves just like the real thing.

To the user, the fake site feels normal, with valid TLS and familiar branding. Attackers start with targeted phishing emails that push victims to carefully crafted fake SSO portals.

These pages copy the layout, scripts, and flows of common identity platforms, including enterprise SSO gateways. Once the user enters credentials and completes MFA, Evilginx quietly captures session cookies and tokens while still passing traffic to the real provider.

This shows the staged relay from the victim to the identity provider. Infoblox security analysts identified recent campaigns where Evilginx was used to mimic legitimate corporate SSO sites and steal tokens for email and collaboration platforms.

A timeline of SSO phishing attacks against higher educational institutions (Source - Infoblox)

They noted that the stolen cookies allow attackers to replay sessions without ever needing passwords or MFA codes again. This shifts the risk from classic credential theft to full session hijack.
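One defender-side check that follows from this: a session that completed MFA from one IP and browser and is then used from a different IP and browser a few minutes later is the signature of cookie replay rather than a fresh login. The script below is an added example (not from the Infoblox report or the Evilginx project) that runs that check over constructed sign-in log lines; the JSON field names are an assumption, real identity-provider logs carry the same information under other names.

```python
"""Flag possible session-cookie replay in sign-in/activity logs.

Added example, not from the Infoblox report or the Evilginx project.
Assumed log format: one JSON object per line with ts, user, session,
ip, ua and event fields (names are an assumption for this example).
"""
import json
from datetime import datetime, timedelta

# Constructed sample: alice logs in and reads mail from her own browser;
# the third line reuses her session from a new IP and browser 12 minutes
# later, which is what a replayed Evilginx-captured cookie looks like.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:00Z","user":"alice","session":"s1","ip":"203.0.113.10","ua":"Chrome/124 Windows","event":"login"}
{"ts":"2024-05-01T09:05:00Z","user":"alice","session":"s1","ip":"203.0.113.10","ua":"Chrome/124 Windows","event":"mail.read"}
{"ts":"2024-05-01T09:12:00Z","user":"alice","session":"s1","ip":"198.51.100.7","ua":"Firefox/125 Linux","event":"mail.read"}
{"ts":"2024-05-01T10:00:00Z","user":"bob","session":"s2","ip":"192.0.2.5","ua":"Safari/17 macOS","event":"login"}
{"ts":"2024-05-01T10:30:00Z","user":"bob","session":"s2","ip":"192.0.2.5","ua":"Safari/17 macOS","event":"mail.read"}
"""


def parse_log(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return one alert per event where a session is used from BOTH a
    different IP and a different user agent than the ones that first
    established it, within `window` of that first use. An IP change alone
    is often roaming; IP and browser changing together on a live session
    is the replay pattern worth paging on."""
    first_seen = {}  # session id -> (first timestamp, (ip, ua))
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        sid = e["session"]
        if sid not in first_seen:
            first_seen[sid] = (ts, (e["ip"], e["ua"]))
            continue
        t0, (ip0, ua0) = first_seen[sid]
        if e["ip"] != ip0 and e["ua"] != ua0 and ts - t0 <= window:
            alerts.append({"user": e["user"], "session": sid, "ts": e["ts"],
                           "origin_ip": ip0, "new_ip": e["ip"], "new_ua": e["ua"]})
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample above the check fires once, for alice's session seen from 198.51.100.7 with a different browser; bob's session, used consistently from one device, is not flagged.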

The impact is serious for both companies and users. With an active session token, attackers can read mail, reset passwords on linked apps, deploy new MFA methods, and plant backdoor access.

Attack analysis

This can lead to business email compromise, data theft, and long-term stealth access that is hard to trace back to the first phishing click. The attack flow diagram shows how stolen cookies unlock downstream services.

Attack flow (Source - Infoblox)

One key focus in the complete technical breakdown is how Evilginx evades detection during this process.

The framework forwards all content from the real SSO site, including scripts, styles, and dynamic prompts, which makes traditional visual checks almost useless.

It also uses real certificates on lookalike domains, so browser padlocks still appear green and reassuring.

Under the hood, Evilginx proxies and rewrites headers to keep the session alive while stripping out sensitive cookies for theft.

A simple, high-level phishlet (sketched here as reverse-proxy directives) can look like:

server_name login.example.com;
proxy_pass https://login.real-sso.com;
proxy_set_header Host login.real-sso.com;

By logging cookies at the proxy layer, attackers grab session data before it is protected by the user’s device or corporate tools.

Universities targeted by the Evilginx actor (Source - Infoblox)

This shows how headers and cookies flow through the proxy, highlighting the points where tokens are intercepted.
