
Cybercriminals Use Evilginx to Bypass MFA: Gmail, Outlook, and Yahoo Among Top Targets

September 19, 2024

Evilginx is a tool widely used in phishing campaigns to bypass MFA. It operates as a man-in-the-middle (MITM) proxy, enabling attackers to intercept and manipulate traffic between users and legitimate websites. By doing so, cybercriminals can steal login credentials, session cookies, and other sensitive information.

Evilginx is typically used in attacker-in-the-middle (AiTM) attacks, a clever form of phishing that outsmarts MFA protections that would otherwise prevent unauthorized access to online accounts.

Traditional phishing techniques often deceive users into revealing their usernames and passwords. While MFA adds an extra layer of security by requiring an additional authentication factor, attackers can still bypass it using tools like Evilginx. By capturing session cookies—which validate a user’s session after MFA is completed—Evilginx renders the MFA step ineffective, allowing unauthorized access.

Attacker In-The-Middle (AiTM) Attacks

In an AiTM attack, the cybercriminal sets up a phishing website that mirrors a legitimate one. When an unsuspecting user enters their login credentials and MFA token, Evilginx captures the information and forwards it to the legitimate website in real time, allowing the attacker to gain access without detection.

The user successfully logs in, none the wiser, while the attacker also gains access to the same session. The key difference between traditional phishing and AiTM attacks is that the latter doesn’t just steal credentials—it hijacks authenticated sessions, allowing cybercriminals to bypass MFA entirely.

Figure: Illustration of an attack using Evilginx

For example, an attacker might create a fake login page for an online banking service. When the victim enters their username, password, and MFA token, the attacker—using Evilginx as a proxy—relays that information to the real bank’s website. Once authenticated, the attacker captures the session cookies and can then use those cookies to impersonate the victim in future interactions with the bank, even after the MFA process has been completed.
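The bank scenario above ends with a stolen session cookie being replayed from the attacker's own browser. One server-side signal defenders can use is a mismatch between the client that completed MFA and the client later presenting the same session cookie. The following Python is an added example, not code from the original post or from Evilginx; the auth-log layout, field names and sample events are constructed assumptions.

```python
"""Flag MFA-validated session cookies that are later presented from a client
fingerprint (IP address + user agent) different from the one recorded when
MFA completed.  Added example; the log format below is a constructed assumption."""

# Constructed sample auth-log events a web application might emit.
# Each tuple: (timestamp, event_type, user, session_id, client_ip, user_agent)
SAMPLE_EVENTS = [
    ("2024-09-19T08:00:01Z", "login_password_ok", "alice", "s-1",
     "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/128"),
    ("2024-09-19T08:00:12Z", "mfa_ok", "alice", "s-1",
     "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/128"),
    ("2024-09-19T08:05:00Z", "request", "alice", "s-1",
     "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/128"),
    # Same cookie presented later from a different address and browser:
    # the pattern left behind when a captured cookie is imported elsewhere.
    ("2024-09-19T09:41:30Z", "request", "alice", "s-1",
     "198.51.100.77", "Mozilla/5.0 (X11; Linux x86_64) Firefox/130"),
    ("2024-09-19T09:42:05Z", "change_recovery_email", "alice", "s-1",
     "198.51.100.77", "Mozilla/5.0 (X11; Linux x86_64) Firefox/130"),
    # A normal session that never changes client: produces no finding.
    ("2024-09-19T10:00:00Z", "mfa_ok", "bob", "s-2",
     "192.0.2.5", "Mozilla/5.0 (iPhone) Safari/17"),
    ("2024-09-19T10:30:00Z", "request", "bob", "s-2",
     "192.0.2.5", "Mozilla/5.0 (iPhone) Safari/17"),
]

# Actions whose execution from a changed client should be escalated immediately.
SENSITIVE_ACTIONS = {"change_recovery_email", "change_password",
                     "add_mfa_device", "transfer_funds"}


def detect_session_reuse(events):
    """Return one finding per event in which a session cookie is used from a
    client that differs from the client seen at MFA completion.

    Finding: (session_id, user, timestamp, event_type, severity, reason)
    """
    origin = {}      # session_id -> (ip, user_agent) captured at mfa_ok
    findings = []
    for ts, ev, user, sid, ip, ua in events:
        if ev == "mfa_ok":
            # Bind the session to the client that passed the second factor.
            origin[sid] = (ip, ua)
            continue
        if sid not in origin:
            continue     # pre-MFA traffic or unknown session; nothing to compare
        o_ip, o_ua = origin[sid]
        reasons = []
        if ip != o_ip:
            reasons.append(f"ip {o_ip}->{ip}")
        if ua != o_ua:
            reasons.append("user-agent changed")
        if not reasons:
            continue
        # Both attributes changing, or a sensitive action, is a strong signal;
        # an IP change alone can be a mobile network or VPN hop.
        severity = "high" if (ev in SENSITIVE_ACTIONS or len(reasons) == 2) else "medium"
        findings.append((sid, user, ts, ev, severity, "; ".join(reasons)))
    return findings


def sessions_to_revoke(findings):
    """Session IDs with at least one high-severity finding: candidates for
    forced logout plus a fresh MFA challenge."""
    return {f[0] for f in findings if f[4] == "high"}


if __name__ == "__main__":
    for finding in detect_session_reuse(SAMPLE_EVENTS):
        print(finding)
    print("revoke:", sessions_to_revoke(detect_session_reuse(SAMPLE_EVENTS)))
```

Note the caveat this check carries: during the phished login itself, the legitimate site sees the proxy's address for both the password and the MFA step, so the bound origin may already be the attacker's infrastructure. What the check catches is the later divergence, when the captured cookie is used from another client. Treat a lone IP change as a risk signal to combine with geography or ASN data, not as proof of compromise.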

How Cybercriminals Use Evilginx

Evilginx has become a valuable tool for cybercriminals involved in phishing campaigns. One of the main reasons it’s so popular is its open-source nature, allowing anyone to download, modify, and use it. While Evilginx was initially designed for penetration testing and ethical hacking, it has been co-opted by cybercriminals for malicious purposes.

Attackers typically configure Evilginx to mimic high-value targets such as online banking portals, cloud service providers, email platforms, and social media sites. These platforms often rely on MFA as a security measure, and Evilginx offers a way to bypass that protection.

Figure: Custom price list for Evilginx configurations

Once the attacker captures the victim’s credentials and session cookies, they can log into the victim’s account, change security settings, move funds, or steal sensitive data—all without triggering the MFA alerts that would typically warn the user of unauthorized access.

Evilginx has also become a service that cybercriminals sell to each other.

Figure: Advertisement for Evilginx phishlets

Some attackers do not have the technical know-how to configure Evilginx themselves. As a result, cybercrime communities now offer services to set up and configure Evilginx phishing campaigns, often as a turnkey solution. These services can include customized phishing pages, hosting, and even automation for harvesting credentials and session cookies.

Star Blizzard APT Group and Evilginx

One prominent example of cybercriminal use of Evilginx comes from the Star Blizzard APT (advanced persistent threat) group, which has been linked to Russia’s FSB (Federal Security Service).

In a report by the UK's National Cyber Security Centre (NCSC), Star Blizzard was revealed to have been using Evilginx in spear-phishing campaigns targeting high-profile individuals and organizations.

The group’s primary tactic involves sending highly tailored phishing emails to targets. These emails direct victims to fake login pages that mirror legitimate services such as email providers, cloud platforms, or government portals.

Figure: NCSC attributing Evilginx usage to the Star Blizzard APT group

Once the victim logs in, Star Blizzard uses Evilginx to capture their credentials and session cookies.

This allows them to bypass the MFA process entirely. The stolen session cookies enable the group to maintain persistent access to the victim’s accounts, even if MFA is enforced. Star Blizzard's use of Evilginx demonstrates the tool’s potency in real-world cyber espionage and nation-state-sponsored hacking campaigns.

Protect Your Organization From AiTM Attacks

It's no surprise that tools like Evilginx, originally developed for ethical penetration testing, have been repurposed by cybercriminals to bypass security measures like MFA.

This is a common trend in cybersecurity, where legitimate tools are weaponized to launch attacks.

Evilginx is particularly dangerous because it allows attackers to intercept credentials and session cookies, effectively bypassing MFA and giving them full access to user accounts. This makes traditional defenses, such as basic MFA, insufficient in protecting against today’s phishing threats.

Abnormal is designed to tackle this very problem. Using advanced artificial intelligence and machine learning, the Abnormal platform can detect and block even the most sophisticated phishing emails—before they reach your inbox.

Unlike traditional security tools that rely on static rules or known threat signatures, Abnormal analyzes behavioral patterns, communication history, and the context of each email to identify and neutralize attacks in real time.

Interested in learning more about Abnormal’s AI-powered solution? Schedule a demo today.
