Microsoft announces FREE GitHub Copilot for VS Code

Reading Time: < 1 minute


A quick post to share some great news!

Microsoft has announced an all-new free plan for GitHub Copilot, available to everyone today in VS Code. All you need is a GitHub account.

  • No trial
  • No subscription
  • No credit card required

GitHub Copilot is an AI coding assistant that helps you write code faster and with less effort, allowing you to focus more energy on problem solving and collaboration. GitHub Copilot has been proven to increase developer productivity and accelerate the pace of software development.

With GitHub Copilot FREE you get 2000 code completions/month. That’s about 80 per working day, which is a lot. You also get 50 chat requests/month, as well as access to both GPT-4o and Claude 3.5 Sonnet models.

If you hit these limits, ideally it’s because Copilot is doing its job well, which is to help you do yours! If you find you need more Copilot, the paid Pro plan for $10 per month is unlimited and provides access to additional models like o1 and Gemini (coming in the new year 2025). There are also other plans on offer, such as Business and Enterprise.

For more information, visit the following Microsoft link: http://aka.ms/copilot-free

Enjoy! 🙂

User Guide: How to register passkeys in Microsoft Authenticator and physical passkeys

Reading Time: 4 minutes


In this blog post, I walk through the steps to:

  • Enable passkeys in the Microsoft Authenticator app using an iPhone
  • Set up a passkey via a physical YubiKey 5 (USB-C)

Note: This post is targeted at users who want to set up passkeys in the Microsoft Authenticator app or register a physical key. Your administrators must have enabled the capability to use passkeys before you can complete the steps below. To use passkeys via the Authenticator app, you need Android 14 or later, or iOS 17 or later (at the time of writing this post). Additionally, make sure that your Microsoft Authenticator app is updated to the latest version.

If you wish to learn more about how passkeys work, check out my post at: Part 1 – What is a FIDO2 key and How to Set One Up for Emergency Access in Entra ID | Cloud Build


Configure Passkeys in the Microsoft Authenticator App on an iPhone

  1. Access https://mysignins.microsoft.com and log in

  2. Click Security info in the left pane

  3. Click + Add sign-in method

  4. Click the option Passkey in Microsoft Authenticator

  5. You may be prompted to go through MFA before you are able to add a new sign-in method. Complete it, then continue to step 6.

  6. Read the prerequisites and click Next

  7. Don’t click Next just yet. First follow the instructions shown on your screen:

    • Open the Microsoft Authenticator app on your phone. Tap the account/email address you will be setting this passkey up for. Keep the app open while you proceed with the setup.
    • Tap Create a passkey. If this option does not appear, make sure you meet the prerequisites mentioned at the beginning of this post.

  8. You will be prompted to sign in. Click the Sign in button and log in

  9. If this is the first time you are setting up a passkey via the Microsoft Authenticator app, you’ll be prompted to enable a couple of settings on your phone before you are allowed to continue.

  10. The configuration on the phone is done. Continue to step 11 below.

  11. Return to your laptop/desktop and click Next to complete the process.

That’s it. If you’re interested in configuring a physical key, such as a YubiKey, the next section goes through the process.


Configure a passkey via a physical YubiKey 5 (USB-C)

  1. Access https://mysignins.microsoft.com and log in

  2. Click Security info in the left pane

  3. Click + Add sign-in method

  4. Click the option Security key

  5. You may be prompted to go through MFA before you are able to add a new sign-in method. Complete it, then continue to step 6.

  6. Select the type of security key. I select USB device

  7. Have your physical key ready; after clicking Next, you’ll be prompted to plug it in.

  8. Click Next and then select Security key (if this option does not appear, click Other ways to sign in and then click Security key). Click Next.

  9. Read and click OK

  10. Read and click OK

  11. You will be prompted to insert your physical key

  12. You will be prompted to create a new PIN

  13. Your physical YubiKey will flash and you will be prompted to place your finger on it

  14. Passkey saved, click OK

  15. Finally, you will be prompted to give your physical key a name so you can easily identify it.

  16. Done


I hope you found this post useful. Catch you at the next one.

The Evilginx Threat: Protecting Your Credentials with Phishing Resistant MFA

Reading Time: 6 minutes


In this blog post, I demonstrate how an Adversary-in-the-Middle (AiTM) phishing attack captures a user’s session token, using a tool called Evilginx. There are several ways to protect against such attacks; I will concentrate on phishing resistant MFA.


IMPORTANT DISCLAIMER:
The user accounts involved are demo users. The information provided in this blog post is intended for educational and demonstration purposes only. Evilginx is a powerful tool that can be used to steal session tokens, which can lead to unauthorised access to user accounts. This tool should only be used for legitimate penetration testing on systems where you have explicit permission to do so. Unauthorised use of Evilginx or any similar tool is illegal and unethical, and can result in severe legal consequences. Always ensure you have proper authorisation before conducting any security testing.


What is Evilginx?
Evilginx is an advanced phishing framework that bypasses multi-factor authentication (MFA) protections by capturing session tokens. It operates as an Adversary-in-the-Middle (AiTM) proxy, intercepting communication between a victim and a legitimate service to steal authentication credentials and session tokens. Unlike traditional phishing attacks that trick users into divulging their passwords, Evilginx captures both the credentials and the authenticated session token, enabling attackers to log in without entering user credentials. This makes it a powerful tool for penetration testers and security researchers who need to assess the resilience of their systems against such sophisticated attacks; however, it can also be used by bad actors.

Here’s how it works in a few steps:

  1. Attackers create fake login pages that look almost identical to legitimate ones, such as login pages for Microsoft, Google, Facebook and more.

  2. When users enter their credentials, Evilginx captures them and forwards them to the real site, making it seem like a normal login process.

  3. It can also intercept multi-factor authentication (MFA) codes, allowing attackers to gain unauthorised access.

This makes Evilginx particularly dangerous because of its capabilities to bypass security measures like MFA.

To protect yourself, always verify the URL of the login page, use phishing resistant MFA, and be cautious of unexpected login requests.

Let’s dig deeper and understand the process via the diagram below.

How does Adversary-in-the-Middle (AiTM) take place using Evilginx?


Now, let’s see the process in action

Note: I’ve already installed and configured the Evilginx application.

Let’s explore how Evilginx can capture a user’s session token and gain access to data.

  1. I launch Evilginx on my server


2. I type:

lures create microsoft365
lures get-url 0



3. I copy the fake URL shown in the image above. A bad actor now needs a user to click this fake URL, which could be delivered via a phishing email.

For the purpose of this demo, let’s assume that a user has clicked the link which was sent to them via a phishing email.

I launch a browser and type the fake login page URL.

Question: Can you locate anything suspicious in the image below?


In case you were not able to spot the disguise, check the website address: the letter o after "micros" has been replaced with a zero.

Bad actors will use such cloned login pages which sometimes look convincing and genuine. It’s important that we continue to educate and remind ourselves about phishing attacks.

WARNING: Please do not access the fake URL above on your device.

4. Ok, so now the user logs in. I am going to use a demo account.

  • My demo account is ceo@imranrashid.co.uk
  • The account is protected with MFA via the Microsoft Authenticator app. Not phishing resistant MFA at the moment.

I’m going to login to the fake page. The Evilginx application is listening in and recording logs.


5. I click next and I am prompted to enter my password to authenticate with Entra ID.


6. I enter my username, password, click sign in and go through MFA when prompted. I do not currently have phishing resistant MFA enabled as yet.

I am logged in and then auto signed out, but the required information has been captured by the Evilginx tool.


7. Let’s see what I get with Evilginx


8. I have the user credentials including username and password


Evilginx has captured the user’s session which includes MFA acceptance. Let’s dig a little deeper.

9. I type sessions and can see that the username, password and token have been captured.


10. I type sessions 13 and press enter

11. Here is the captured session token.


12. Next, I am going to replay this stolen token. I highlight and copy the text.

13. I have downloaded Firefox and installed a cookie editor extension.

14. I launch Firefox and access office.com


15. I click the Sign in button and I am redirected to the Microsoft login page

16. I clear all the cookie information in the cookie editor extension.


17. Inside the Cookie editor extension, I click the option to import and paste the session cookie I copied earlier. I then click import again.


18. The session cookie has been loaded


19. I now refresh the page and I have access


20. I have access to the user apps


21. I have access to the user data


22. I have access to the user email



Phishing resistant MFA


Now, I’ll go through the same process again, but this time I have enabled phishing resistant MFA for the account ceo@imranrashid.co.uk. I have used a passkey. If you wish to learn more, please visit the following blog post, Part 1 – What is a FIDO2 key and How to Set One Up for Emergency Access in Entra ID | Cloud Build

  1. I am back at the fake login page. I type my username and click next, but instead of entering a password, I select the option Use your face, fingerprint, PIN, or security key instead as shown in the image below.


2. I am prompted for a security key on the fake URL, as shown in the image below. My passkey is registered to the real domain, login.microsoft.com, and not login.micr0soft.com, so the authentication cannot complete and Evilginx never receives the session token it is trying to capture.


No sessions saved by the Evilginx app
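As an added illustration (not code from the post), the following Python simulation shows the two checks that made step 2 fail: the browser only releases a credential for the rpId of the site it is actually on, and the relying party verifies the origin and rpIdHash it receives. The hostnames come from the post; the signature is modelled with an HMAC stand-in for the authenticator's private key, and the rpId suffix rule is simplified.

```python
import hashlib, hmac, json, os

# Constructed simulation (not the post's code) of why the passkey could not be used on the
# cloned page. Hostnames come from the post; HMAC stands in for the authenticator's ECDSA
# private key so the example runs with the standard library only.
RP_ID = "login.microsoft.com"
RP_ORIGIN = "https://login.microsoft.com"

class Passkey:
    """A registered credential: bound to one rpId, with a key that never leaves the device."""
    def __init__(self, rp_id: str):
        self.rp_id, self._key = rp_id, os.urandom(32)  # key is a stand-in for the private key

    def _mac(self, auth_data: bytes, client_data: bytes) -> bytes:
        msg = auth_data + hashlib.sha256(client_data).digest()  # exactly what WebAuthn signs
        return hmac.new(self._key, msg, "sha256").digest()

    def sign(self, client_data: bytes):
        auth_data = hashlib.sha256(self.rp_id.encode()).digest() + b"\x05"  # rpIdHash || flags
        return auth_data, self._mac(auth_data, client_data)

    def verify(self, auth_data: bytes, client_data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self._mac(auth_data, client_data), sig)

def browser_get_assertion(page_origin: str, rp_id: str, passkey: Passkey, challenge: str):
    """Browser rules (simplified): rpId must be the page host or a suffix of it, the credential
    must belong to that rpId, and the real origin is written into clientDataJSON, which neither
    page scripts nor an AiTM proxy can alter. The proxy may forward the real rpId or rewrite it
    to its own host; either way the post's passkey is not usable on login.micr0soft.com."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)) or passkey.rp_id != rp_id:
        return None  # no usable credential on this site: nothing is signed
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data, sig = passkey.sign(client_data)
    return auth_data, client_data, sig

def rp_verify(assertion, passkey: Passkey, challenge: str) -> bool:
    """Relying party: origin, challenge, rpIdHash and signature must all check out."""
    if assertion is None:
        return False
    auth_data, client_data, sig = assertion
    cd = json.loads(client_data)
    return (cd["origin"] == RP_ORIGIN and cd["challenge"] == challenge
            and auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()
            and passkey.verify(auth_data, client_data, sig))
```

Password-plus-authenticator MFA has no equivalent binding to the origin, which is why the earlier run handed Evilginx a usable session.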

I hope this post was useful. Thanks for reading and see you at the next one.