In this blog post, I demonstrate how to use an Adversary-in-the-Middle (AiTM) phishing attack to capture a user's session token, utilising a tool called Evilginx. There are several methods to protect against such attacks, and I will be concentrating on phishing resistant MFA.

IMPORTANT DISCLAIMER:
The user accounts involved are demo users. The information provided in this blog post is intended for educational and demonstration purposes only. Evilginx is a powerful tool that can be used to steal session tokens, which can lead to unauthorised access to user accounts. This tool should only be used for legitimate penetration testing on systems where you have explicit permission to do so. Unauthorised use of Evilginx or any similar tool is illegal and unethical, and can result in severe legal consequences. Always ensure you have proper authorisation before conducting any security testing.
What is Evilginx?
Evilginx is an advanced phishing framework that bypasses multi-factor authentication (MFA) protections by capturing session tokens. It operates as an Adversary-in-the-Middle (AiTM) reverse proxy, sitting between the victim and the legitimate service, relaying the real login pages to the victim and recording the credentials and session cookies that pass through it. Unlike traditional phishing attacks that only trick users into divulging their passwords, Evilginx obtains the post-authentication session token, so an attacker can log in as the user without entering credentials or completing MFA again. This makes it a powerful tool for penetration testers and security researchers who need to assess the resilience of their systems against such attacks; however, it can also be used by bad actors.
Here's how it works in a few steps:
- Attackers host a lookalike login page on a domain they control, such as a proxied copy of the Microsoft, Google or Facebook sign-in page.
- When users enter their credentials, Evilginx captures them and forwards them to the real site, so the login looks and behaves like a normal sign-in.
- The MFA prompt is relayed to the real service in the same way, so a one-time code or push approval completed by the user produces a valid session, and Evilginx captures the session cookie the service issues.
This makes Evilginx particularly dangerous because of its capabilities to bypass security measures like MFA.
To protect yourself, always verify the URL of the login page, use phishing resistant MFA, and be cautious of unexpected login requests.
Let's dig deeper and understand the process via the diagram below.
How does Adversary-in-the-Middle (AiTM) take place using Evilginx

Now, let’s see the process in action
Note: I’ve already installed and configured the Evilginx application.
Let’s explore how Evilginx can capture a user’s session token and gain access to data.
1. I launch Evilginx on my server

2. I type:
lures create microsoft365
lures get-url 0

3. I copy the fake URL as shown in the image above. A bad actor now needs the user to click this fake URL, typically delivered via a phishing email.
For the purpose of this demo, let’s assume that a user has clicked the link which was sent to them via a phishing email.
I launch a browser and type the fake login page url.
Question: Can you locate anything suspicious in the image below?

In case you were not able to locate the suspicious disguise, check the website address. The letter o after micros has been replaced with a zero.
Bad actors use such cloned login pages, which can look convincing and genuine. It's important that we continue to educate and remind ourselves about phishing attacks.
WARNING: Please do not access the fake url above on your device
4. Ok, so now the user logs in. I am going to use a demo account.
- My demo account is ceo@imranrashid.co.uk
- The account is protected with MFA via the Microsoft Authenticator app, which is not phishing resistant MFA.
I’m going to login to the fake page. The Evilginx application is listening in and recording logs.

5. I click next and I am prompted to enter my password to authenticate with Entra ID.

6. I enter my username and password, click sign in and go through MFA when prompted. I do not have phishing resistant MFA enabled yet.
I am logged in and then automatically signed out, but the required information has already been captured by the Evilginx tool.

7. Let’s see what I get with Evilginx

8. I have the user credentials including username and password

Evilginx has captured the user's authenticated session, meaning the session cookies issued after MFA was completed. Let's dig a little deeper.
9. I type sessions and can see that the username, password and session token have been captured.

10. I type sessions 13 and press enter
11. Here is the captured session token.

12. Next, I am going to replay this stolen token. I highlight and copy the text.
13. I have downloaded Firefox and installed a cookie editor extension.
14. I launch Firefox and access office.com

15. I click the Sign in button and I am redirected to the Microsoft login page

16. I clear all the cookie information in the cookie editor extension.

17. Inside the Cookie editor extension, I click the option to import and paste the session cookie I copied earlier. I then click import again.

18. The session cookie has been loaded

19. I now refresh the page and I have access

20. I have access to the user apps

21. I have access to the user data

22. I have access to the user email

Phishing resistant MFA
Now, I'll go through the same process again, but this time I have enabled phishing resistant MFA for the account ceo@imranrashid.co.uk. I have used a passkey. If you wish to learn more, please visit the following blog post, Part 1 – What is a FIDO2 key and How to Set One Up for Emergency Access in Entra ID | Cloud Build
1. I am back at the fake login page. I type my username and click next, but instead of entering a password, I select the option Use your face, fingerprint, PIN, or security key instead as shown in the image below.

2. I am prompted for a security key on the fake URL, as shown in the image below. My passkey is bound to the real relying party ID, login.microsoft.com, and the browser will only offer it to a page whose origin matches that RP ID. The phishing page is served from login.micr0soft.com, which does not match, so no assertion is produced. The user is unable to authenticate, and Evilginx never receives the session token it is trying to capture.
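The origin binding that stops the passkey from working on login.micr0soft.com can be shown in code. The following is an added example, not code from the original post or from Evilginx: it implements the browser-side RP ID rule and the relying-party-side origin and rpIdHash checks from the WebAuthn assertion verification procedure, using constructed clientDataJSON and authenticatorData rather than real captures. The RP ID login.microsoft.com and the lookalike host are the ones named on this page; signature verification is deliberately left out, so a real relying party must still verify the signature over authenticatorData || SHA-256(clientDataJSON) with the stored public key.

```python
import base64
import hashlib
import json
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Origins and RP ID from the page. The "phish" origin is the lookalike domain
# Evilginx served the proxied login page from.
REAL_ORIGIN = "https://login.microsoft.com"
PHISH_ORIGIN = "https://login.micr0soft.com"
RP_ID = "login.microsoft.com"


def rp_id_allowed_for_origin(rp_id: str, origin: str) -> bool:
    """Browser-side WebAuthn rule: the requested RP ID must equal the page's
    effective domain or be a registrable suffix of it. A page on
    login.micr0soft.com cannot request credentials for login.microsoft.com,
    so the authenticator is never asked for the passkey."""
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as a browser would build it for a get()
    ceremony at `origin`. The browser, not the page, fills in the origin."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
    }).encode()


def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """Constructed minimal authenticatorData: rpIdHash(32) || flags(1) || signCount(4).
    The authenticator signs over these bytes, so the rpIdHash cannot be altered
    by a proxy without invalidating the signature."""
    flags = 0x05  # UP (user present) | UV (user verified)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_binding(client_data_json: bytes, auth_data: bytes, expected_origin: str,
                   expected_rp_id: str, expected_challenge: bytes) -> Tuple[bool, str]:
    """Relying-party checks that give passkeys their phishing resistance.
    Returns (ok, reason). Signature verification is omitted (see lead-in)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match expected RP ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "origin and RP ID bound to the real site"


def demo() -> Dict[str, object]:
    """Run both ceremonies: one from the real origin, one as an AiTM proxy
    would have to present it (clientDataJSON carrying the lookalike origin)."""
    challenge = b"\x01" * 32  # constructed; a real RP uses fresh random bytes per login
    auth = make_authenticator_data(RP_ID)
    return {
        "browser_allows_rpid_on_real_site": rp_id_allowed_for_origin(RP_ID, REAL_ORIGIN),
        "browser_allows_rpid_on_phish_site": rp_id_allowed_for_origin(RP_ID, PHISH_ORIGIN),
        "real": verify_binding(make_client_data(REAL_ORIGIN, challenge), auth, REAL_ORIGIN, RP_ID, challenge),
        "phish": verify_binding(make_client_data(PHISH_ORIGIN, challenge), auth, REAL_ORIGIN, RP_ID, challenge),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two independent layers fail the attack. First, the browser refuses to use a credential scoped to login.microsoft.com from a page on login.micr0soft.com, which is what the user experienced in the screenshot. Second, even if a proxy could obtain an assertion, the origin inside clientDataJSON is written by the browser and covered by the authenticator's signature, so the real relying party would reject it with the origin mismatch shown by the second ceremony above. Contrast this with the Authenticator app flow earlier in the post, where nothing in the code or push approval is tied to the page the user is looking at.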


No sessions saved by the Evilginx app

I hope this post was useful. Thanks for reading and see you at the next one.