evilginx2

Malware

⚠️ Overview

Evilginx2 is a man-in-the-middle (MITM) phishing framework written by security researcher Kuba Gretzky (known online as mrgretzky). The original Evilginx, built on nginx, was published in 2017; evilginx2, a standalone rewrite in Go, followed in 2018. It is a credential-harvesting and session-hijacking tool rather than self-propagating malware, but threat actors use it to bypass multi-factor authentication (MFA) on services such as Microsoft 365 and Google Workspace. The tool is open source and works as a transparent reverse proxy: the victim interacts with the real login page through the attacker's server, which records the submitted credentials and the session cookies the service issues once the MFA step has succeeded.

🔧 Technical Capabilities

Evilginx2 runs a reverse proxy on a domain the attacker controls. The victim's browser connects to that domain over TLS (evilginx2 obtains certificates from Let's Encrypt automatically, so the padlock is valid), and the proxy opens its own connection to the legitimate service, relaying every request and response while rewriting hostnames so that links, redirects and cookie Domain attributes point back at the phishing domain. Because TLS is terminated on the proxy, submitted usernames, passwords and OTP codes, and the session cookies the service sets after a successful MFA step, are all visible to it in the clear; the captured cookies are then imported into the attacker's browser to take over the session. Per-target behaviour is defined in YAML "phishlets" for dozens of SaaS platforms, and victims are sent "lure" URLs; requests that do not carry a valid lure path, or that originate from IP ranges on the tool's blacklist, are redirected or answered with a 404 to frustrate scanners. The attacker typically hosts the tool on a VPS behind a lookalike domain (homoglyphs, added words such as "auth" or "secure", or the brand name in a subdomain). Persistence is not a property of the tool: it is a server-side application and installs nothing on the victim's machine. Operators evade takedown and reputation checks by rotating IPs, using mainstream cloud hosting providers, and fronting the proxy with CDNs such as Cloudflare. In MITRE ATT&CK terms the attack is Adversary-in-the-Middle (T1557) delivered via a spearphishing link (T1566.002), followed by Steal Web Session Cookie (T1539) and, where OAuth tokens are proxied, Steal Application Access Token (T1528).
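The rewriting and cookie capture described above, reduced to a single upstream response, as an added example. This is not evilginx2 code and has no network component: it models what any reverse-proxy phishing kit must do to one HTTP response after terminating TLS. The hostnames, cookie names and the response text are constructed for the example.

```python
"""Offline model of the core of a reverse-proxy (AiTM) phishing kit.
Added illustration, not evilginx2 source. Every domain, cookie name and
header below is constructed for the example."""

# Assumed hostnames: the real identity provider and the attacker's lookalike.
# Longest names are replaced first so "login.x.com" is not mangled by "x.com".
HOST_MAP = {
    "login.example-idp.com": "login.example-idp-auth.com",
    "example-idp.com": "example-idp-auth.com",
}

# Phishlet-style list of the cookies that together constitute a session.
SESSION_COOKIE_NAMES = {"ESTSAUTH", "SESSID"}

# Constructed upstream response: what the real IdP returns after the MFA step.
# The proxy holds its own TLS certificate for the lookalike domain, so it
# sees this in the clear before the browser does.
UPSTREAM_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://login.example-idp.com/home\r\n"
    "Set-Cookie: ESTSAUTH=abc123; Domain=.example-idp.com; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: nonce=xyz; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<a href='https://login.example-idp.com/home'>continue</a>"
)


def parse_response(raw):
    """Split a raw HTTP response into status line, [(name, value)], body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def rewrite_hosts(text, host_map):
    """Replace legitimate hostnames with the phishing ones (longest first)."""
    for legit, phish in sorted(host_map.items(), key=lambda kv: -len(kv[0])):
        text = text.replace(legit, phish)
    return text


def proxy_response(raw, host_map=HOST_MAP, session_cookie_names=SESSION_COOKIE_NAMES):
    """Return (response_as_sent_to_victim, captured_session_cookies).

    Two things happen to every upstream response:
    1. Session cookies are recorded before they reach the victim's browser.
    2. Hostnames in Location, Set-Cookie Domain= and the body are rewritten,
       otherwise the browser would drop the cookie (Domain mismatch) or follow
       a redirect straight back to the real site and out of the proxy.
    """
    status, headers, body = parse_response(raw)
    captured = {}
    out_headers = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name, _, rest = value.partition("=")
            cookie_name = cookie_name.strip()
            if cookie_name in session_cookie_names:
                captured[cookie_name] = rest.split(";", 1)[0]
            value = rewrite_hosts(value, host_map)
        elif name.lower() in ("location", "content-security-policy"):
            value = rewrite_hosts(value, host_map)
        out_headers.append((name, value))
    body = rewrite_hosts(body, host_map)
    rewritten = (
        status + "\r\n"
        + "\r\n".join(f"{n}: {v}" for n, v in out_headers)
        + "\r\n\r\n" + body
    )
    return rewritten, captured


def replay_cookie_header(captured):
    """The Cookie header the attacker's own browser would send to the real
    site to resume the victim's session without ever touching MFA."""
    return "Cookie: " + "; ".join(f"{k}={v}" for k, v in captured.items())


if __name__ == "__main__":
    sent, stolen = proxy_response(UPSTREAM_RESPONSE)
    print(sent)
    print("captured:", stolen)
    print(replay_cookie_header(stolen))
```

Note that the same rewriting runs in the other direction on requests (Host and Origin headers, form bodies), which is why the legitimate service sees a perfectly ordinary login, but from the proxy's IP address rather than the victim's.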

📜 History & Notable Incidents

After its release, evilginx2 became popular with red teams and cybercriminals alike because it defeats OTP and push-based MFA without any exploit. The same reverse-proxy design has since been packaged into commercial phishing-as-a-service kits, and CISA's 2022 guidance on phishing-resistant MFA cites this class of adversary-in-the-middle attack as the reason to move to FIDO/WebAuthn authenticators. In 2022 the threat group tracked as UAC-0125 was reportedly observed using a customized variant against Ukrainian military personnel with Office 365 phishing lures. No Common Vulnerabilities and Exposures (CVE) entries are associated with evilginx2 itself: it is an operational framework rather than exploitable software, and there is nothing to patch on the victim side.

🔍 Detection Indicators

Behavioral indicators start before the phish is sent: evilginx2 requests a Let's Encrypt certificate for the lookalike domain, so Certificate Transparency logs record a new certificate for a name resembling a legitimate service (e.g., microsoft‑online‑auth[.]com) days or minutes before the campaign. On the identity provider side the tell is that the login itself looks normal (correct password, MFA satisfied) but comes from the proxy's IP, typically a hosting-provider or CDN address rather than the user's usual network, and is followed shortly afterwards by the same session cookie or refresh token being used from a different IP and ASN without a fresh interactive sign-in. Network IOCs are therefore about origin, not payload: phishing-domain names in proxy and DNS logs, HTTP POSTs to lookalike hosts, and sign-in events from hosting ASNs. File-based IOCs are of little value because the tool is distributed as source and compiled per operator; hashes quoted in published research (SHA256: b7c6d9f1..., with the exact hash varying per build) should not be relied on for detection. A practical preventive control is to watch domain registrations and CT-log entries that are visually similar to trusted brands, using tools such as dnstwist.
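Two of the checks above, run over constructed data, as an added example (not code from the page or from any vendor SIEM): a lookalike-domain filter of the kind dnstwist performs, applied to names as they would appear in a Certificate Transparency feed, and a correlation over sign-in events that flags MFA-satisfied logins followed by session-cookie use from a different network. The brand watchlist, allowlist, ASN labels, event field names and log lines are all assumptions of this example, not a particular product's schema.

```python
"""AiTM phishing detection on constructed data. Added example, not from the
page, from evilginx2, or from any SIEM product. Field names and log lines are
invented for the illustration."""
from datetime import datetime, timedelta

BRANDS = ["microsoft", "office365", "okta", "google"]          # assumed watchlist
ALLOWLIST = {"microsoft.com", "microsoftonline.com", "okta.com", "google.com"}
# Digit-for-letter substitutions common in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Assumed ASN classification, as an IP-intelligence feed would provide it.
ASN_LABEL = {"AS64500": "hosting", "AS64501": "residential", "AS64502": "corporate"}


def levenshtein(a, b):
    """Plain edit distance; small strings, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain, brands=BRANDS, allowlist=ALLOWLIST):
    """Return the brand a certificate's domain imitates, or None.
    Allowlisted registrable domains (and their subdomains) are never flagged."""
    domain = domain.lower().rstrip(".")
    if any(domain == a or domain.endswith("." + a) for a in allowlist):
        return None
    label = domain.rsplit(".", 1)[0].translate(HOMOGLYPHS)     # drop TLD, fix digits
    tokens = [t for t in label.replace("-", ".").split(".") if t]
    for brand in brands:
        for token in tokens:
            if brand in token or levenshtein(token, brand) <= max(1, len(brand) // 4):
                return brand
    return None


# Constructed sign-in events. Alice's password+MFA login arrives from a hosting
# ASN (the proxy), and four minutes later her session cookie is used from a
# residential IP. Bob's session stays on the network he signed in from.
SIGNIN_LOG = [
    {"ts": "2024-05-01T09:00:00", "user": "alice@example.com", "event": "interactive_signin",
     "ip": "203.0.113.10", "asn": "AS64500", "mfa": "satisfied"},
    {"ts": "2024-05-01T09:04:00", "user": "alice@example.com", "event": "session_cookie_use",
     "ip": "198.51.100.7", "asn": "AS64501"},
    {"ts": "2024-05-01T10:00:00", "user": "bob@example.com", "event": "interactive_signin",
     "ip": "192.0.2.5", "asn": "AS64502", "mfa": "satisfied"},
    {"ts": "2024-05-01T10:30:00", "user": "bob@example.com", "event": "session_cookie_use",
     "ip": "192.0.2.5", "asn": "AS64502"},
]


def detect_aitm(events, window=timedelta(minutes=60), asn_label=ASN_LABEL):
    """Flag MFA-satisfied logins that (a) came from a hosting ASN, the proxy's
    footprint, and/or (b) were followed within `window` by session-cookie use
    from a different ASN, which is the replay. Returns one finding per login."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["event"] != "interactive_signin" or e.get("mfa") != "satisfied":
                continue
            reasons = []
            if asn_label.get(e["asn"]) == "hosting":
                reasons.append("mfa login from hosting ASN " + e["asn"])
            t0 = datetime.fromisoformat(e["ts"])
            for f in evs[i + 1:]:
                if datetime.fromisoformat(f["ts"]) - t0 > window:
                    break
                if f["event"] == "session_cookie_use" and f["asn"] != e["asn"]:
                    reasons.append(f"session used from {f['ip']} ({f['asn']}) "
                                   f"{int((datetime.fromisoformat(f['ts']) - t0).total_seconds() // 60)} min after MFA")
            if reasons:
                findings.append({"user": user, "signin_ip": e["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for d in ["microsoft-online-auth.com", "login-micros0ft.com", "mlcrosoft-login.net",
              "login.microsoftonline.com", "example.org"]:
        print(d, "->", lookalike_brand(d))
    for f in detect_aitm(SIGNIN_LOG):
        print(f)
```

The two checks are deliberately cheap so they can run over a full CT feed and a day of sign-in logs; in practice the ASN label comes from an IP-intelligence source and the replay window is tuned to the service's session lifetime.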

☠️ Risk & Impact

The primary risk from evilginx2 is silent credential theft and session-token exfiltration: the victim completes a genuine login, including MFA, and sees nothing unusual, while the attacker walks away with a live session. Affected sectors include finance, healthcare and government, with documented incidents leading to fraudulent wire transfers and data breaches. Microsoft's 2022 reporting on adversary-in-the-middle phishing, which names evilginx2 among the available kits, described a single campaign that had targeted more than 10,000 organizations since September 2021, with the stolen Office 365 sessions used for follow-on business email compromise and payment fraud; a hijacked session can equally serve as the initial access for lateral movement and ransomware deployment.

🛡️ Mitigation

Organizations should deploy phishing-resistant MFA, meaning FIDO2/WebAuthn authenticators (hardware security keys or platform passkeys), rather than OTP, SMS or push-based factors. The reason is structural: a WebAuthn assertion is bound to the origin the browser actually visited and to the relying-party ID, so a signature produced on a lookalike domain is useless against the real service, whereas an OTP is just a number that the proxy relays unchanged. Conditional access policies that require a compliant or hybrid-joined device, and session or token-binding features where the identity provider offers them, mean a stolen cookie cannot be replayed from the attacker's machine. Detection rules in the SIEM should correlate MFA-satisfied sign-ins from hosting-provider IPs with subsequent token use from elsewhere, and domain-monitoring and Certificate Transparency alerts should fire on lookalike registrations. User training should stress checking the exact hostname, but with the caveat that the page is the real page and the certificate is valid, so URL inspection alone is a weak control against this attack.
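The origin-binding argument above, carried through as an added example (not code from the page, from evilginx2, or from any WebAuthn library): a model of the browser, authenticator and relying party in a WebAuthn assertion, run once from the real origin and twice through a lookalike origin, beside a TOTP check that the proxy passes without effort. HMAC-SHA256 with a per-credential secret stands in for the authenticator's ECDSA signature; that substitution, the hostnames and the flag bytes are assumptions of this example and do not change what is being shown, which is that the browser fills in `origin`, the authenticator scopes credentials by `rpId`, and the RP checks both.

```python
"""Why FIDO2/WebAuthn survives a reverse-proxy phishing page and TOTP does not.
Added example; not from the page, evilginx2, or a WebAuthn library.
Assumption: HMAC-SHA256 under a per-credential secret stands in for the
authenticator's asymmetric signature. Origins and RP ID are constructed."""
import base64, hashlib, hmac, json, os

RP_ID = "example-idp.com"                       # assumed relying-party ID
RP_ORIGIN = "https://login.example-idp.com"     # real login origin
PHISH_ORIGIN = "https://login.example-idp-auth.com"  # evilginx-style lookalike


def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class Authenticator:
    """The user's security key. Credentials are scoped to the rpId they were
    registered under; the key will not sign for an rpId it has no credential for."""
    def __init__(self):
        self.credentials = {}            # rp_id -> secret (stand-in for private key)

    def register(self, rp_id):
        self.credentials[rp_id] = os.urandom(32)
        return self.credentials[rp_id]   # the RP keeps this (stand-in for public key)

    def get_assertion(self, rp_id, client_data):
        key = self.credentials.get(rp_id)
        if key is None:
            return None
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return auth_data, sig


def browser_rp_id(page_origin, requested_rp_id):
    """The browser only allows an rpId that is the page host or a registrable
    suffix of it; otherwise navigator.credentials.get() throws SecurityError."""
    host = page_origin.split("://", 1)[1].split("/")[0]
    if host == requested_rp_id or host.endswith("." + requested_rp_id):
        return requested_rp_id
    raise ValueError("SecurityError: rpId not valid for origin")


def browser_client_data(challenge, page_origin):
    """clientDataJSON is built by the browser, not by page JavaScript, so the
    proxy cannot make it claim a different origin than the one the user is on."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin}).encode()


def rp_verify(cred_key, challenge, client_data, auth_data, sig):
    """Relying-party checks in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if b64url_decode(cd["challenge"]) != challenge:
        return False
    if cd["origin"] != RP_ORIGIN:                       # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():   # rpIdHash
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def webauthn_login(authenticator, rp_key, page_origin, rp_id_requested):
    """One login. Returns True only if the real RP accepts the assertion.
    A proxy can only change page_origin (the user is on its domain) and the
    rpId it serves in the page; challenge and the assertion are relayed as-is."""
    challenge = os.urandom(32)
    try:
        rp_id = browser_rp_id(page_origin, rp_id_requested)
    except ValueError:
        return False                     # browser refuses before the key is touched
    client_data = browser_client_data(challenge, page_origin)
    assertion = authenticator.get_assertion(rp_id, client_data)
    if assertion is None:
        return False                     # key has no credential for the proxy's rpId
    auth_data, sig = assertion
    return rp_verify(rp_key, challenge, client_data, auth_data, sig)


def totp_code(secret, time_step):
    """RFC 6238 code: HMAC-SHA1 over the counter, dynamic truncation, 6 digits."""
    mac = hmac.new(secret, time_step.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10**6


def totp_login_via_proxy(secret, time_step):
    """Contrast: the code the victim types on the phishing page carries no
    origin, so the proxy forwards it and the RP accepts it."""
    typed_on_phish_page = totp_code(secret, time_step)
    relayed_by_proxy = typed_on_phish_page
    return totp_code(secret, time_step) == relayed_by_proxy


if __name__ == "__main__":
    key = Authenticator(); rp_key = key.register(RP_ID)
    print("real origin:          ", webauthn_login(key, rp_key, RP_ORIGIN, RP_ID))
    print("proxy, rpId unchanged:", webauthn_login(key, rp_key, PHISH_ORIGIN, RP_ID))
    print("proxy, rpId rewritten:", webauthn_login(key, rp_key, PHISH_ORIGIN, "example-idp-auth.com"))
    print("TOTP through proxy:   ", totp_login_via_proxy(b"shared-seed", 57_000_000))
```

The second and third runs show the two choices a proxy operator has: leave the rpId alone and the browser refuses outright, or rewrite it to the phishing domain and the key has nothing to sign with; even a key that did would fail the origin and rpIdHash checks at the real RP. The TOTP run passes because nothing in the code ties it to where it was entered.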


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.