Security researchers from Sophos X-Ops have investigated the workings of Evilginx. The tool, which is built on the widely used open source web server nginx, poses a significant threat to IT security: it enables targeted adversary-in-the-middle (AiTM) attacks and can bypass multi-factor authentication (MFA).
How the attack works
Evilginx is based on the legitimate nginx web server, which is misused as a reverse proxy that relays web traffic through phishing pages that look genuine. In a test environment, Sophos researchers demonstrated such an attack by setting up a fraudulent domain impersonating Microsoft.
The login forms and graphics displayed to the user actually originate from Microsoft itself and are merely relayed by the Evilginx server. In the background, however, the tool manipulates the login flow. In their tests, the security researchers were able to compromise an MFA-protected account without difficulty.
For the unsuspecting user, the login process is completely normal. Only particularly attentive users may become suspicious if they are asked to log in again after clicking on one of the applications.
More than just password theft
Evilginx goes beyond simply capturing credentials. It also captures session tokens by activating the “Stay logged in” option during the Microsoft login. This information is stored in a database that contains the public IP address and the browser user agent used, as well as the crucial session cookie.
With this cookie, cybercriminals can log in to the legitimate Microsoft site and gain full access to the victim’s email account. From there, they can reset MFA devices, change passwords and take other steps to make their access persistent.
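One detection opportunity follows directly from what the article describes: the victim's credentials reach Microsoft from the proxy's address, and the stolen cookie is later replayed from wherever the attacker sits, so one session identifier appears from more than one public IP. The following script is an added example, not Sophos or Evilginx code; the sign-in records and the corporate egress range are constructed, and the field names (session_id, ip, user_agent, ts) are assumptions to be mapped onto whatever your sign-in log source actually exports.

```python
"""Flag session identifiers that are seen from more than one public IP.

Added illustration of the detection idea: in an AiTM capture the login is
proxied from one address and the cookie is replayed from another. Because the
stolen record also contains the victim's browser user agent, an attacker can
copy it, so a user-agent change is only reported as extra context; the IP
change is the primary signal.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed corporate / VPN egress range (constructed). Sessions that only move
# between trusted addresses are reported at low severity to cut roaming noise.
TRUSTED_NETWORKS = [ip_network("198.51.100.0/24")]

# Constructed sign-in records. s-111: normal session. s-222: proxied login
# from 203.0.113.25, then the same cookie replayed from 192.0.2.77 with the
# copied user agent. s-333: legitimate roaming inside the trusted range.
SIGN_INS = [
    {"ts": "2024-05-01T08:00:00Z", "user": "alice@example.test", "session_id": "s-111",
     "ip": "198.51.100.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    {"ts": "2024-05-01T08:30:00Z", "user": "alice@example.test", "session_id": "s-111",
     "ip": "198.51.100.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    {"ts": "2024-05-01T09:00:00Z", "user": "bob@example.test", "session_id": "s-222",
     "ip": "203.0.113.25", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    {"ts": "2024-05-01T09:05:00Z", "user": "bob@example.test", "session_id": "s-222",
     "ip": "192.0.2.77", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    {"ts": "2024-05-01T10:00:00Z", "user": "carol@example.test", "session_id": "s-333",
     "ip": "198.51.100.20", "user_agent": "Mozilla/5.0 (Macintosh) Safari/17"},
    {"ts": "2024-05-01T10:40:00Z", "user": "carol@example.test", "session_id": "s-333",
     "ip": "198.51.100.21", "user_agent": "Mozilla/5.0 (Macintosh) Safari/17"},
]


def _trusted(ip: str) -> bool:
    """True if the address falls inside an assumed corporate egress range."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_replayed_sessions(records):
    """Group sign-ins by session id and report every session seen from >1 IP.

    Returns a list of findings; severity is 'high' when a later address is
    outside the trusted ranges (the replay pattern), otherwise 'low'.
    """
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session_id"]].append(rec)

    findings = []
    for sid, events in by_session.items():
        events.sort(key=lambda e: e["ts"])
        ips = [e["ip"] for e in events]
        distinct_ips = list(dict.fromkeys(ips))  # preserve first-seen order
        if len(distinct_ips) < 2:
            continue
        # Any address after the first sign-in that is not a trusted egress point.
        untrusted_later = [ip for ip in distinct_ips[1:] if not _trusted(ip)]
        agents = {e["user_agent"] for e in events}
        findings.append({
            "user": events[0]["user"],
            "session_id": sid,
            "ips": distinct_ips,
            "user_agent_changed": len(agents) > 1,
            "severity": "high" if untrusted_later else "low",
        })
    return findings


if __name__ == "__main__":
    for finding in find_replayed_sessions(SIGN_INS):
        print(finding)
```

Run over real sign-in data this will also surface VPN and mobile-network roaming, which is why the trusted-range check exists; tune it to your own egress addresses and treat a high-severity hit on a session that was created shortly before as the cue to run the revocation steps described further down.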
Protective measures against Evilginx attacks
If an Evilginx attack is suspected, the security experts at Sophos recommend two countermeasures:
- Reactive: First of all, all sessions and tokens should be revoked via Entra ID and Microsoft 365. This can be done in the user account using the “Revoke sessions” and “Log out of all sessions” functions.
- Preventive: The passwords and MFA devices of the affected user must then be reset. Important: depending on the type of MFA device the attacker added, they may still have passwordless access, in which case a password change alone will have no effect.
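The same two steps can be scripted against the Microsoft Graph API so that the order (revoke first, then password, then every registered MFA method) is fixed and the passwordless caveat is reported explicitly. The following is an added example, not Sophos tooling or anything from the article; it assumes the documented Graph v1.0 endpoints (`users/{id}/revokeSignInSessions`, `users/{id}/authentication/methods` and the per-type method collections) and takes the HTTP transport as an injected `send` callable so the logic can be exercised offline, which is how the accompanying test runs it.

```python
"""Contain a suspected AiTM account compromise via Microsoft Graph.

Added example. Order matches the article's advice: revoke sessions and
tokens first, then reset the password, then remove registered MFA methods,
because a password reset does nothing against a passwordless method the
attacker may have registered. Endpoint paths are the Graph v1.0 ones as
documented by Microsoft; treat the method-type table as an assumption to
re-check against the current Graph reference before relying on it.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Graph @odata.type of each MFA method -> (collection used to DELETE it,
# whether that method can complete sign-in without a password).
METHOD_TYPES = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": ("microsoftAuthenticatorMethods", True),
    "#microsoft.graph.fido2AuthenticationMethod": ("fido2Methods", True),
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod": ("windowsHelloForBusinessMethods", True),
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod": ("temporaryAccessPassMethods", True),
    "#microsoft.graph.phoneAuthenticationMethod": ("phoneMethods", False),
    "#microsoft.graph.softwareOathAuthenticationMethod": ("softwareOathMethods", False),
    "#microsoft.graph.emailAuthenticationMethod": ("emailMethods", False),
}


def graph_transport(access_token):
    """Build a real send(method, url, body) callable over urllib (needs a Graph token)."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            url, data=data, method=method,
            headers={"Authorization": f"Bearer {access_token}",
                     "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return send


def contain_user(user_id, new_password, send):
    """Run the containment steps for one user; returns a report of what was done."""
    base = f"{GRAPH}/users/{user_id}"

    # 1. Reactive: invalidate refresh tokens and session cookies first, so the
    #    stolen cookie stops working before anything else is touched.
    send("POST", f"{base}/revokeSignInSessions")

    # 2. Preventive: set a new password and force the user to choose their own
    #    at next sign-in.
    send("PATCH", base, {"passwordProfile": {
        "password": new_password,
        "forceChangePasswordNextSignIn": True,
    }})

    # 3. Preventive: remove every registered MFA method, flagging the
    #    passwordless ones that a password change alone would not cut off.
    methods = send("GET", f"{base}/authentication/methods").get("value", [])
    removed, passwordless = [], []
    for m in methods:
        entry = METHOD_TYPES.get(m.get("@odata.type"))
        if entry is None:  # passwordAuthenticationMethod or an unknown type: leave it
            continue
        collection, is_passwordless = entry
        send("DELETE", f"{base}/authentication/{collection}/{m['id']}")
        removed.append(m["id"])
        if is_passwordless:
            passwordless.append(m["id"])

    return {
        "sessions_revoked": True,
        "password_reset": True,
        "removed_methods": removed,
        "passwordless_removed": passwordless,
    }


if __name__ == "__main__":
    # Real use: contain_user("user@tenant.example", "<temporary password>",
    #                        graph_transport("<access token>"))
    pass
```

The script does not reuse the old MFA registration in any way: after it runs, the user re-registers MFA from a trusted device, and the `passwordless_removed` list tells the responder which registrations would have survived a password-only reset.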
Conclusion: Impressive but manageable threat
Evilginx is a technically sophisticated method of bypassing MFA and stealing credentials. What is particularly worrying is that this complex attack technique is relatively easy to deploy, which allows a wide range of attacker groups to use it.
The good news is that the countermeasures described can significantly limit the success of such attacks. However, vigilance in the face of unusual login requests and regular checks of active sessions remain essential.