Evilginx: Dangerous web server tricks MFA 

8 April 2025
| No comments
SophosNews
Advertising

Share post

A malicious mutation of the widely used nginx web server facilitates malicious adversary-in-the-middle attacks. Sophos X-Ops analyzed the criminal potential of Evilginx in a test setup and offers tips for protection.

Evilginx is a malware based on the legitimate and widely used open-source web server nginx. It can be used to steal usernames, passwords, and session tokens, and it offers attackers a way to bypass multi-factor authentication (MFA).

Advertising

How Evilginx works

At its core, Evilginx leverages the legitimate and popular nginx web server to route web traffic through malicious websites. These websites are created by threat actors to mimic real services like Microsoft 365—a process known as an adversary-in-the-middle (AitM) attack. To demonstrate this attack tactic, Sophos X-Ops set up a malicious domain and a Microsoft phishlet with its own subdomain. The phishlet contains a decoy that the targeted user sees when the cybercriminals attempt to intercept usernames and passwords.

The forms and images the user sees actually originate from Microsoft and are forwarded to the user via the Evilginx server. However, Evilginx offers the ability to configure the user experience in the backend. In tests, Sophos X-Ops mimicked an MFA-protected user account and was able to bypass this hurdle immediately. The user experiences a "normal" login. Only when a particularly attentive user clicks on one of the applications on the left side of the screen might they notice something strange, as they are prompted to log in again.

Advertising

Subscribe to our newsletter now

Read the best news from B2B CYBER SECURITY once a month



By clicking on "Register" I agree to the processing and use of my data in accordance with the declaration of consent (please open for details). I can find more information in our Privacy Policy. After registering, you will first receive a confirmation email so that no other person can order something you don't want.
Expand for details on your consent
It goes without saying that we handle your personal data responsibly. If we collect personal data from you, we process it in compliance with the applicable data protection regulations. Detailed information can be found in our Privacy Policy. You can unsubscribe from the newsletter at any time. You will find a corresponding link in the newsletter. After you have unsubscribed, your data will be deleted as soon as possible. Recovery is not possible. If you would like to receive the newsletter again, simply order it again. Do the same if you want to use a different email address for your newsletter. If you would like to receive the newsletter offered on the website, we need an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data is not collected or only collected on a voluntary basis. We use newsletter service providers, which are described below, to process the newsletter.

CleverReach

This website uses CleverReach to send newsletters. The provider is CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (hereinafter “CleverReach”). CleverReach is a service that can be used to organize and analyze the sending of newsletters. The data you enter for the purpose of subscribing to the newsletter (e.g. email address) will be stored on the CleverReach servers in Germany or Ireland. Our newsletters sent with CleverReach enable us to analyze the behavior of the newsletter recipients. This can include It is analyzed how many recipients have opened the newsletter message and how often which link in the newsletter was clicked. With the help of so-called conversion tracking, it can also be analyzed whether a previously defined action (e.g. purchase of a product on this website) took place after clicking on the link in the newsletter. Further information on data analysis by CleverReach newsletter is available at: https://www.cleverreach.com/de/funktionen/reporting-und-tracking/. The data processing takes place on the basis of your consent (Art. 6 Para. 1 lit. a DSGVO). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the revocation. If you do not want an analysis by CleverReach, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. The data you have stored with us for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you have canceled the newsletter. Data stored by us for other purposes remain unaffected. After you have been removed from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist if this is necessary to prevent future mailings. The data from the blacklist is only used for this purpose and is not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR). Storage in the blacklist is not limited in time. You may object to the storage if your interests outweigh our legitimate interest. For more information, see the privacy policy of CleverReach at: https://www.cleverreach.com/de/datenschutz/.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

Intercepting passwords, session tokens and cookies

In addition to intercepting usernames and passwords, session tokens are also captured. This is possible if the attacker selects the "Stay signed in" option when the Microsoft prompt appears. Evilginx stores this data in a database containing information about each session—including the public IP address used to access the server, the user agent used, and—most importantly—the cookie. This allows the attacker to simply open a window on the legitimate login page and import the cookie to log in as a legitimate user. From here, cybercriminals have full access to the user's mailbox account. Once the account is accessed, cybercriminals can reset MFA devices, change passwords, and perform a variety of other actions to gain advanced account access.

This is how you can protect yourself

To counter the danger of an Evilginx attack, two preventive and reactive measures are suitable.

As part of a reactive countermeasure, the first step should be to revoke the threat actor's access and completely close the door. This involves revoking all sessions and tokens across Entra ID and Microsoft 365 to remove the access gained. These actions can be performed in the user account in both Entra ID and Microsoft 365 using the "Revoke Sessions" and "Sign Out of All Sessions" buttons.

Next, the user's passwords and MFA devices need to be reset. Depending on the type of MFA device added, this may allow passwordless access to the account, rendering password changes and session removal ineffective.

Danger recognized, but not completely averted

Evilginx represents a formidable criminal method for bypassing MFA and compromising credentials. The existence of Evilginx also ensures that a complex attack technique is relatively easy to deploy, which could lead to widespread adoption. However, with the mitigations described, users have a good opportunity to significantly limit the success of an attack.

More at Sophos.com

 

About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.

 

Matching articles on the topic

MITRE CVE program remains in place for the time being

The CVE program, funded by the US government, is considered a crucial component in the global detection of software flaws. Now, funding is to be temporarily suspended. ➡ Read more

LockBit leak site hacked and data stolen

Now LockBit has also become the victim of another hacker: It seems that not only the leak page of the group was hacked, but ➡ Read more

F5 BIG-IP: BSI warns of highly dangerous vulnerabilities

The BSI has issued a warning about F5 products, as they contain several highly dangerous security vulnerabilities that should be closed. The BIG-IP ➡ Read more

Maximum IT security for OT systems

OT systems are rarely attacked directly. However, gaps and vulnerabilities in traditional IT make OT systems more vulnerable to attacks. ➡ Read more

Iran, North Korea, Russia: State hackers rely on ClickFix 

State-sponsored hacker groups are increasingly adopting new social engineering techniques originally developed by commercially motivated cybercriminals. ClickFix, for example, is now increasingly ➡ Read more

TA4557: Venom Spider targets HR departments

TA4557, better known as Venom Spider, is increasingly exploiting phishing and trying to deploy its backdoor malware. The focus of the ➡ Read more

Oettinger Brewery attacked by ransomware

The APT group Ransomhouse claims to have successfully attacked the German brewery Oettinger with ransomware. On the APT group's leak page ➡ Read more

Healthcare facilities: 90 percent are at high risk

The current report “State of CPS Security: Healthcare Exposures 2025” shows the most dangerous vulnerabilities of medical devices in networks of ➡ Read more

Short news, Sophos
, , , , ,