Evilginx AiTM Attack Captures Microsoft Credentials and Session Tokens
Microsoft users are currently facing a significant and growing threat from targeted phishing attacks. These campaigns leverage highly sophisticated tools, most notably Evilginx, which employs an adversary-in-the-middle (AiTM) technique to bypass multi-factor authentication and capture sensitive credentials and session tokens.
Security researchers have documented how Evilginx, an adversary-in-the-middle framework, is being used to silently intercept Microsoft login sessions, stealing usernames, passwords, MFA tokens, and authenticated session cookies all at once.
What makes this threat especially alarming is that even users who follow best practices and enable multi-factor authentication are not fully protected from it.
Most people believe that turning on MFA is enough to keep their accounts safe. That assumption is now being put to the test in a very real way.
Evilginx works by placing itself between the user and the real Microsoft login page, acting as a transparent relay that the victim never suspects.
Every piece of data exchanged during the login process, including the MFA approval, passes right through the attacker’s server before reaching its destination.

Analysts at NetSPI documented a real-world engagement where this technique was put into practice against a corporate executive team.
NetSPI said in a report shared with Cyber Security News (CSN) that researchers registered a lookalike domain and pointed an Evilginx server directly at the client’s live Microsoft login flow.
The attack was carefully wrapped inside a social engineering scenario, making it even harder for targets to detect anything was wrong.
The outcome was a clear demonstration of how dangerous this combination can be. Once a target clicked the phishing link and completed their Microsoft login, including approving the MFA prompt, Evilginx had already captured the authenticated session cookie.
With that cookie in hand, an attacker can replay the session from any device, anywhere in the world, without needing the victim’s password or MFA code ever again.
What followed next in the NetSPI case surprised even the researchers themselves. One executive, believing he was managing a potential company crisis, forwarded the phishing link to two external contracting firms.

In a single, unintended move, a targeted attack against one organization was on the verge of becoming a multi-company breach. The session was terminated immediately to prevent out-of-scope credential captures, but the lesson was impossible to ignore.
Evilginx AiTM Attack
Evilginx, in its current 2.x and 3.x releases, is a standalone Go application that runs its own HTTP reverse proxy and DNS server; only the original 2017 version was built on top of nginx. Either way the job is the same: proxy the legitimate site through an attacker-controlled domain in real time and record everything that passes through.
When a victim visits a phishing URL, they are shown an exact replica of the real Microsoft login page, because it actually is the real page being mirrored live, with only the hostnames in the responses rewritten to point at the phishing domain.
The user enters their credentials and approves their MFA request, completely unaware that every exchange is being captured on the attacker’s server.
The attacker receives the username, password, and the live session cookie the moment authentication completes. That session cookie is the real prize, since it tells Microsoft’s servers that a valid login already took place.
An attacker can import it into any browser and gain full account access without triggering another MFA challenge, which is what makes AiTM attacks fundamentally different from traditional phishing attempts.
Protecting Against Session Hijacking
Defending against Evilginx-style attacks requires a layered approach that goes well beyond standard MFA.
NetSPI and other researchers recommend deploying phishing-resistant authentication such as FIDO2 security keys or passkeys. WebAuthn binds each credential to the relying party's domain and the browser records the page origin inside every assertion, so an assertion produced on a proxy's lookalike domain cannot be accepted by the real site.
In Microsoft Entra ID terms, the phishing-resistant options are FIDO2 security keys, passkeys, Windows Hello for Business and certificate-based authentication; push approvals, authenticator codes and SMS all pass straight through the proxy, so they do not stop an AiTM attack at the authentication stage.
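The relying-party checks that make the "domain binding" above concrete, as an added example that is not part of the original article or of any Microsoft or NetSPI code. It simulates the parts of a WebAuthn assertion a browser produces (no real authenticator or signature is involved) and runs the checks a relying party performs before it even looks at the signature. The RP ID, the allowed origin and the lookalike domain `login.microsoftonline-sso.example` are assumptions for illustration; in practice the browser and authenticator already refuse to produce an assertion on the wrong origin, and this shows why the server would reject one anyway.

```python
import base64
import hashlib
import json

# Relying-party configuration for the legitimate site (assumed values for the
# example; nothing here is taken from Microsoft's actual deployment).
RP_ID = "login.microsoftonline.com"
ALLOWED_ORIGINS = {"https://login.microsoftonline.com"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(origin: str, challenge: bytes, rp_id: str) -> dict:
    """Build the two data structures a browser hands back from navigator.credentials.get().

    Constructed for the example: the browser fills in `origin` from the page the
    user is actually on, and the authenticator hashes the RP ID it was asked to use.
    A phishing page cannot change either value to the legitimate site's.
    """
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = bytes([0x05])                      # UP (user present) | UV (user verified)
    sign_count = (0).to_bytes(4, "big")
    authenticator_data = rp_id_hash + flags + sign_count
    return {
        "clientDataJSON": b64url_encode(client_data_json),
        "authenticatorData": b64url_encode(authenticator_data),
    }


def verify_binding(assertion: dict, expected_challenge: bytes) -> tuple:
    """Server-side checks on type, challenge, origin and rpIdHash.

    These run before signature verification; an AiTM proxy fails here, so the
    captured assertion never reaches the point where a stolen password or OTP
    would have been accepted.
    """
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or cross-session assertion)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not an allowed origin for this relying party"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    return True, "binding checks passed; proceed to signature verification"


def demo() -> tuple:
    """Three cases: genuine login, login through a lookalike proxy, replay of a captured assertion."""
    challenge = b"\x01" * 32        # constructed; a real RP issues a fresh random challenge per login
    genuine = make_assertion("https://login.microsoftonline.com", challenge, RP_ID)
    # Hypothetical lookalike host standing in for the Evilginx domain.
    proxied = make_assertion("https://login.microsoftonline-sso.example", challenge,
                             "login.microsoftonline-sso.example")
    fresh_challenge = b"\x02" * 32  # the RP's next challenge, which a captured assertion cannot satisfy
    return (
        verify_binding(genuine, challenge),
        verify_binding(proxied, challenge),
        verify_binding(genuine, fresh_challenge),
    )


if __name__ == "__main__":
    for ok, reason in demo():
        print("accept" if ok else "reject", "-", reason)
```

Contrast this with a password, TOTP code or push approval: none of those carries the origin it was entered on, so the proxy can forward them to the real site unchanged. Signature verification (omitted here) only starts once these checks pass.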
Organizations should also enable Token Protection in Microsoft Entra ID Conditional Access, which cryptographically binds sign-in session tokens to the device they were issued on so that a copy replayed from another machine is rejected. Note its current scope: at the time of writing it covers sign-in session (refresh) tokens on Windows devices for a limited set of Microsoft services, so it narrows the replay window rather than neutralizing every cookie Evilginx can capture.
Security teams should alert on session tokens being used from an IP address, country or browser that differs from the interactive sign-in that issued them, since the attacker's replay comes from their own infrastructure rather than the victim's network.
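One way to implement that sign-in log check, as an added example that is not part of the original article or of any vendor tooling. The log lines are constructed, newline-delimited JSON modelled on Microsoft Entra ID sign-in log fields (`createdDateTime`, `userPrincipalName`, `ipAddress`, `location.countryOrRegion`, `sessionId`, `isInteractive`, `authenticationRequirement`, `userAgent`); those field names and the RFC 5737 test addresses are assumptions for the example. The logic generalizes beyond the article's single scenario: it flags any session ID that reappears from a different IP than the sign-in that created it, and raises the severity when the country or user agent changed as well.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real telemetry). Alice signs in with MFA from
# 198.51.100.10, her session refreshes normally once, then the same session ID
# shows up from 203.0.113.77 in another country on a different browser: the
# pattern an Evilginx-captured cookie produces when the attacker imports it.
# Bob's session only ever refreshes from where it started.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2025-03-04T09:00:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"},"sessionId":"s-1","isInteractive":true,"authenticationRequirement":"multiFactorAuthentication","userAgent":"Mozilla/5.0 (Windows NT 10.0) Edg/122.0"}
{"createdDateTime":"2025-03-04T09:01:30Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"},"sessionId":"s-1","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication","userAgent":"Mozilla/5.0 (Windows NT 10.0) Edg/122.0"}
{"createdDateTime":"2025-03-04T09:04:10Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.77","location":{"countryOrRegion":"NL"},"sessionId":"s-1","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/121.0"}
{"createdDateTime":"2025-03-04T09:10:00Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.20","location":{"countryOrRegion":"US"},"sessionId":"s-2","isInteractive":true,"authenticationRequirement":"multiFactorAuthentication","userAgent":"Mozilla/5.0 (Windows NT 10.0) Edg/122.0"}
{"createdDateTime":"2025-03-04T09:20:00Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.20","location":{"countryOrRegion":"US"},"sessionId":"s-2","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication","userAgent":"Mozilla/5.0 (Windows NT 10.0) Edg/122.0"}
"""


def parse_events(ndjson: str) -> list:
    """Parse newline-delimited sign-in events and sort them by timestamp."""
    events = []
    for line in ndjson.strip().splitlines():
        event = json.loads(line)
        # fromisoformat() only accepts "Z" on Python 3.11+, so normalize the suffix.
        event["ts"] = datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_session_reuse(events: list) -> list:
    """Flag session IDs reused from a different IP than the sign-in that issued them.

    The earliest event for a session is treated as the issuing sign-in (the one
    the victim performed through the proxy). Every later event on the same
    session from another IP is a replay candidate; a changed country or user
    agent on top of that raises the severity, because the real user is unlikely
    to be on two networks with two browsers minutes apart.
    """
    by_session = defaultdict(list)
    for event in events:
        by_session[event["sessionId"]].append(event)

    alerts = []
    for session_id, session_events in by_session.items():
        issuer = session_events[0]
        for event in session_events[1:]:
            if event["ipAddress"] == issuer["ipAddress"]:
                continue  # ordinary token refresh from where the session started
            minutes = (event["ts"] - issuer["ts"]).total_seconds() / 60
            country_changed = (event["location"]["countryOrRegion"]
                               != issuer["location"]["countryOrRegion"])
            ua_changed = event["userAgent"] != issuer["userAgent"]
            alerts.append({
                "user": event["userPrincipalName"],
                "sessionId": session_id,
                "issued_from": issuer["ipAddress"],
                "reused_from": event["ipAddress"],
                "minutes_after_issue": round(minutes, 1),
                "mfa_at_issue": issuer["authenticationRequirement"] == "multiFactorAuthentication",
                "severity": "high" if (country_changed or ua_changed) else "medium",
            })
    return alerts


def run_demo() -> list:
    """Run the detection over the constructed sample; returns the alert list."""
    return find_session_reuse(parse_events(SAMPLE_SIGNIN_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert))
```

Against real exports the same grouping works on the session identifier your SIEM ingests from Entra; `mfa_at_issue` being true with a later foreign-IP reuse is exactly the AiTM signature, since the MFA was satisfied once through the proxy and never challenged again. Pair the alert with session revocation for the affected user.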
Establishing clear policies for how employees handle unsolicited external communications, especially anything directing them to internal login pages, is also a critical step in reducing exposure.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.