
Why Multi-Factor Authentication is Not Enough

Authored by Ian Lin, Director of Research and Development at Packetlabs.

All too often, organizations ask Packetlabs to assess only their external perimeter and to judge their security posture by what we can see and penetrate from the outside. That is not a problem for us, but it reflects a mindset that assumes professional ethical hackers will not get past the perimeter. Given enough time and effort, a breach of the perimeter is an eventuality, not a possibility.

“There are only two types of companies: Those that have been hacked and those that will be hacked.” – Robert S. Mueller, III, former Director of the FBI.

The point of the quote is that a highly motivated threat group will eventually obtain the access it needs to accomplish its objectives. No matter how robust your defenses are, a determined and moderately skilled threat actor will find a way into your environment given enough time and resources.

In a company of 100 employees, even a modest 5% click rate on phishing emails means that, on average, 5 people fall victim to every campaign. Part of the challenge for defenders is recognizing that publicly available tooling, often with minimal setup, makes a successful phishing attempt inevitable.

A Software Developer’s Response to MFA: Evilginx

On April 6, 2017, Kuba Gretzky released the first version of the Evilginx framework. Ever since, researchers, ethical hackers, and threat groups have used it successfully against organizations that have multi-factor authentication configured. The project has pushed Microsoft and other software vendors to improve their products against sophisticated actors who build custom tooling to circumvent security measures such as multi-factor authentication.

Since then, the developer has continuously supported and improved the project. With its move into the commercial software space, users of the PRO version are likely to have more success against the signatures that browsers have traditionally relied on to flag phishing pages (for example, Chrome Safe Browsing Enhanced Protection).

What is Evilginx2?

Evilginx2 is a phishing framework and development toolkit for performing adversary-in-the-middle (commonly called "man-in-the-middle", MITM) attacks against the authentication mechanisms of web applications. It works as a reverse proxy: the victim's browser talks to the attacker's domain, and the attacker's server talks to the real service, so every request and response passes through the attacker. This lets it intercept and manipulate authentication sessions, stealing credentials, session tokens, and other sensitive information. Its core functionality centers on four features:

  • Phishing Capabilities: Evilginx2 serves convincing phishing pages that mimic legitimate login portals. Because the content is proxied from the real site rather than cloned, it reproduces the appearance and behaviour of popular identity and email services such as AWS, Okta, Microsoft, and Google.

  • Credential and Session Capture: When a victim enters credentials on the phishing page, Evilginx2 records them and forwards them to the legitimate service's login system. The service's responses, including the session cookies it sets after a successful login, also pass through the proxy and are captured.

  • 2FA Bypass: Because the second factor is entered on the proxied page and relayed to the real service in real time, the one-time code or push approval is consumed legitimately, and the resulting authenticated session cookie is what the attacker keeps. The second factor itself is not broken; the session token issued after it is stolen. This is why the technique works against codes, SMS, and push approvals, while phishing-resistant factors that bind the authentication to the site's origin (FIDO2/WebAuthn, discussed below) do not relay.

  • Configurability: The tool is highly configurable. Attackers can customize phishing pages through "phishlets", control how intercepted data is stored or relayed, and set up redirects to the legitimate site after a successful capture to avoid raising suspicion.

In summary, Evilginx2 is a powerful tool that demonstrates the vulnerabilities inherent in authentication processes on the web. Its existence underscores the ongoing challenge of defending against sophisticated phishing attacks and reinforces the need for robust security measures and user awareness. The custom implementations that Packetlabs has made in red team campaigns allow defenders and organizations to understand the impacts of access past the email inbox and demonstrate the impact of reverse proxy phishing.

Take the following scenario: Victims of a spear-phishing attack are sent phishing emails attempting to coerce users to authenticate to an attacker-controlled domain that is hosting an instance of Evilginx2. Each request to the attacker’s domain is forwarded to the provider’s login page. Subsequently, the response from each forwarded request is returned to the attacker’s domain. This results in a seamless and realistic login experience from the victim’s perspective. A victim with multi-factor authentication (MFA) enabled will be prompted to provide their token. It’s important to note that this process is dynamic and the prompt for MFA can vary based on account configuration.
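The feature list and the scenario above can be reduced to a small in-process model. The following is an added illustration written for this article, not Evilginx2 code: a constructed identity provider that requires a password plus a TOTP code and then issues a bearer session cookie, a relay that forwards every message to it unchanged (the role Evilginx2 plays on the attacker's domain), and a victim who completes the whole login through the relay. All usernames, passwords, the TOTP secret, and the cookie name are made up for the example.

```python
"""Constructed model of reverse-proxy (adversary-in-the-middle) phishing.

Added example for this article, not code from Evilginx2. Three roles run
in one process: an identity provider (IdP) that checks a password and a
TOTP code before issuing a session cookie, a relay on the attacker's
domain that forwards requests verbatim and copies the responses, and a
victim who logs in through the relay. Names, secrets and the cookie name
are constructed for the example.
"""
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as the victim's authenticator app computes it."""
    counter = struct.pack(">Q", int(timestamp // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class IdentityProvider:
    """Minimal IdP: password + TOTP, then a bearer session cookie (constructed)."""

    def __init__(self):
        # username -> (password, TOTP secret); both constructed for the example
        self.users = {"alice@example.com": ("hunter2", b"constructed-totp-secret")}
        self.sessions = {}  # cookie value -> username

    def login(self, username, password, code, now=None):
        now = time.time() if now is None else now
        stored_password, totp_secret = self.users.get(username, (None, None))
        if stored_password is None or password != stored_password:
            return {"status": 401, "error": "bad credentials"}
        if not hmac.compare_digest(code, totp(totp_secret, now)):
            return {"status": 401, "error": "bad MFA code"}
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        # Like a real IdP, the success response carries Set-Cookie.
        return {"status": 200, "set_cookie": f"SESSION={cookie}"}

    def whoami(self, cookie_header):
        """Any request bearing a valid session cookie is the user; MFA is not re-run."""
        name, _, value = cookie_header.partition("=")
        if name == "SESSION" and value in self.sessions:
            return {"status": 200, "user": self.sessions[value]}
        return {"status": 401, "error": "no session"}


class ReverseProxyPhish:
    """Relay on the attacker's domain: forwards requests verbatim, keeps a copy of responses."""

    def __init__(self, idp):
        self.idp = idp
        self.captured = []  # (username, password, code, set_cookie)

    def login(self, username, password, code, now=None):
        # The victim addressed the phishing domain; the relay just calls the real IdP.
        response = self.idp.login(username, password, code, now)
        if response["status"] == 200:
            self.captured.append((username, password, code, response["set_cookie"]))
        return response  # the victim sees the genuine outcome, error or success


def run_scenario(now=1_700_000_000.0):
    """Victim logs in through the relay; attacker replays the captured cookie."""
    idp = IdentityProvider()
    proxy = ReverseProxyPhish(idp)
    # The victim types credentials and the current TOTP into the phishing page.
    victim_code = totp(b"constructed-totp-secret", now)
    victim_view = proxy.login("alice@example.com", "hunter2", victim_code, now)
    # Two minutes later the captured one-time code is worthless on its own...
    stale = idp.login("alice@example.com", "hunter2", victim_code, now + 120)
    # ...but the captured session cookie is accepted with no MFA prompt at all.
    _, _, _, stolen_cookie = proxy.captured[-1]
    attacker_view = idp.whoami(stolen_cookie)
    return {
        "victim_sees_success": victim_view["status"] == 200,
        "code_replay_status": stale["status"],
        "attacker_session_user": attacker_view.get("user"),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The model makes the important point concrete: the MFA code is consumed legitimately and expires, so the attacker never needs it again. What the relay keeps is the cookie the IdP set after MFA succeeded, and the IdP treats any request bearing that cookie as the authenticated user.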

[Image: Evilginx2 screenshot]

Navigating to an Evilginx2 instance on the attacker's domain reveals the web page below. Entering false credentials results in an error, just as the legitimate provider's portal would return, because the request was genuinely submitted to the provider.

[Image: Evilginx2 screenshot, proxied login page]

Submitting valid credentials forwards the request to the legitimate Microsoft 365 (O365) portal through the attacker's domain and returns a multi-factor authentication prompt if one is enabled on the account.

[Image: Evilginx2 screenshot, proxied MFA prompt]

Upon entering the MFA code, Evilginx2 captures all of the authentication information, including the session cookies. The attacker can then hijack the session by importing those cookies into their own browser. Below is an example capture containing the data that passed from the victim, through the attacker's domain, to the legitimate provider. In this case, every cookie set for the login.microsoftonline.com domain was captured.

[Image: Evilginx2 screenshot, captured session output]

Browser developer tools, or a browser extension such as "Cookie-Editor", can be used to import the captured list of cookies in JSON format.

[Image: Evilginx2 screenshot, cookie import]

Once the import is complete, the attacker refreshes the login.microsoftonline.com page and gains full access to the account without being prompted for credentials or MFA. It is important to note that this toolkit simulates realistic landing pages and captures cookies, effectively bypassing the traditional forms of multi-factor authentication. This includes, but is not limited to, Microsoft Authenticator (approval or code) and SMS. Factors that are bound to the site's origin, such as FIDO2 security keys and Windows Hello for Business, are the exception and are covered in the table below.

[Image: Evilginx2 screenshot, hijacked session]

Microsoft Defenses vs. Evilginx2

Microsoft often places its security features behind premium licenses, a practice that hinders the security of customers on its identity platform. Many of the countermeasures against reverse-proxy phishing are contained within Microsoft Entra ID P1 or EMS E3.

If the entry point to your organization's Microsoft applications is protected only by a username and password, we urge you to mandate multi-factor authentication. Understanding that multi-factor authentication is not a full stop for attackers attempting to gain access, it is one of the first layers of a defense in depth, and security is built in layers. The table below lists configurations that reduce the effectiveness of the Evilginx2 framework:

Configuration: Conditional Access Policies (CAP) by IP / named location
Required license: Microsoft Entra ID P1, EMS E3/E5, or Microsoft 365 E3/E5/F3
Supplemental: Effective because the sign-in reaches Microsoft from the Evilginx2 server's IP address, not from the user's originating IP, so a policy that restricts sign-ins to trusted named locations blocks it.

Configuration: Device Enrollment (Intune compliance)
Required license: Intune, EMS E3/E5, or Microsoft 365 E3/E5/F1/F3
Supplemental: The attacker's device is not enrolled in the organization's Intune, so a policy requiring a compliant device fails the compliance check.

Configuration: Certificate-Based Authentication
Required license: Microsoft Entra ID P1 and Microsoft Defender for Cloud Apps, or EMS E5
Supplemental: Authentication tokens for office.com may still be captured, but access to Microsoft applications is denied by Microsoft Defender for Cloud Apps access policies.

Configuration: FIDO2 / Universal 2nd Factor
Required license: Microsoft Entra ID P1, EMS E3/E5, or Microsoft 365 E3/E5
Supplemental: The signed challenge is bound to the origin the browser is actually on. When the phishing domain is used instead of the legitimate domain, the browser will not produce an assertion for the legitimate relying party, and any assertion that is produced fails verification. Windows Hello for Business is an example of such an origin-bound method.

Configuration: Entra Hybrid Join
Required license: Microsoft Entra ID P1, EMS E3/E5, or Microsoft 365 E3/E5
Supplemental: The same caveat as device enrollment applies: the sign-in is presented by the reverse proxy rather than by the hybrid-joined device, so a policy requiring a hybrid-joined device rejects it.
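The FIDO2 row is the one that defeats the relay outright, and the reason is easy to show in code. The following is an added example written for this article, not Microsoft's or Evilginx2's code. It models the three WebAuthn checks that matter here: the browser only produces an assertion when the relying party ID is a registrable suffix of the page origin, the browser (not the page) writes the origin into clientDataJSON, and the relying party verifies the origin and the signature over authenticatorData plus the hash of clientDataJSON. The per-credential HMAC key is a stand-in for the authenticator's private key so the example needs only the standard library; a real authenticator uses an asymmetric signature. The relying party name, origins, and challenge are constructed.

```python
"""Constructed model of WebAuthn origin binding against a reverse proxy.

Added example for this article, not Microsoft's or Evilginx2's code.
An HMAC key stands in for the authenticator's private key so that the
example runs with the standard library only; the structure of what is
signed (authenticatorData || SHA-256(clientDataJSON)) follows WebAuthn.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example"              # constructed relying party ID
EXPECTED_ORIGIN = "https://login.example"


class Authenticator:
    """Holds the credential key; signs whatever the browser hands it."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # stand-in for the private key

    def sign(self, rp_id, challenge, origin):
        # The browser, not the web page, supplies the origin in clientDataJSON.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        # authenticatorData: rpIdHash || flags (UP set) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {"client_data": client_data, "auth_data": auth_data,
                "sig": hmac.new(self.key, signed, hashlib.sha256).digest()}


def browser_get(authenticator, page_origin, rp_id, challenge):
    """navigator.credentials.get(): rpId must be a registrable suffix of the page origin."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId is not a registrable suffix of the origin")
    return authenticator.sign(rp_id, challenge, page_origin)


def verify_assertion(key, challenge, assertion):
    """Relying-party verification; returns 'ok' or the first failing check."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != challenge:
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return "bad signature"
    return "ok"


def run_scenarios():
    auth = Authenticator()
    challenge = secrets.token_urlsafe(32)
    results = {}
    # 1. Genuine sign-in from the real origin.
    results["legitimate"] = verify_assertion(
        auth.key, challenge, browser_get(auth, EXPECTED_ORIGIN, RP_ID, challenge))
    # 2. The proxied page keeps rpId = login.example but is served from the
    #    phishing origin: the browser refuses before the authenticator is touched.
    try:
        browser_get(auth, "https://login.phish.example", RP_ID, challenge)
        results["proxied_same_rpid"] = "allowed"
    except PermissionError:
        results["proxied_same_rpid"] = "browser refused"
    # 3. The relay rewrites rpId to its own domain. (A real authenticator would
    #    hold no credential for it; here the assertion is produced but bound to
    #    the wrong origin and rpIdHash, so the relying party rejects it.)
    bad = browser_get(auth, "https://login.phish.example", "phish.example", challenge)
    results["proxied_rewritten_rpid"] = verify_assertion(auth.key, challenge, bad)
    # 4. The relay edits clientDataJSON and rpIdHash to claim the real origin:
    #    the signature covers the hash of the original client data, so it breaks.
    forged = dict(bad)
    forged["client_data"] = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": EXPECTED_ORIGIN},
        sort_keys=True).encode()
    forged["auth_data"] = hashlib.sha256(RP_ID.encode()).digest() + bad["auth_data"][32:]
    results["forged_client_data"] = verify_assertion(auth.key, challenge, forged)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Contrast this with a TOTP code or a push approval, which carry no information about where the user typed them: the relay forwards them and they are accepted. Here the origin is written by the browser into data the authenticator signs, so the relay can neither obtain an assertion for the real site nor alter one without invalidating the signature.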

Conclusion

In today's evolving threat landscape, multi-factor authentication (MFA), while essential, is no longer sufficient on its own to deter attackers from gaining initial access. Sophisticated threat actors, information security professionals, and hobbyists continually develop tactics to bypass or exploit the MFA process. This underscores the need for a comprehensive, layered approach that adds safeguards such as phishing-resistant authentication, conditional access, continuous monitoring, and proactive response.

By combining these measures, organizations can build a resilient defense that addresses weaknesses in identity and helps prevent breaches before they occur.
