Episode_02

Man-in-the-Middle

Bypassing Microsoft 365 MFA with evilginx
LIVE EVENT: October 19, 2022, 12 p.m. ET


Our incident response team continues to see adversaries use man-in-the-middle attacks to bypass MFA and access critical data; the targets range from rideshare applications to billion-dollar gaming companies.

In our latest episode of Varonis Attack Sims, security analyst Kyle Roth will perform an attack with evilginx to steal data from Microsoft 365, then show you how to use DatAlert to detect and respond. You’ll even get a chance to check out Varonis for Microsoft 365.

How the attack works:

  • We trick a user into entering creds into our fake M365 login page (made with evilginx)
  • We request Microsoft send a passcode to the user’s phone
  • The user then enters their passcode on OUR fake page
  • We hijack the user’s session token
  • From there, we gain access to the SharePoint Online environment and exfiltrate data from M365
  • We pivot to on-prem and steal the CEO’s emails (because why not??)

Kyle Roth

Kyle Roth is a Security Analyst with the Varonis Incident Response Team that is dedicated to first-line incident response and implementation of proactive security measures for Varonis customers. His interests and experience include detection and response, security research, forensic analysis, machine learning and automation, and social engineering. His professional background includes several years of experience with the Department of Defense and critical infrastructure.