Man-in-the-Middle: Bypassing Microsoft 365 MFA with evilginx

Man-in-the-Middle

Bypassing Microsoft 365 MFA with evilginx

LIVE EVENT:

09 March, 2023

4 p.m. GMT

Reserve your spot

AttackSims_EmailIllustration_Man-in-the-Middle-Evilginx

Our incident response team continues to see adversaries use man-in-the-middle attacks to bypass MFA and access critical data; the targets range from rideshare applications to billion-dollar-gaming companies.

In our latest episode of Varonis Attack Sims, security analyst Ed Lin will perform an attack with evilginx to steal data from Microsoft 365, then show you how to use DatAlert to detect and respond. You’ll even get a chance to check out Varonis for Microsoft 365.

How the attack works:

We trick a user into entering creds into our fake M365 login page (made with evilginx)
We request Microsoft send a passcode to the user’s phone
The user then enters their passcode on OUR fake page
We hijack the user’s session token
From there, we gain access to SharePoint Online environment and exfiltrate data from M365
We pivot to on-prem and steal the CEO’s emails (because why not??)

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Brock Bauer

Brock Bauer is a Security Architect from the Incident Response Team at Varonis. He helps our customers achieve their security goals through the Varonis platform by enabling them to detect and respond to threats, reduce their attack surface, and mature their security programs. Brock has a background in Enterprise IT Infrastructure and Computer Science and has worn many technological hats as a helpdesk technician, server admin, analyst, engineer, and architect. Besides cybersecurity, Brock also enjoys the outdoors, video games, reading, and the gym.

Man-in-the-Middle

Bypassing Microsoft 365 MFA with evilginx

Register now