About “Office 365 Man-in-the-Middle Attack Demo”
Presented By Ryan O'Boyle Ryan O'Boyle

Our incident response team is seeing an uptick in adversaries using a very tricky man-in-the-middle attack to bypass MFA and breach Office 365 tenants.

Here’s an outline of how the attack works:

  • We trick a user into entering creds into our fake O365 login page (made with evilginx)
  • We make Microsoft send a passcode to the user’s phone
  • User enters their passcode on OUR fake page
  • We hijack the user’s session token
  • Gain access to SharePoint Online environment
  • Exfiltrate data from O365
  • Pivot to on-prem and steal CEO’s emails (because why not?)
Request Your Own Data Risk Assessment