
You cannot set up passwordless phone sign-in

Why this is the case is best explored using one of the freely available phishing toolkits. As always, seeing is believing, and I always learn best when tinkering myself.

Meet evilginx2

Evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection. This is the official description on the evilginx2 GitHub page. Together with Modlishka it was one of the first easy-to-use reverse proxies that demonstrated that a second factor alone does not protect the user from being phished. Neither project attempts to fool the user with a website that merely looks like the original login website; they use reverse proxy techniques to forward the actual login website (e.g. The phishing website is hosted on some domain the attacker has complete control over, so it is easy to get a valid certificate. evilginx2 even automates this process using the Let's Encrypt certificate service.


Using conditional access you can further protect the accounts, enforcing the need for a second factor, device compliance, location-based restrictions and many more configuration options.

Multi-factor authentication

For multi-factor authentication you can use any of the following methods. Please note that for passwordless phone sign-in, Windows Hello for Business and FIDO2 security keys you cannot enforce a second factor, since those methods are considered strong authentication methods. SMS sign-in, on the other hand, is currently not supported with the requirement for a second factor. It is very important to know that only the three methods mentioned protect your users against phishing attacks.

Microsoft offers a great variety of options to use as your primary authentication method when signing in with your Azure AD identity using a browser.

  • Username and Passwordless phone sign-in.
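The reason FIDO2 security keys (and WebAuthn-based sign-in generally) survive the reverse-proxy technique described on this page, while a code-based second factor does not, is that the assertion is bound to the relying party's origin. The following is an added example, not code from the original post, from Microsoft or from evilginx2; it models the origin-binding checks a WebAuthn relying party performs, and the hostnames, challenge value and helper names are all constructed.

```python
import hashlib
import json

# Added example, not code from the original post. Hostnames, the challenge
# value and the helper names are all constructed for illustration.

def rp_id_hash(rp_id: str) -> bytes:
    """First 32 bytes of WebAuthn authenticatorData: SHA-256 of the RP ID."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()

def build_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags (UP set) || signCount."""
    return rp_id_hash(rp_id) + bytes([0x01]) + sign_count.to_bytes(4, "big")

def build_client_data(challenge: str, origin: str) -> bytes:
    """Constructed clientDataJSON as the browser fills it in for webauthn.get."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode("utf-8")

def verify_assertion_binding(expected_rp_id: str, expected_origin: str,
                             expected_challenge: str, authenticator_data: bytes,
                             client_data_json: bytes) -> bool:
    """Origin-binding checks of a relying party (signature check omitted).

    The browser, not the page, writes the origin into clientDataJSON and scopes
    the RP ID to the page's effective domain, so a login page relayed through a
    reverse proxy on another domain yields an assertion the real RP rejects.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != expected_challenge:
        return False  # replayed or foreign assertion
    if client_data.get("origin") != expected_origin:
        return False  # assertion was made for a different site
    if authenticator_data[:32] != rp_id_hash(expected_rp_id):
        return False  # credential is scoped to a different RP ID
    return bool(authenticator_data[32] & 0x01)  # user-presence flag must be set

def demo() -> tuple:
    """Same challenge: one assertion from the real site, one via a proxy."""
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed value
    rp, origin = "login.example.com", "https://login.example.com"
    genuine = verify_assertion_binding(
        rp, origin, challenge, build_authenticator_data(rp),
        build_client_data(challenge, origin))
    proxied = verify_assertion_binding(
        rp, origin, challenge, build_authenticator_data("proxy.example.net"),
        build_client_data(challenge, "https://proxy.example.net"))
    return genuine, proxied  # (True, False)
```

A real relying party additionally verifies the signature over authenticatorData and the hash of clientDataJSON; the checks shown are the ones that distinguish the genuine site from a relayed copy.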