Okay, let’s start with a disclaimer. This post is created for educational purposes and mainly focuses on red and blue teamers to protect their Microsoft 365 tenants. That being said, Evilginx can be used for all cloud services. Do not use Evilginx for nasty and illegal stuff. I won’t help to fix your Facebook, Instagram, and TikTok phishlets. Feel free to reach out for security tips on Microsoft 365 / Entra ID.
This post will grow over time. If you have anything to add, please reach out to me so I can add it. The goal is to have a single page with the best public resources around Evilginx, focusing mainly on Microsoft 365.
1. Know your stuff
First and foremost, it’s crucial to understand the Evilginx framework deeply. When I started using this tool years ago, I copied and pasted work from others until it worked, without knowing what I did. When my phishlet stopped working (it does from time to time), I could not fix it myself.
So what changed? I learned from the master Kuba Gretzky himself! Kuba recently launched the Evilginx Mastery course, and that really helped me understand the framework inside and out. I won’t go into too much detail about the course, but these are the main things I learned:
- Getting Evilginx running on my local Windows machine so I can easily develop and test
- How to build my own phishlets from scratch
- How to maintain and improve my phishlets
- How to do JS injection, forcing POST parameters, and replacing context
- How to deploy Evilginx on a remote server
- How to set up phishing campaigns
I would really recommend checking out the course so you’ll have a deep understanding of the framework. Warning: it can do epic stuff and is constantly improving.
Other resources to get started
I Stole a Microsoft 365 Account. Here’s How. – YouTube by John Hammond
Evilginx for Office 365 step-by-step guide – YouTube by Jan Bakker
ED91 – Office365 Phishing and Bypassing Azure MFA Protection – YouTube by Jarno Baselier
Introduction | Evilginx by Kuba Gretzky
There are a lot of phishlets out there for Microsoft 365. Some still work, some don’t. Here is a list of the most recent phishlets that are also actively maintained.
4. Red-team tips
How to protect Evilginx using Cloudflare and HTML Obfuscation (jackphilipbutton.com) by Jack Button
How To: Evilginx + BITB | Browser In The Browser without iframes in 2024 – YouTube, and waelmas/frameless-bitb (github.com): “A new approach to Browser In The Browser (BITB) without the use of iframes, allowing the bypass of traditional framebusters implemented by login pages like Microsoft and the use with Evilginx.” by Wael Masri
Stop hackers from stealing your Microsoft 365 user’s passwords – YouTube by Merill Fernando
AiTM/MFA phishing attacks in combination with “new” Microsoft protections (2023 edition) (jeffreyappel.nl) by Jeffrey Appel
https://bleekseeks.com/blog/how-to-protect-against-modern-phishing-attacks by Luke Kavanagh
Enforce phishing-resistant authentication in Microsoft 365 by Microsoft Learn
Token protection/binding in Entra ID by Microsoft Learn
Defending against the Attack of the Clone[d website]s! – Thinkst Thoughts by Jacob Torrey
Using honeytokens to detect (AiTM) phishing attacks on your Microsoft 365 tenant – Zolder B.V. by Wesley Neelen