Okay, let’s start with a disclaimer. This post is created for educational purposes and mainly focuses on red and blue teamers to protect their Microsoft 365 tenants. That being said, Evilginx can be used for all cloud services. Do not use Evilginx for nasty and illegal stuff. I won’t help to fix your Facebook, Instagram, and TikTok phishlets. Feel free to reach out for security tips on Microsoft 365 / Entra ID.
This post will grow over time. If you have anything to add, please reach out to me so I can add it. The goal is to have a single page with the best public resources around Evilginx, focusing mainly on Microsoft 365.
1. Know your stuff
First and foremost, it’s crucial to understand the Evilginx framework deeply. When I started using this tool years ago, I copied and pasted work from others until it worked, without knowing what I did. When my phishlet stopped working (it does from time to time), I could not fix it myself.
So what changed? I learned from the master Kuba Gretzky himself! Kuba recently launched the Evilginx Mastery, and that really helped me understand the framework inside and out. I won’t go into too much detail about the course, but these are the main things I learned:
- Getting Evilginx running on my local Windows machine so I can easily develop and test
- How to build my own phishlets from scratch
- How to maintain and improve my phishlets
- How to do JS injection, forcing POST parameters, and replacing context
- How to deploy Evilginx on a remote server
- How to set up phishing campaigns
I would really recommend checking out the course so you’ll have a deep understanding of the framework. Warning: it can do epic stuff and is constantly improving.
Use this 50% discount code at the checkout: BLACKFRIDAY
If you’re on a tighter budget, I recommend the Evilginx Professional Masterclass (2024) course from Simpler.
https://www.simplerhacking.com/?ref=186519
Other resources to get started
I Stole a Microsoft 365 Account. Here’s How. – YouTube by John Hammond
Evilginx for Office 365 step-by-step guide – YouTube by Jan Bakker
ED91 – Office365 Phishing and Bypassing Azure MFA Protection – YouTube by Jarno Baselier
Introduction | Evilginx by Kuba Gretzky
2. Phishlets
There are a lot of phishlets out there for Microsoft 365. Some still work, some don’t. Here is a list of the most recent phishlets that are also actively maintained.
Microsoft 365
Microsoft 365 for ADFS (created by Daniel Underhay)
3. Installation
Evilginx can be set up locally and on a remote server.
Running Evilginx 3.0 on Windows – JanBakker.tech
Here’s a cool batch script from Daniel Underhay that will automate your installation on Linux.
Need a VPS? Get yourself a droplet at DigitalOcean for only a few bucks per month!
Need a phishy domain? Get yourself a new domain at Namecheap!
4. Red-team tips
How to protect Evilginx using Cloudflare and HTML Obfuscation (jackphilipbutton.com) by Jack Button
How To: Evilginx + BITB | Browser In The Browser without iframes in 2024 – YouTube and waelmas/frameless-bitb: A new approach to Browser In The Browser (BITB) without the use of iframes, allowing the bypass of traditional framebusters implemented by login pages like Microsoft and the use with Evilginx. (github.com) by Wael Masri
5. Defending
Stop hackers from stealing your Microsoft 365 user’s passwords – YouTube by Merill Fernando
AiTM/ MFA phishing attacks in combination with “new” Microsoft protections (2023 edition) (jeffreyappel.nl) by Jeffrey Appel
https://bleekseeks.com/blog/how-to-protect-against-modern-phishing-attacks by Luke Kavanagh
Enforce phishing-resistant authentication in Microsoft 365 by Microsoft Learn
Token protection/binding in Entra ID by Microsoft Learn
6. Detecting
Defending against the Attack of the Clone[d website]s! – Thinkst Thoughts by Jacob Torrey
Using honeytokens to detect (AiTM) phishing attacks on your Microsoft 365 tenant – Zolder B.V. by Wesley Neelen
7. The next big thing: passkeys
First look: Microsoft Authenticator goes phishing resistant with passkeys (2 min demo) – YouTube
Get started with passkeys in Microsoft 365 – JanBakker.tech