Evilginx2 + AiTM Phishing: How Modern Attacks Defeat MFA

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 25, 2026
3 min read

Last updated: April 26, 2026

Adversary-in-the-Middle (AiTM) phishing — using tools like Evilginx2 — defeats traditional MFA by capturing both credentials and session cookies during the auth flow. AiTM-driven account takeover is the dominant phishing technique against Indian enterprise in 2024-2026, especially against M365 / Google Workspace targets. This article covers how AiTM works, how to detect it, and the defences that actually stop it (FIDO2, conditional access, session-binding).

How AiTM phishing works

Traditional phishing harvests credentials. The attacker submits them later. Modern MFA (TOTP, push) blocks this — attacker needs the second factor.

AiTM solves this by proxying the entire auth flow:

  1. Attacker stands up a phishing page that proxies in real time to legitimate target (login.microsoftonline.com, accounts.google.com)
  2. Victim visits attacker’s phishing URL, enters credentials
  3. Phishing proxy forwards credentials to legitimate IdP, gets back MFA prompt
  4. Victim sees the MFA prompt (genuinely from their IdP) and approves
  5. IdP issues session cookie to phishing proxy
  6. Attacker captures the session cookie and replays it to access the user’s account — without ever needing MFA themselves

Tools: Evilginx2 (open source), Modlishka, EvilProxy, Tycoon (commercial AiTM-as-a-service).

Why MFA didn’t save us

The attacker doesn’t bypass MFA — they let the victim complete it. The victim’s MFA approval gives the IdP confidence to issue the session cookie. The session cookie is what the attacker steals. From there, the attacker uses the cookie directly; no further auth required for the cookie’s lifetime.

Detection — what works

  • Impossible-travel detection — session cookie in use from two distant locations. Most IdPs (Entra, Google, Okta) flag this. Sometimes too slow to prevent harm but useful for forensic review.
  • Geo-IP anomaly — login from countries the user has never visited.
  • Sign-in risk scoring — Entra ID’s sign-in risk includes AiTM indicators (unfamiliar IP, unfamiliar user agent, anonymous proxy).
  • URL filtering — phishing URLs hosted on look-alike domains. Block at email gateway, DNS firewall, browser policies.
  • Email security with link-rewriting — Microsoft Defender, Mimecast, Proofpoint all detonate links in sandboxes. Some catch AiTM by scanning the destination’s behaviour.

The actual fixes

1. FIDO2 / passkeys

FIDO2 binds the authentication ceremony to the legitimate origin (specifically the destination URL via WebAuthn). When the victim’s FIDO2 key is asked to authenticate to microsoftonline.com, it produces a credential bound to that origin. The attacker’s phishing proxy on login.microsoftonline.attacker.com never receives a valid credential because the origin doesn’t match.

FIDO2 is the only durable AiTM defence. Roll it out for administrators first; users second.

2. Conditional access binding

Entra ID Conditional Access policies that require:

  • Compliant device + MFA for sensitive resources
  • Geo-fence to expected countries
  • Block legacy authentication entirely
  • Require re-authentication for high-risk sign-ins

Even if AiTM captures a session cookie, replaying it from a non-compliant device fails CA policy.

3. Token Protection (Entra) / equivalent

New feature in Entra ID — binds the issued session token to the device that performed the auth. Replaying the token from a different device fails. Microsoft is rolling out broadly through 2024-25.

4. Short session lifetimes

Reduce session token lifetime from days to hours. Forces re-auth more frequently. Trade-off: user friction, but AiTM stolen cookies have shorter exploit window.

The phishing kit ecosystem

Evilginx2 is the open-source baseline. Commercial AiTM-as-a-service (Tycoon, EvilProxy, Greatness) sells phishing kits with pre-configured M365 and Google templates, evasion features, and operator dashboards. Subscription pricing $250-$1000/month. Used heavily in the Indian threat landscape against fintech and BFSI customer-facing portals.

Defender priorities

  1. Roll out FIDO2 — administrators first, all users within 12 months
  2. Deploy Conditional Access with device-compliance + geo-fence
  3. Enable Token Protection where available
  4. Email security with link detonation
  5. Phishing-awareness training with AiTM-specific content (training that teaches “look at the URL” is partially obsolete; training that teaches “use FIDO” is durable)
  6. SIEM rules for impossible travel, anonymous-proxy authentication, sign-in risk anomalies

Compliance angle

  • RBI Cyber Framework — phishing-resistant MFA expectations growing
  • SEBI CSCRF — Q-RE / MII admin authentication should be phishing-resistant
  • DPDP §8(5) — accounts protected only by SMS/TOTP MFA fail modern reasonable-security tests

The takeaway

AiTM phishing made traditional MFA insufficient. FIDO2 / passkeys are the durable defence. Roll them out faster than AiTM kits can compromise your administrative accounts. The next 18 months are critical — organisations on FIDO2 are safe; organisations still on TOTP/SMS will see AiTM-driven breaches.

Need a real pentest?

Get a VAPT scoping call

Senior practitioner-led VAPT — not a checklist run by juniors. CVSS-scored findings, free retest, attestation letter. India's SMBs and SaaS teams.

Book VAPT scoping call Replies in 4 working hrs · India-only · Senior consultants