how to use Evilginx2 to grab session tokens and bypass Multi-factor authentication

Evilginx2 with o365 phishlet enabled

Today I want to show you a demo that I recorded on how you can use the amazing tool Evilginx2 (by Kuba Gretzky) to bypass Multi-Factor Authentication (MFA). In the demo I used Evilginx on a live Microsoft 365/Office 365 environment but It can be used on almost any site that doesn’t use a more safe MFA solution such as FIDO2 security keys, certificate based authentication or stuff like Windows Hello for Business.

The reason why I recorded the video was to have a video demonstration to show friends and colleagues that keep thinking that MFA is the universal solution to all worlds problems. I want to demonstrate that there are no bulletproof solutions and that we need to think about security everywhere in all layers.

Link to the video:

Like I said in the video the demo was on a Microsoft 365 environment but Evilginx2 works for most sites out there. It works on all Microsoft 365 environments by default but it can be prevented with Microsofts security feature Conditional Access. To prevent it you can for example configure your environment to only allow logins from enrolled/domain joined devices. I highly recommend you doing that.

The tool is easy to install, just follow the installation instructions in the github project. You may have to do some modifications to the .yaml-files for the phishlets since companies like Microsoft make some changes from time to time. I had to do it for this demo and if you have to do it I recommend you to just analyze the login process step-by-step with a tool like Burp Suite to check which cookies you need to grab and so on. There is a great wiki-page in the Github project so you can see how you should configure your phishlets. Thanks

You should of course not use Evilginx2 anywhere without permission since that is illegal in most countries. Only use it in locked down demo environments or in penetration testing scenarios where you have written permission from the client.

If you have any questions, feel free to contact me on twitter @tzusec.

// Rickard Carlsson

What is DKIM and how do you enable IT in Microsoft 365?

What is DKIM?

DKIM stands for DomainKeys Identified Mail and is an email autentication method. It helps the receiving mail server to verify whether an email have been sent from an allowed email server or not.

The idea of DKIM is that the senders email servers are signing all outgoing messages with asymmetric encryption. The receiving email servers can then easily verify the email signing with help of the senders public key that are being stored in the sending domains DNS.

If users would need to manually sign messages and manually verify all messages it would be a pain in the ass for them and no one would use it. Nowadays most modern email systems have built-in support for DKIM to make the process smooth and automated.

How to enable DKIM?

The implementation of DKIM is different for different vendors but the idea is the same. The senders generates a asymmetric key pair and signs all outgoing emails. The receiver of the email can use the senders public key to verify that the email were signed by the correct server. Microsofts email cloud service Exchange Online is very popular so I will now describe how you can enable DKIM signing in Microsoft 365.

Enable DKIM signing in Microsoft 365

Microsoft 365 have built-in support for DKIM signing. This guide will show you how easy it is to enable and configure.

  1. Step one is to browse and login to the following site: https://security.microsoft.com/dkimv2
  2. You will now see an overview of all of your accepted domains of your tenant, click on the domain you want to enable DKIM for:

  3. Press “Sign messages for this domain with DKIM signatures”

  4. You will now get a pop-up windows which instructs you to create two CNAME post in your DNS. Copy these instructions and login to your DNS provider
  5. Create and publish the two CNAME posts in you DNS based on the instructions, usually it is by the following format:
    1. Selector 1
      • Name: selector1._domainkey
      • Type: CNAME
      • Value: selector1-<customDomainIdentifier>._domainkey.<initialDomain>
        • Example: selector1-tzusec-com._domainkey.tzusec.onmicrosoft.com
      • TTL: 3600
    2. Selector 2
      • Name: selector2._domainkey
      • Type: CNAME
      • Value: selector2-<customDomainIdentifier>._domainkey.<initialDomain>
        • Example: selector2-tzusec-com._domainkey.tzusec.onmicrosoft.com
      • TTL: 3600
  6. When the post have been published go back to the DKIM page in Microsoft 365 and press “Sign messages for this domain with DKIM signatures” again.
  7. When Microsoft have verified that the CNAME posts are correct signing will be enabled and you have successfully enabled DKIM signing for all of your outgoing emails, great job!

The next step is to verify that the signing works correctly and you can do that manually by inspecting the headers of an email sent from the email server. I will describe how you can do that in a future blog. Feel free to contact me on twitter if you have any questions.

// Rickard Carlsson

Copyright © 2022