Lessons Learned from an Evilginx Phishing Attack


Introduction + What Happened

A common message I hear from our customers is "I am too small to be targeted". Well, let me tell you that hackers, attackers, or whatever you want to call them, DO NOT CARE how big or small you are. They attack you because you are a potential source of revenue, or a way to disrupt your business.

This is exactly what happened to us. We are a small IT MSP with 25 users, and we understand the importance of security and education, so we do a lot of security-based training for our end users. We teach our users about phishing and how to recognise a phishing email. However, one of our internal users still fell victim to a phishing email. It came from one of our partners, whose mailbox had been compromised; the attacker used that mailbox to send the email to one of our internal users.

Looking at the email, it looked 100% genuine: it came from a partner he recognised and read like a real message. It said that the partner had attempted to get in touch but could not get hold of him, and that there was a Teams voicemail waiting for him to listen to. It all sounded plausible, so the user clicked the link, which then presented this page:

From the user's perspective, this looks legitimate. The user enters their username and password and completes MFA using the Microsoft Authenticator app, entering the code presented on the screen. At this point they are not presented with a blank page, so they think nothing more of it.

What they don't realise is that their M365 credentials have just been phished 🎣! This was more than likely done with a tool called Evilginx, a reverse-proxy phishing tool that relays the real login page to the user and captures both the credentials and the resulting session token, which is how it bypasses traditional security measures, including two-factor authentication. So, in this article, I am sharing the lessons I/we learned and what we did to try and prevent this from happening again.

Investigation and Response

Detection

We didn't receive any alerts about impossible travel, even though the attacker's IP was somewhere in South America. The location itself doesn't really matter, as they could have been using a VPN to mask their real IP. The real issue is that at this point we didn't have Entra ID P2, so we got no emails or alerts about impossible travel at all.

The attacker had phished the user a week before sending a mass email to everyone on the user's contact list. We can tell from the M365 logs that, immediately after phishing the credentials and the MFA session token, the attacker registered their own phone as an MFA method so that they could keep accessing the user's account. So, a week later, the first I knew that something untoward was happening was when I received this email from M365:

I immediately dropped everything I was doing and disabled the user's account. We have a rule in M365 that prevents mass email sending (hence the above alert), but unfortunately, it didn't catch everything, so some of our customers and partners received the email.
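The two signals described above, an MFA method registered shortly after a sign-in from an unfamiliar country and a burst of outbound mail, are both cheap to hunt for in exported logs even without Entra ID P2. The script below is an added example (not the author's code, not CIPP, and not a Microsoft tool): the records are constructed to resemble Entra ID sign-in and audit log exports and an Exchange message trace, and the field names (`user`, `time`, `country`, `activity`) are assumptions you would map onto your own export format.

```python
"""Hunt for post-phish persistence and mass-mail bursts in exported M365 logs.

Added example. Field names are assumptions; the sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed sample data (not real tenant data) -------------------------
SIGN_INS = [
    {"user": "alice@example.com", "time": "2024-05-01T09:10:00", "country": "GB", "result": "success"},
    {"user": "alice@example.com", "time": "2024-05-01T11:42:00", "country": "BR", "result": "success"},
]
# "User registered security info" is the Entra ID audit activity written when
# a user (or whoever holds their session) adds an MFA method.
AUDIT = [
    {"user": "alice@example.com", "time": "2024-05-01T11:45:00", "activity": "User registered security info"},
    {"user": "bob@example.com", "time": "2024-05-01T08:00:00", "activity": "User registered security info"},
]
# Countries each user normally signs in from (build this from a quiet baseline period).
KNOWN_COUNTRIES = {"alice@example.com": {"GB"}, "bob@example.com": {"GB"}}

# Message trace rows: (sender, sent time, recipient). 120 messages in 20 minutes.
_start = datetime(2024, 5, 8, 10, 0, 0)
MAIL = [("alice@example.com", (_start + timedelta(seconds=10 * i)).isoformat(),
         f"contact{i}@partner.example") for i in range(120)]
MAIL.append(("bob@example.com", "2024-05-08T10:05:00", "someone@example.net"))


def parse(ts):
    return datetime.fromisoformat(ts)


def suspicious_mfa_registrations(sign_ins, audit, known_countries, window_hours=24):
    """Return (user, registration time, country) for every MFA registration that
    follows, within window_hours, a successful sign-in from a country the user
    has never signed in from before. This is the persistence step the attacker
    took in the incident above."""
    hits = []
    for rec in audit:
        if rec["activity"] != "User registered security info":
            continue
        reg_time = parse(rec["time"])
        baseline = known_countries.get(rec["user"], set())
        for s in sign_ins:
            if s["user"] != rec["user"] or s["result"] != "success":
                continue
            delta = reg_time - parse(s["time"])
            if timedelta(0) <= delta <= timedelta(hours=window_hours) and s["country"] not in baseline:
                hits.append((rec["user"], rec["time"], s["country"]))
                break
    return hits


def mass_mail_bursts(mail, threshold=50, window_minutes=60):
    """Return {sender: peak messages in any sliding window} for senders whose
    peak reaches threshold. A sliding window catches bursts that a fixed
    hourly bucket would split across two buckets."""
    by_sender = defaultdict(list)
    for sender, ts, _recipient in mail:
        by_sender[sender].append(parse(ts))
    bursts = {}
    for sender, times in by_sender.items():
        times.sort()
        best, left = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > timedelta(minutes=window_minutes):
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            bursts[sender] = best
    return bursts


if __name__ == "__main__":
    for user, when, country in suspicious_mfa_registrations(SIGN_INS, AUDIT, KNOWN_COUNTRIES):
        print(f"MFA method registered for {user} at {when} after sign-in from {country}")
    for sender, peak in mass_mail_bursts(MAIL).items():
        print(f"{sender} sent {peak} messages within one hour")
```

Run it on a real export by replacing the constructed lists with rows from the sign-in log, the audit log and a message trace. The MFA-registration check is the one worth wiring into an alert: in this incident it fired a week before the mass mail did.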

Containment and Recovery

We acted swiftly to contain the breach. Immediate steps included:

  • We used a tool called CIPP (which we are HUGE fans of) to perform a BEC (Business Email Compromise) remediation, which does the following in one simple step:
  • We also conducted a thorough review of the access logs to identify any further unauthorized activity. Thankfully, the attacker did nothing other than send the email: no data was exfiltrated, and no data was lost.

Lessons Learned

Awareness of Advanced Phishing Techniques

This incident highlighted that even well-trained users can fall victim to advanced phishing attacks. Traditional security training often focuses on generic threats and may not cover sophisticated techniques like those employed by Evilginx.

Importance of Continuous Education

We recognized the need for ongoing cybersecurity training that evolves with emerging threats. Regular updates and refreshers can help keep security top-of-mind and equip our team with the knowledge to recognize and avoid advanced phishing attempts.

Enhancing Security Measures

Relying solely on passwords and two-factor authentication is no longer sufficient. Attackers are finding ways to circumvent these measures, so we must adopt stronger, more resilient security protocols.

Preventative Measures

We have since taken the following actions:

  • We have deployed several new Conditional Access policies which check for things like device compliance. This means that even if the attacker has the username, password and MFA session token, they won't be able to access any of our corporate resources, as their workstation won't be marked as compliant and access is denied instantly.
  • We have deployed Entra ID P2 across all of our users and also created some Conditional Access policies that make use of the risk profiles for risky users and risky sign-ins.
  • We have connected an MDR with M365 security monitoring capabilities, so we will now instantly receive security alerts. We have also double-checked that the notifications are set up correctly in M365 to ensure that we don't miss anything!
  • We have started testing phishing-resistant MFA using passkeys in the Microsoft Authenticator app (which, at the time of writing this article, is in preview): How to enable passkeys in Microsoft Authenticator for Microsoft Entra ID (preview) - Microsoft Entra ID
  • We are also testing phishing-resistant MFA with YubiKeys.
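The first and fourth bullets above are one Conditional Access policy: grant access only when the device is compliant or the user satisfies the phishing-resistant authentication strength. The script below is an added example (not the author's policy and not a Microsoft sample) that builds that policy as a Microsoft Graph request body, lints it for the two mistakes that bite small tenants, and creates it in report-only mode. The break-glass object id is a placeholder, and the built-in "Phishing-resistant MFA" strength id is my assumption; confirm it in your tenant with `GET /identity/conditionalAccess/authenticationStrength/policies` before enforcing.

```python
"""Build and lint a Conditional Access policy: compliant device OR phishing-resistant MFA.

Added example. GRAPH_TOKEN (a bearer token with Policy.ReadWrite.ConditionalAccess)
is read from the environment; without it the policy is only printed.
"""
import json
import os
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Built-in authentication strength "Phishing-resistant MFA" (assumption: verify in your tenant).
PHISHING_RESISTANT_MFA_ID = "00000000-0000-0000-0000-000000000004"


def build_policy(name, break_glass_ids, enforce=False):
    """Return the Graph conditionalAccessPolicy body. Report-only by default so the
    sign-in log shows who would have been blocked before anyone actually is."""
    return {
        "displayName": name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            # OR: a managed, compliant device is enough; an unmanaged device must
            # present a passkey or FIDO2 key. A replayed session token satisfies neither.
            "operator": "OR",
            "builtInControls": ["compliantDevice"],
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_ID},
        },
    }


def policy_gaps(policy):
    """Return the weaknesses a reviewer should reject before the policy is enabled."""
    gaps = []
    grant = policy.get("grantControls", {})
    controls = set(grant.get("builtInControls", []))
    if not policy["conditions"]["users"].get("excludeUsers"):
        gaps.append("no break-glass account excluded: a bad policy can lock every admin out")
    if "compliantDevice" not in controls and "authenticationStrength" not in grant:
        gaps.append("grants on password + MFA only: a proxied session token satisfies this")
    return gaps


def create_policy(policy, token):
    """POST the policy to Graph and return the created object."""
    req = urllib.request.Request(
        GRAPH_URL,
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_policy(
        "CA - Require compliant device or phishing-resistant MFA",
        ["<break-glass-account-object-id>"],  # placeholder
    )
    problems = policy_gaps(policy)
    if problems:
        raise SystemExit("refusing to create policy: " + "; ".join(problems))
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        print("created", create_policy(policy, token)["id"])
    else:
        print(json.dumps(policy, indent=2))
```

Leave the policy in report-only mode for a week or two, review the "report-only" results in the sign-in log, and only then flip `enforce=True`. The lint function is there because the two gaps it checks for are exactly the ones that turn a good idea into an outage (no excluded break-glass account) or a false sense of security (a grant that a stolen session token still satisfies).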

Additionally, we need to ensure that our users are consistently aware of evolving phishing attacks that look increasingly genuine. One of the things that I learned was that we need to do more phishing attack simulations using platforms like BullPhish or GoPhish.

The developer who wrote Evilginx has also forked GoPhish so that you can see directly which users go through the whole authentication cycle, whether on M365 or some other platform that you want to train your users against:

GitHub - kgretzky/gophish: Open-Source Phishing Toolkit

Conclusion

My conclusion is that just because you have MFA doesn't mean you are secure. Yes, enabling MFA is 100% the right thing to do on EVERY platform that you use, but attackers are exploiting the weaknesses that come with MFA. If you are worried about the security of your M365 platform, I urge you to take on board some of the advice in this blog post. This is what I want you to do if you are reading this:

  • Check your Conditional Access policies. Are you checking for compliant devices? Are you blocking device platforms that you don't trust? I really urge you to check these now!
  • Take a look at phishing-resistant MFA like YubiKeys. They are really inexpensive (around £20 per key), and they will stop credential phishing attacks.
  • Are your users being trained to spot phishing attacks? Can they stop and think, before clicking on any link, that it might be a phishing attempt? Phishing campaigns and user training are paramount. You might have all the technology to stop attacks, but the human element is always the weakest link in your security chain, so DO NOT forget to educate your users!