Beginner Friendly | red team | azure

Bypass Azure MFA with Evilginx

Adversary-in-the-middle frameworks, like Evilginx, can exploit even the smallest gaps to gain a foothold in an environment.

Overview

As network perimeters harden, threat actors increasingly target users to bypass external defenses. In this fun lab we'll get hands-on with phishing and capturing cloud credentials using the Evilginx adversary-in-the-middle (AITM) framework, and learn how this could have been prevented.

Scenario

We're on a red team engagement for the consumer tech titan Mega Big Tech. Social engineering, on-prem and the cloud are all in scope. We have identified a target for our spear phishing. Can you show Mega Big Tech how their defenses may not be good enough?

Lab prerequisites

  • Familiarity with the Windows and Linux CLI
  • Familiarity with Azure

Learning outcomes

  • Set up and configure an Evilginx phishing server
  • Capture login credentials using Evilginx
  • Bypass MFA (multi-factor authentication) controls using GraphRunner
  • Perform token abuse using TokenTacticsV2
  • Enumerate and exploit an Azure Container App
  • Move laterally using a managed identity
  • Exfiltrate data from Cosmos DB with Table API enabled

Real-world context

Evilginx is a popular and modern phishing framework. Development of this framework has helped improve the detection capability and overall robustness of leading cloud platforms and SaaS providers, who look to defend against this modern phishing tradecraft. MFA is often deployed, but this lab will show how even the smallest enablement gap can allow threat actors to gain a foothold in an environment. Container Apps are a popular Azure service, and we will examine how we can use Container App features to our advantage.

