Entra.Chat Podcast - Episode 2
In this episode, we dive into the sophisticated world of phishing attacks with Kuba Gretzky, creator of the renowned Evilginx framework.
He shares insights on how Evilginx operates as a reverse proxy, capturing authentication tokens in real-time, and discusses the ethical considerations of creating such a powerful tool.
Most importantly, Kuba provides valuable guidance on protection strategies that organizations can implement to defend against these advanced phishing techniques.
Subscribe with your favorite podcast player or watch on YouTube 👇
❤️ Key Links
BREAKDEV Blog → breakdev.org
Evilginx Pro → evilginx.com
Evilginx Mastery Course → academy.breakdev.org/evilginx-mastery
Related Links
YouTube: Stop hackers from stealing your Microsoft 365 user's passwords
YouTube Microsoft 425 Show | Evilginx: How Threat Actors Perform Phishing and Token Theft Attacks
00:00 - Introduction to Kuba and Evilginx
Creator of Evilginx, a phishing framework demonstrating MFA vulnerabilities
15+ years in cybersecurity, started with MMO game hacking
Transitioned through reverse engineering to cybersecurity
02:03 - Understanding Phishing Fundamentals
Phishing presents fake sign-in pages to capture user credentials
Even 7-year-olds now learn about phishing dangers in school
03:39 - How Evilginx Works Technically
Functions as a reverse proxy between user and legitimate server
Creates dual TLS connections to intercept all communications
Captures authentication tokens for complete account takeover
05:55 The Evolution of Phishing Tools
Evolved from experiments with cookie manipulation
Improved upon older tools that required malware installation
Developed from Nginx with Lua scripting to standalone Go application
10:37 Evilginx's Impact and Popularity
Gained traction through demonstrating MFA vulnerabilities
Creates "shock factor" when users see how easily accounts are compromised
Emerged alongside other tools but distinguished by ease of demonstration
12:25 Real-World Phishing Examples
Sophisticated attacks use browser-in-browser techniques
High-profile victims include Linus Tech Tips YouTube channel
Attackers leverage urgency and fear to bypass security awareness
16:23 Protecting Against Evilginx Attacks
Implement domain verification checks through JavaScript
Deploy "shadow tokens" with browser fingerprinting
Utilize conditional access policies and FIDO2/passkeys
22:57 - Detecting Evilginx Attacks
HTTP header inspection can identify attack signatures
TLS fingerprinting (JA4) detects unusual connection patterns
Cloudflare and other services block suspicious proxy connections
27:33 - User Education and Psychological Factors
Focus on recognizing psychological triggers like urgency
Reward reporting rather than punishing victims
Teach users to access websites directly rather than through email links
31:01 - Ethical Considerations and Responsible Development
Implemented vetting process for Evilginx Pro access
Built anti-cracking protections to prevent misuse
Created trusted community for responsible information sharing
36:43 - Future Developments and Evilginx Pro
New client-server architecture with API for automation
Features include bot protection and shadow token bypass capabilities
Established BreakDev as company with plans for security software platform
🎓 Key Takeaways
Modern phishing attacks like those enabled by Evilginx can bypass MFA by acting as a proxy in real-time.
The strongest protections include device compliance, FIDO2/passkeys, and domain verification checks.
Organizations should implement conditional access policies that verify device identity, not just user identity.
User education should focus on recognizing urgency tactics rather than just checking URLs.
Shadow tokens that include browser fingerprinting and domain information show promise as protection methods.
Ethical security tools require responsible handling - vetting processes to help prevent misuse.
Security awareness demonstrations with tools like Evilginx help stakeholders understand risks and invest in protections.
Share this post