Home

Defending against the EvilGinx2 MFA Bypass

%3CLINGO-SUB%20id%3D%22lingo-sub-501719%22%20slang%3D%22en-US%22%3EDefending%20against%20the%20EvilGinx2%20MFA%20Bypass%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-501719%22%20slang%3D%22en-US%22%3E%3CP%3EAll%2C%3C%2FP%3E%3CP%3EThis%20is%20a%20educational%20post%20on%20how%20Azure%20Conditional%20Access%20can%20defend%20against%20man-in-the-middle%20software%20designed%20to%20steal%20authentication%20tokens.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fbreakdev.org%2Fevilginx-2-next-generation-of-phishing-2fa-tokens%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEvilGinx2%26nbsp%3B%3C%2FA%3Eis%20a%20simple%20tool%20that%20runs%20on%20a%20server%20and%20allows%20attackers%20to%20bypass%20the%20%22Always%20ON%22%20MFA%20that%20comes%20built%20into%20Office%20E1%2FE3%20plans.%20It%20is%20effective%20against%20both%20SMS%2FText%20and%20MSFT%20Authenticator%20App%20(aka%20User%20Authentication).%26nbsp%3B%3C%2FP%3E%3CP%3ELast%20weekend%20I%20tested%2013%20Microsoft%20solutions%20and%20found%206%20that%20are%20effective%20at%20blocking%20EvilGinx2%20using%20mostly%20Machine%20Authentication.%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20we%20want%20to%20raise%20awareness%3A%20If%20you%20are%20doing%20only%20user-authentication%20today%2C%20it's%20important%20to%20plan%20to%20include%20additional%20factors%20such%20as%20machine%20authentication%20like%20Hybrid%20Domain%20Join%20or%20Intune%20UEM%20compliance%20checking%2C%20or%20certificate-based-authentication%20using%20the%20EMS%20E5%20feature%3A%20Microsoft%20Cloud%20App%20Security%20Conditional%20Access%20App%20Control%20(say%20that%20three%20times%20really%20fast!).%20U2F%20is%20also%20effective%20(check%20out%20the%20blog%20for%20all%20the%20tests%20we%20ran).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20a%20two-part%20blog%20series%20where%20we%20publish%20our%20test%20results.%20We%20strongly%20recommend%20clients%20upgrade%20to%20AAD%20P1%20or%20EMS%20E3%20to%20provide%20the%20best%20protection%20against%20MFA%20bypass.%20We%20learned%20in%20Microsoft's%20latest%20quarterly%20earnings%20that%20there%20are%20180%20million%20total%20Office%20365%20subscribers%2C%20but%20only%20100%20million%20EMS%20subscribers.%20That%20means%20there%20is%20a%20gap%20of%2080%20million%20that%20need%20help%20transitioning%20to%20EMS.%20And%20also%20100%20million%20that%20may%20need%20help%20transitioning%20from%20user%20authentication%20to%20also%20include%20machine%20authentication%20(if%20they%20haven't%20already).%20So%20there%20is%20a%20huge%20partner%20opportunity%20to%20solve%20this%20problem%20as%20well.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fwww.thecloudtechnologist.com%2Foffice-365s-mfa-is-vulnerable-to-evilginx2%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EBlog%20post%201%3C%2FA%3E%20-%20highlights%20%3CA%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Dk4bq5A-icBw%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20Youtube%20video%3C%2FA%3E%20showing%20the%20effectiveness%20of%20EvilGinx%20against%20Office%20E3%20%22Always%20On%20MFA%22%3C%2FP%3E%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fwww.thecloudtechnologist.com%2Fdefending-against-evilginx2-in-office-365%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EBlog%20post%202%3C%2FA%3E%20-%20highlights%20several%20ways%20EMS%20can%20block%20EvilGinx.%20Includes%20several%20recommendations%20to%20Microsoft%20for%20improvement%2C%20and%20several%20recommendations%20for%20customers%20too.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-501719%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EEMS%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Frequent Contributor

All,

This is a educational post on how Azure Conditional Access can defend against man-in-the-middle software designed to steal authentication tokens. EvilGinx2 is a simple tool that runs on a server and allows attackers to bypass the "Always ON" MFA that comes built into Office E1/E3 plans. It is effective against both SMS/Text and MSFT Authenticator App (aka User Authentication). 

Last weekend I tested 13 Microsoft solutions and found 6 that are effective at blocking EvilGinx2 using mostly Machine Authentication. 

So we want to raise awareness: If you are doing only user-authentication today, it's important to plan to include additional factors such as machine authentication like Hybrid Domain Join or Intune UEM compliance checking, or certificate-based-authentication using the EMS E5 feature: Microsoft Cloud App Security Conditional Access App Control (say that three times really fast!). U2F is also effective (check out the blog for all the tests we ran).

 

This is a two-part blog series where we publish our test results. We strongly recommend clients upgrade to AAD P1 or EMS E3 to provide the best protection against MFA bypass. We learned in Microsoft's latest quarterly earnings that there are 180 million total Office 365 subscribers, but only 100 million EMS subscribers. That means there is a gap of 80 million that need help transitioning to EMS. And also 100 million that may need help transitioning from user authentication to also include machine authentication (if they haven't already). So there is a huge partner opportunity to solve this problem as well.

 

Blog post 1 - highlights this Youtube video showing the effectiveness of EvilGinx against Office E3 "Always On MFA"

Blog post 2 - highlights several ways EMS can block EvilGinx. Includes several recommendations to Microsoft for improvement, and several recommendations for customers too.

 

Related Conversations
Extentions Synchronization
Deleted in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
36 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies