Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Defending against the EvilGinx2 MFA Bypass

Steel Contributor

All,

This is a educational post on how Azure Conditional Access can defend against man-in-the-middle software designed to steal authentication tokens. EvilGinx2 is a simple tool that runs on a server and allows attackers to bypass the "Always ON" MFA that comes built into Office E1/E3 plans. It is effective against both SMS/Text and MSFT Authenticator App (aka User Authentication). 

Last weekend I tested 13 Microsoft solutions and found 6 that are effective at blocking EvilGinx2 using mostly Machine Authentication. 

So we want to raise awareness: If you are doing only user-authentication today, it's important to plan to include additional factors such as machine authentication like Hybrid Domain Join or Intune UEM compliance checking, or certificate-based-authentication using the EMS E5 feature: Microsoft Cloud App Security Conditional Access App Control (say that three times really fast!). U2F is also effective (check out the blog for all the tests we ran).

 

This is a two-part blog series where we publish our test results. We strongly recommend clients upgrade to AAD P1 or EMS E3 to provide the best protection against MFA bypass. We learned in Microsoft's latest quarterly earnings that there are 180 million total Office 365 subscribers, but only 100 million EMS subscribers. That means there is a gap of 80 million that need help transitioning to EMS. And also 100 million that may need help transitioning from user authentication to also include machine authentication (if they haven't already). So there is a huge partner opportunity to solve this problem as well.

 

Blog post 1 - Introducing the effectiveness of EvilGinx against Office E3 "Always On MFA"

Blog post 2 - highlights several ways EMS can block EvilGinx. Includes several recommendations to Microsoft for improvement, and several recommendations for customers too.

 

2 Replies

@Joe Stocker Hello. Please note that the video in YouTube for part 1 is no longer accessible ("This video has been removed for violating YouTube's Community Guidelines"). Could you please provide an alternate access? Thank you!

This video is even better than what Youtube took down. https://www.youtube.com/watch?v=QRyinxNY0fk