Part 3 - Inside the Attacker's Toolkit: Advanced Phishing Frameworks and Infrastructure

Introduction

This is Part 3 of our six-part series on phishing attacks and defences. Part 1 provided an overview of the series, while Part 2 explored the various types of phishing attacks organisations face today.

As security awareness has improved and organisations have deployed increasingly sophisticated defences, including multi-factor authentication (MFA), threat actors have evolved their techniques and tools in response. Understanding the advanced frameworks used in modern phishing campaigns is essential for security professionals who need to develop effective countermeasures.

In this third instalment of our series, we'll take a technical deep dive into the sophisticated tools threat actors use to execute phishing attacks, with particular focus on frameworks that can bypass traditional MFA solutions. This knowledge is crucial for understanding why certain defensive measures succeed while others fail against today's advanced threats.

The Market for Phishing Tools

Before examining specific frameworks, it's important to understand the ecosystem that supports them. The market for phishing tools has matured significantly in recent years, creating a concerning level of accessibility for would-be attackers.

Commercialisation of Attack Tools

Phishing is no longer limited to those with advanced technical skills. A robust marketplace now exists where ready-made phishing kits, infrastructure, and even full-service operations can be purchased. This "Phishing-as-a-Service" model has significantly lowered the barrier to entry for conducting sophisticated attacks.

Dark Web Marketplaces

Specialised forums and marketplaces on the dark web offer:

  • Complete phishing kits with pre-built templates
  • Access to compromised servers for hosting phishing sites
  • Tutorials on bypassing security controls
  • Subscription-based access to advanced frameworks
  • Lists of potentially vulnerable targets

The Democratisation of Advanced Techniques

Techniques that were once the exclusive domain of nation-state actors are now widely available to criminal organisations and even individual threat actors. This democratisation has contributed to the surge in sophisticated phishing campaigns targeting organisations of all sizes.

Evilginx: MFA Bypass Framework

One of the most sophisticated and concerning tools in the modern phishing arsenal is Evilginx, currently in its third major version (Evilginx3). This framework is specifically designed to circumvent MFA protections through an advanced man-in-the-middle approach.

Background and Development

Evilginx was created by security researcher Kuba Gretzky (known online as "mrgretzky") and first released publicly on GitHub in 2018. The tool was developed as a proof-of-concept to demonstrate vulnerabilities in traditional authentication systems and to help organisations better understand the limitations of certain MFA implementations.

The original version was followed by Evilginx2 in 2018, which was a complete rewrite with significant improvements. The latest major version, Evilginx3, was released in 2023 with enhanced capabilities. While initially created for legitimate security research and testing purposes, the tool has unfortunately been adopted by malicious actors due to its effectiveness.

Evilginx is written in Go (Golang), which compiles to a fast, standalone binary that runs across multiple platforms. This makes the tool particularly portable and easy to deploy on a freshly provisioned server.

Evilginx Pro: Commercial Evolution


In addition to the open-source version, a commercial variant called Evilginx Pro has been developed, further expanding the tool's capabilities. Evilginx Pro includes several advanced features not available in the community edition:

  • Enhanced Phishlet Support: Pre-built and continuously updated phishlets for a wide range of popular services, ensuring attackers can quickly target the latest versions of authentication systems
  • Advanced Browser Fingerprinting: Capabilities to detect and evade automated analysis systems and security tools
  • Enhanced Real-time Notifications: Immediate alerts when victims authenticate, allowing for rapid exploitation of captured credentials and tokens
  • Improved Session Management: More sophisticated tracking and management of victim sessions
  • Streamlined User Interface: A more polished dashboard for managing campaigns and monitoring results
  • Premium Support: Access to updates and technical assistance

The existence of this professional version demonstrates the ongoing commercialisation of sophisticated phishing tools and the economic ecosystem that has developed around them. It also highlights how the line between security testing tools and malicious frameworks has increasingly blurred, with the same technology marketed to both legitimate security professionals and potential attackers.

Technical Architecture

At its core, Evilginx is a reverse proxy that sits between the victim and the legitimate service they're trying to access. This architectural approach differs fundamentally from traditional phishing, which typically relies on creating convincing replicas of target websites.

Instead, Evilginx:

  1. Receives traffic from victims who believe they're connecting to a legitimate service
  2. Forwards this traffic to the actual legitimate service
  3. Captures authentication credentials and session tokens as they pass through
  4. Returns the legitimate service's responses to the victim

This approach means victims interact with the actual legitimate website throughout the authentication process, so the page content and behaviour offer no visual cues that anything is wrong; the only discrepancy left for the victim to notice is the attacker's lookalike domain in the browser's address bar.

Phishlets: The Key to Versatility

Evilginx uses configuration files called "phishlets" that define how the tool should handle traffic for specific websites. These phishlets contain:

  • Domain mapping configurations
  • Cookie capturing rules
  • HTML content modification instructions
  • JavaScript injection points
  • Session token identification patterns

The modular phishlet design allows Evilginx to be quickly adapted for different target services. Public repositories of phishlets exist for popular services including Microsoft 365, Google Workspace, AWS, banking portals, and social media platforms.

The Authentication Flow in an Evilginx Attack

A typical Evilginx attack follows this sequence:

The Compromise

  1. Initial Compromise: The victim receives a phishing email with a link to the attacker's Evilginx domain, which resembles a legitimate service (e.g., "microsoft-secure.com" instead of "microsoft.com").
  2. Proxy Connection: When clicked, the link directs the victim to the Evilginx server, which establishes a connection to the legitimate service.
  3. Real Authentication: The victim sees the actual login page from the legitimate service and proceeds through the entire authentication process, including entering their username, password, and MFA code if required.
  4. Credential and Token Capture: As the authentication data passes through the Evilginx proxy, it captures:
    • Username and password
    • Session cookies
    • Authentication tokens
    • MFA approval responses
  5. Session Hijacking: With the captured session tokens, the attacker can now access the victim's account without needing the username, password, or MFA codes for subsequent logins.

Anti-Detection Capabilities

Modern versions of Evilginx include sophisticated features to evade detection:

  • IP Filtering: Blocking connections from known security research companies and threat intelligence platforms
  • Geofencing: Limiting access to specific geographic regions
  • Triggered Landings: Requiring specific URL parameters or referrers to activate the phishing page
  • Response Manipulation: Modifying HTML content to remove security warnings or indicators
  • JavaScript Injection: Adding custom scripts to capture additional information or modify page behaviour
  • One-time URL Functionality: Preventing links from being re-accessed after initial use

Why Evilginx Is Particularly Dangerous

Evilginx represents a significant evolution in phishing capabilities for several reasons:

  1. It circumvents most forms of traditional MFA, including:
    • Time-based one-time passwords (TOTP)
    • Push notification approvals
    • SMS codes
    • Email verification codes
    • Even number matching implementations in authenticator apps
  2. It presents the legitimate website to the victim, eliminating visual cues that might trigger suspicion.
  3. It captures full authenticated sessions rather than just credentials, meaning that time-limited MFA approvals can be leveraged immediately for account access.
  4. It can be deployed with minimal infrastructure requirements compared to more complex phishing operations.

Technical Infrastructure for Advanced Phishing

To successfully deploy tools like Evilginx, attackers need several key infrastructure components working in concert. Understanding this infrastructure helps security professionals recognise and mitigate these sophisticated attacks.

Domain Configuration

Effective proxy-based phishing attacks rely on carefully selected domain names that appear legitimate to victims. Attackers typically use:

  • Typosquatting techniques: Creating domains with minor typographical variations of legitimate domains (e.g., "mircosoft.com")
  • Adding plausible prefixes/suffixes: Using terms like "secure-", "login-", or "-account" with legitimate brand names
  • Homograph attacks: Employing visually similar Unicode characters to create nearly identical-looking domains
  • TLD variations: Using alternative top-level domains (e.g., ".org" instead of ".com")

For proxy tools to function, the attacker must point DNS for the lookalike domain at their server and obtain a valid TLS (SSL) certificate for it, since these frameworks must serve HTTPS to avoid browser security warnings.
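As an added illustration of the domain techniques listed above (editor-supplied example code, not from the article or from any tool it describes), the following Python triage script classifies a candidate domain against a constructed brand watchlist. The watchlist, the affix list, the small confusables table and the edit-distance threshold are all assumptions to be tuned; the function names are hypothetical.

```python
"""Lookalike-domain triage for a brand watchlist.

Added example, not part of the original article. Flags a candidate domain when it
imitates a protected domain by one of the techniques discussed above: typosquatting,
plausible prefixes/suffixes, homograph (confusable) characters, or a top-level-domain
swap, plus the brand name buried in a subdomain of an unrelated site.
"""
import unicodedata

# Constructed watchlist: the legitimate domains you defend (assumption; replace with yours).
PROTECTED = ("microsoft.com", "google.com")

# Affixes commonly combined with a brand name to look like a login or account page.
AFFIXES = ("secure", "login", "signin", "account", "auth", "verify", "mfa", "sso")

# Hand-built confusables table (assumption: a production tool would load the full
# Unicode confusables data). Multi-character entries come first so "rn" becomes "m"
# before single characters are mapped.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0456": "i", "\u0261": "g", "0": "o", "1": "l",
}

# Edit distance at or below this is treated as a typo of the brand (assumption).
MAX_EDITS = 2


def to_unicode(domain):
    """Return the lower-cased Unicode form of a domain, decoding punycode labels if present."""
    domain = domain.strip().rstrip(".").lower()
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already contained non-ASCII characters


def skeleton(label):
    """Collapse visually confusable characters to the ASCII letters they imitate."""
    s = unicodedata.normalize("NFKC", label)
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Classic edit distance; fine for domain labels, which are short."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate):
    """Return the sorted list of imitation techniques the candidate matches (empty if none)."""
    domain = to_unicode(candidate)
    if domain in PROTECTED:
        return []
    labels = domain.split(".")
    if len(labels) < 2:
        return []
    sld, tld = labels[-2], labels[-1]
    reasons = set()
    for brand in PROTECTED:
        b_sld, b_tld = brand.split(".")[-2:]
        if sld == b_sld:
            if tld != b_tld:
                reasons.add("tld-variation")
        elif skeleton(sld) == b_sld:
            reasons.add("homograph")
        elif 0 < levenshtein(sld, b_sld) <= MAX_EDITS:
            reasons.add("typosquat")
        elif b_sld in sld:
            rest = sld.replace(b_sld, "", 1).strip("-")
            if any(affix in rest for affix in AFFIXES):
                reasons.add("affix")
        if b_sld in labels[:-2]:
            reasons.add("brand-as-subdomain")
    return sorted(reasons)


if __name__ == "__main__":
    for name in ("microsoft.com", "mircosoft.com", "microsoft-secure.com", "m\u0456crosoft.com",
                 "rnicrosoft.com", "microsoft.org", "login.microsoft.com.example.net"):
        print(name, classify(name))
```

Candidates can be fed from newly registered domain feeds or from certificate transparency logs, which expose the certificates the proxy needs to serve HTTPS. Legitimate subdomains of a protected domain (for example www.microsoft.com) produce no reasons, while each of the four techniques in the list above, plus the brand name buried in a subdomain of an unrelated site, is reported by name.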

Hosting Requirements

Sophisticated phishing operations require hosting that balances reliability with anonymity:

  • Virtual Private Servers (VPS): Dedicated resources with full control over the environment
  • Anonymous payment options: Cryptocurrency payments to avoid attribution
  • Bulletproof hosting: Providers that resist takedown requests and legal pressure
  • Geographic considerations: Hosting in jurisdictions with limited international cooperation on cybercrime

Unlike simple phishing pages that can operate on compromised websites, proxy-based tools need dedicated servers with proper port configurations and the ability to install and run specific software packages.

Operational Security Measures

To avoid detection, sophisticated phishing operators implement multiple security layers:

  • IP filtering: Blocking connections from security companies, researchers, and automated scanning tools
  • Geofencing: Only targeting specific regions while serving benign content to visitors from other locations
  • Infrastructure compartmentalisation: Separating different components of the attack to limit exposure if one element is discovered
  • Rotating infrastructure: Frequently changing domains and hosting to stay ahead of blocklists and takedowns
  • Traffic encryption: Using additional layers of encryption for communication between attack components

Command and Control

Advanced phishing frameworks include command and control interfaces that operators use to:

  • Monitor active sessions
  • Capture credentials and authentication tokens
  • Manage multiple simultaneous campaigns
  • Track successful compromises
  • Export captured data securely

These interfaces are typically protected with additional authentication and accessible only through encrypted connections or via Tor hidden services to prevent discovery.

Beyond Evilginx: The Arsenal of Modern Phishing Frameworks

While Evilginx represents one of the most advanced threats to authentication security, several other sophisticated tools have emerged in the phishing landscape. Security professionals must be familiar with this broader ecosystem to effectively protect their organisations.

SocialFish

SocialFish is designed specifically for social media phishing, with pre-built templates for popular platforms and the ability to clone target pages. It focuses on ease of use and rapid deployment for less technical operators.

GoPhish

Originally developed for legitimate security testing, GoPhish is an open-source phishing framework that includes:

  • Email campaign management
  • Landing page creation
  • User tracking and analytics
  • Credential capturing
  • Reporting capabilities

Its legitimate security testing origins make it particularly concerning when used maliciously, as it includes features designed for effectiveness rather than evasion.

Custom Frameworks

Advanced threat actors, particularly those associated with nation-states or well-resourced criminal organisations, often develop custom phishing frameworks tailored to specific targets or designed to evade particular security controls. These bespoke tools may incorporate elements from public frameworks while adding proprietary features and evasion techniques.

The Role of Automation in Modern Phishing

Advanced phishing operations increasingly leverage automation throughout the attack lifecycle:

Infrastructure Deployment

Attackers use automation to:

  • Register domains programmatically
  • Obtain SSL certificates
  • Configure hosting environments
  • Deploy phishing frameworks
  • Set up redirection chains

This automation enables rapid establishment of new infrastructure when existing domains are blocked or blacklisted.

Target Selection and Customisation

Sophisticated phishing now often incorporates:

  • Automated OSINT gathering on potential victims
  • Dynamic content generation based on victim profiles
  • Customised lures leveraging information from data breaches or social media
  • A/B testing of different phishing approaches to maximise effectiveness

Post-Compromise Automation

Once credentials or session tokens are captured, automation can:

  • Test credential validity across multiple services
  • Extract sensitive information from compromised accounts
  • Establish persistence mechanisms
  • Enable lateral movement through connected services
  • Exfiltrate data while evading detection

Limitations and Vulnerabilities of Advanced Phishing Tools

Despite their sophistication, tools like Evilginx do have limitations and vulnerabilities that organisations can exploit for defence:

Phishing-Resistant Authentication

FIDO2-based authentication methods, including WebAuthn and physical security keys, bind the authentication process to the legitimate domain: the browser only exercises a credential for the origin it was registered to, and the signed response carries that origin and a hash of the relying party identifier, so a proxy on a lookalike domain can neither trigger the credential nor replay a response. When implemented correctly, these methods verify the origin of the authentication request, preventing credential interception even by sophisticated proxies.
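To make the origin binding concrete, here is an added Python example (not from the article, nor from any WebAuthn library) of the two checks involved: the browser's rule for which origins may use a relying party (RP) ID, and the relying party's verification of the origin and RP ID hash carried in the signed assertion. The RP ID, origin, challenge and lookalike domain are constructed assumptions; the usual signature check against the stored public key is a separate, standard step that the example does not repeat.

```python
"""Relying-party-side checks that make WebAuthn/FIDO2 resistant to proxy phishing.

Added example, not code from the article or from any WebAuthn library. It shows the two
origin-binding checks: the browser's rule for which origins may use an RP ID, and the
relying party's verification of the origin and rpIdHash inside the signed response.
Signature verification against the stored public key is a separate, standard step and
is not repeated here. Domain names below are constructed assumptions.
"""
import base64
import hashlib
import json

EXPECTED_RP_ID = "example.com"                 # assumption: the relying party's RP ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumption: the real login origin


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rp_id_allowed_for_origin(rp_id, origin):
    """Browser-side rule (simplified): the RP ID must equal the origin's host or be a
    registrable suffix of it, so a lookalike host can never ask for this credential."""
    host = origin.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def make_client_data(origin, challenge):
    """Constructed clientDataJSON as the browser would produce it for a get() call."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode("utf-8")


def make_authenticator_data(rp_id, flags=0x05, counter=1):
    """Constructed authenticatorData: rpIdHash (32 bytes) | flags (1) | signCount (4)."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_origin_binding(client_data_json, authenticator_data, expected_challenge):
    """Return (ok, reason) for the origin-related checks a relying party performs on an
    assertion before checking the signature."""
    try:
        client_data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    origin = client_data.get("origin")
    if origin != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(origin)
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode("utf-8")).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo():
    """Legitimate origin passes; the same challenge signed on a lookalike origin is rejected."""
    challenge = bytes(range(32))  # constructed; a real server issues a fresh random challenge
    auth_data = make_authenticator_data(EXPECTED_RP_ID)
    legit = verify_origin_binding(make_client_data(EXPECTED_ORIGIN, challenge), auth_data, challenge)
    proxied = verify_origin_binding(make_client_data("https://login-example-secure.com", challenge),
                                    auth_data, challenge)
    return legit, proxied


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the verdict for the real origin and for the same challenge signed on a lookalike origin. The relying-party check matters even though a conforming browser would already refuse to exercise the credential for a lookalike host: the server should never assume the client did the right thing.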

Traffic Analysis and Anomaly Detection

The proxy-based nature of these attacks creates detectable patterns:

  • Additional network hops that increase latency
  • Unusual connection characteristics
  • Abnormal TLS certificate properties
  • Distinctive HTTP header patterns

Advanced security monitoring can identify these anomalies and flag potential proxy-based phishing attempts.

Behavioural and Contextual Indicators

Even when technical controls are bypassed, behavioural and contextual factors can reveal suspicious activity:

  • Authentication from new devices or locations
  • Unusual access patterns or times
  • Abnormal user behaviour following authentication
  • Unexpected changes to security settings
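The following Python example (added here; not from the article or any vendor product) runs a few of these behavioural rules over constructed sign-in telemetry. The log lines, field names, device baseline and hosting-ASN list are all assumptions; the scenario for user alice mirrors the proxied flow described earlier, in which the identity provider sees the sign-in arrive from the proxy host rather than the user's device, and the captured session is then used from yet another location.

```python
"""Behavioural detections for proxy-phished sessions over constructed sign-in telemetry.

Added example, not from the article or any vendor product. The log lines, device
baseline and hosting-ASN list are all constructed assumptions; field names are
illustrative. A proxied sign-in reaches the identity provider from the proxy host,
not the user's usual device, and the stolen session is then used from yet another
location, so the rules below look for exactly those discontinuities."""
import json
from datetime import datetime, timedelta

# Constructed baseline: devices each user has previously signed in from.
KNOWN_DEVICES = {"alice": {"DEV-A"}, "bob": {"DEV-B"}}
# Constructed list of ASNs your intelligence feed tags as VPS/hosting space.
HOSTING_ASNS = {"AS64502"}
# A security-settings change this soon after a sign-in is worth a look on its own.
SETTINGS_WINDOW = timedelta(minutes=15)

# Constructed JSON-lines telemetry (not real data).
SAMPLE_LOG = """\
{"ts": "2025-03-03T09:02:11Z", "event": "signin", "user": "alice", "session": "S1", "ip": "198.51.100.77", "asn": "AS64502", "country": "NL", "device": "DEV-X", "mfa": "satisfied"}
{"ts": "2025-03-03T09:04:00Z", "event": "activity", "user": "alice", "session": "S1", "ip": "192.0.2.33", "asn": "AS64503", "country": "DE", "device": "unknown"}
{"ts": "2025-03-03T09:05:02Z", "event": "settings_change", "user": "alice", "session": "S1", "ip": "192.0.2.33", "asn": "AS64503", "country": "DE", "detail": "authenticator added"}
{"ts": "2025-03-03T11:00:00Z", "event": "signin", "user": "bob", "session": "S2", "ip": "203.0.113.55", "asn": "AS64500", "country": "GB", "device": "DEV-B", "mfa": "satisfied"}
{"ts": "2025-03-03T11:20:00Z", "event": "activity", "user": "bob", "session": "S2", "ip": "203.0.113.55", "asn": "AS64500", "country": "GB", "device": "DEV-B"}
"""


def parse_events(log_text):
    """Parse JSON-lines telemetry into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(log_text):
    """Return (user, rule, session) alerts, one per rule hit, in log order."""
    alerts = []
    sessions = {}  # session id -> the sign-in event that minted it
    for event in parse_events(log_text):
        user, session = event["user"], event["session"]
        if event["event"] == "signin":
            sessions[session] = event
            if event.get("device") not in KNOWN_DEVICES.get(user, set()):
                alerts.append((user, "new_device_signin", session))
            if event.get("asn") in HOSTING_ASNS:
                alerts.append((user, "hosting_asn_signin", session))
            continue
        origin = sessions.get(session)
        if origin is None:
            alerts.append((user, "session_without_signin", session))
            continue
        # The session cookie is being presented from a different network than the one
        # that authenticated: the signature of a replayed token.
        if (event.get("asn"), event.get("country")) != (origin.get("asn"), origin.get("country")):
            alerts.append((user, "session_ip_drift", session))
        if event["event"] == "settings_change" and event["ts"] - origin["ts"] <= SETTINGS_WINDOW:
            alerts.append((user, "post_auth_settings_change", session))
    return alerts


def rules_for(log_text, user):
    """Sorted, de-duplicated rule names raised for one user; handy for triage and tests."""
    return sorted({rule for who, rule, _ in detect(log_text) if who == user})


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Each rule on its own is noisy (travellers, VPNs, new laptops); the value is in the combination on a single session, which is why every alert carries the session id so a SIEM rule can count distinct rules per session rather than per user.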

Conclusion: From Understanding to Defence

The sophisticated tools and techniques examined in this article represent the cutting edge of phishing technology. By understanding how frameworks like Evilginx operate, security professionals can better appreciate why traditional defences may fall short and how to implement more effective countermeasures.

In our next instalment, a special bonus article on token theft, we'll explore what happens after a successful phishing attack when threat actors leverage stolen authentication tokens to maintain access and move laterally through organisational environments. We'll examine tools like GraphRunner, AzureHound, and other post-exploitation frameworks that leverage compromised authentication to expand their foothold.

Following that, Part 4 will delve into comprehensive protection strategies, including email authentication protocols, Microsoft Defender for Office 365 capabilities, and effective user awareness training approaches that can help organisations defend against these sophisticated attacks.


Have you encountered any of these advanced phishing tools in your organisation? Share your experiences in the comments below, and don't forget to subscribe for the upcoming bonus content on token theft.

This article is part of a six-part series (plus bonus content) on phishing attacks and defences. Read Part 1: Introduction to the Blog Series and Part 2: Understanding Modern Phishing Attacks if you haven't already, and stay tuned for the upcoming instalments leading to my presentation at the Microsoft 365 Community Conference in Las Vegas on 6-8 May 2025.