MFA's Worst Nightmare: Inside Evilginx with it's creator Kuba Gretzky

In this episode, we dive into the sophisticated world of phishing attacks with Kuba Gretzky, creator of the renowned Evilginx framework. He shares insights on how Evilginx operates as a reverse proxy, capturing authentication tokens in real-time, and discusses the ethical considerations of creating such a powerful tool. Most importantly, Kuba provides valuable guidance on protection strategies that organizations can implement to defend against these advanced phishing techniques. Key Links - BREAKDEV Blog → breakdev.org - Evilginx Pro → evilginx.com - Evilginx Mastery Course → academy.breakdev.org/evilginx-mastery Related Links YouTube: Stop hackers from stealing your Microsoft 365 user's passwords - https://www.youtube.com/watch?v=tI1bdVohOK8 YouTube Microsoft 425 Show | Evilginx: How Threat Actors Perform Phishing and Token Theft Attacks - https://www.youtube.com/watch?v=8QsLM8nBiho JA4+ Network Fingerprinting Subscribe to the Entra.Chat podcast on your favourite podcast player 👇 🎧 Apple Podcast - https://podcasts.apple.com/us/podcast/entra-chat/id1801200012 📺 Spotify - https://open.spotify.com/show/2lJSWBTmMWWn4f9u75JvHY 📺 YouTube - https://www.youtube.com/@merillx/podcasts 🎧 Pocketcast - https://pca.st/10oii6uv 🎧 Overcast - https://overcast.fm/itunes1801200012 🎧 Other - https://api.substack.com/feed/podcast/1804560/private/17af4edf-5946-4494-a05a-ac8693ba426d.rss 00:00 - Introduction to Kuba and Evilginx 02:03 - Understanding Phishing Fundamentals 03:39 - How Evilginx Works Technically 05:55 The Evolution of Phishing Tools 10:37 Evilginx's Impact and Popularity 12:25 Real-World Phishing Examples 16:23 Protecting Against Evilginx Attacks 22:57 - Detecting Evilginx Attacks 27:33 - User Education and Psychological Factors 31:01 - Ethical Considerations and Responsible Development 36:43 - Future Developments and Evilginx Pro Key Takeaways - Modern phishing attacks like those enabled by Evilginx can bypass MFA by acting as a proxy in real-time. - The strongest protections include device compliance, FIDO2/passkeys, and domain verification checks. - Organizations should implement conditional access policies that verify device identity, not just user identity. - User education should focus on recognizing urgency tactics rather than just checking URLs. - Shadow tokens that include browser fingerprinting and domain information show promise as protection methods. - Ethical security tools require responsible handling - vetting processes to help prevent misuse. - Security awareness demonstrations with tools like Evilginx help stakeholders understand risks and invest in protections.