Attacks Using Evilginx and Defense
Amer, Osamah (2026)
2026
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-202601271863
https://urn.fi/URN:NBN:fi:amk-202601271863
Tiivistelmä
The digital identity landscape has shifted from password-based authentication to Multi Factor Authentication (MFA). While MFA was introduced to mitigate credential theft, attackers have evolved methodologies to bypass these protections using Adversary in-the-Middle (AiTM) techniques. The primary problem addressed in this study was the vulnerability of App-based MFA methods, specifically Microsoft Authenticator’s "Number Matching," to real-time session hijacking.
The objective of this study was to empirically evaluate the resilience of App-based MFA compared to hardware-based FIDO2 authentication. Research was conducted by constructing a custom "Cyber Lab" environment locally on Windows. The infrastructure utilized the Evilginx 3.0 framework, configured with local DNS spoofing and custom SSL certificates. Two scenarios were tested: a local simulated user (osku@dev.com) and a real-world Proof of Concept against Microsoft Outlook. The results demonstrated that while standard App-based MFA was successfully bypassed by the reverse proxy, FIDO2 hardware keys effectively prevented session hijacking by enforcing Origin Binding. Furthermore, the implementation of a server-side "Termination Feature" proved to be an effective reactive defense mechanism for immediate session revocation.
The objective of this study was to empirically evaluate the resilience of App-based MFA compared to hardware-based FIDO2 authentication. Research was conducted by constructing a custom "Cyber Lab" environment locally on Windows. The infrastructure utilized the Evilginx 3.0 framework, configured with local DNS spoofing and custom SSL certificates. Two scenarios were tested: a local simulated user (osku@dev.com) and a real-world Proof of Concept against Microsoft Outlook. The results demonstrated that while standard App-based MFA was successfully bypassed by the reverse proxy, FIDO2 hardware keys effectively prevented session hijacking by enforcing Origin Binding. Furthermore, the implementation of a server-side "Termination Feature" proved to be an effective reactive defense mechanism for immediate session revocation.