EvilProxy AiTM — Part 1: Walkthrough

Martin Connarty
4 min read, Sep 20, 2023


Adversary-in-the-Middle (AiTM) phishing using EvilProxy is a growing threat. Because the proxy relays the real sign-in and captures the session issued after MFA, it defeats most MFA methods and is fast becoming the method of choice for phishing.

This is a two-part post: part 1 is a walkthrough of me using my honey tenant to get phished, and part 2 covers some of the detection opportunities this offers.

Part 2:

https://medium.com/@martinconnarty/adversary-in-the-middle-detection-44dca2f79943

The Initial Email Link

Often there will be a redirect chain, very often starting with a 'legitimate' site. I've seen places like LinkedIn, Bing, Microsoft, Google, Baidu and more all being used to obfuscate the initial link. Enumerating the redirection schemes might be another project.

Often the victim's email address is base64-encoded in the URL, so the proxy can pre-fill the username field. If you base64-encode your own domain name, that might give you a signature to hunt for in proxy or mail-gateway logs, although I've noticed that a LOT of marketing emails and the like do the same.

The Captcha

[Screenshot: Captcha]

Often there is a sandbox-defeating CAPTCHA such as this one, there to stop URL scanners and detonation sandboxes from ever reaching the login page. Cloudflare's is one I've seen quite a bit.

Loading and Splashpage

In this example, we had a 'Trying to sign you in' page, which may have been added to make the phish look more authentic.

[Screenshot: Trying to sign in]

This eventually leads to:

The Login Page

[Screenshot: My splash page]

Note: this is my tenant's own sign-in page background. Because the proxy relays the real Microsoft sign-in page, it picks up the victim organisation's branding, and the phish immediately becomes more convincing.

The detection post covers the overlay I've baked into my background, as well as some searches you can use to detect that background being loaded by victims.

The MFA Steal

[Screenshot: MFA steal]

When I put a correct password in (the proxy checks it against the real service, and we can see that attempt in our Azure sign-in logs), we get an MFA prompt just as we would on any normal login. I can then accept that on my phone, and it redirects me to a legitimate office.com page in order to avoid user suspicion.

[Screenshot: Post redirect]

A look at the logs

Unfortunately my honey tenant doesn't have a particularly big licence, nor does it have anything really deployed in it such as Microsoft 365. What this means is that while I can check the sign-in logs, I can only do so for the last week, and I can't really see the next steps.

My understanding is that typically this leads to malicious email forwarding rules being set up and alternate MFA methods being registered, so that the adversary can establish persistence in the account. That would presumably be required, as I would imagine these accounts are often sold on to Initial Access Brokers.

What we can see however is:

In the diagnostics tool:

[Screenshot: The login]

In the logs:

[Screenshot: The login, more detail]

Some observations and notes:

1. The OfficeHome app. I have observed this being quite common, but it is not necessarily always the case. This is in line with some other blog posts.

2. While I have one IP here, previously I've seen multiple (detectable; see below). Usually where I see multiple it is because the password was incorrect; presumably the threat actor is retrying from different IPs in case of geo or other restrictions.

A bit more on the IP:

[Screenshot: IP check]

The IP resolves to a VPS provider. Again from my own observations, this is typical of the proxy backend that performs the real authentication. With good IP intelligence (hosting and VPS ranges) overlaid on our sign-in logs, we may be able to detect this as well.
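To make the three observations above concrete (OfficeHome as the app, failed attempts from several IPs shortly before a success, and the successful sign-in coming from hosting/VPS space), here is an added Python example, not from the original post or from part 2, that scores successful sign-ins against those indicators. The records are constructed in the shape of Entra ID sign-in log fields (UserPrincipalName, AppDisplayName, IPAddress, ResultType, where 0 is success and 50126 is an invalid username or password), and the IP-intelligence feed is a hypothetical stand-in using documentation address ranges.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records, not real tenant data. "result" mirrors the
# ResultType column: 0 = success, 50126 = invalid username or password.
SIGNINS = [
    {"time": "2023-09-20T09:00:05Z", "user": "honey@victim.example", "app": "OfficeHome", "ip": "203.0.113.10", "result": 50126},
    {"time": "2023-09-20T09:00:09Z", "user": "honey@victim.example", "app": "OfficeHome", "ip": "198.51.100.22", "result": 50126},
    {"time": "2023-09-20T09:00:14Z", "user": "honey@victim.example", "app": "OfficeHome", "ip": "198.51.100.22", "result": 0},
    {"time": "2023-09-20T08:15:00Z", "user": "alice@victim.example", "app": "Microsoft Teams", "ip": "192.0.2.5", "result": 0},
    {"time": "2023-09-20T08:40:00Z", "user": "bob@victim.example", "app": "OfficeHome", "ip": "192.0.2.8", "result": 50126},
    {"time": "2023-09-20T08:41:00Z", "user": "bob@victim.example", "app": "OfficeHome", "ip": "192.0.2.8", "result": 0},
]

# Hypothetical IP-intelligence feed: prefix -> category. In practice this comes
# from your enrichment source (ASN / hosting-provider lists).
IP_INTEL = {"198.51.100.0/24": "hosting/VPS", "203.0.113.0/24": "hosting/VPS"}


def ip_category(ip: str):
    """Return the feed category for an address, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net, category in IP_INTEL.items():
        if addr in ipaddress.ip_network(net):
            return category
    return None


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def review_successes(records, window: timedelta = timedelta(minutes=15)):
    """For each successful sign-in, collect the indicators from the walkthrough.
    Returns {(user, time): [reasons]} for sign-ins matching at least two of
    them; OfficeHome alone is too common to act on by itself."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_user[r["user"]].append(r)

    hits = {}
    for user, rows in by_user.items():
        for i, r in enumerate(rows):
            if r["result"] != 0:
                continue
            t = _parse(r["time"])
            # Distinct source IPs that failed for this user inside the window.
            prior_fail_ips = {p["ip"] for p in rows[:i]
                              if p["result"] != 0 and t - _parse(p["time"]) <= window}
            reasons = []
            if r["app"] == "OfficeHome":
                reasons.append("OfficeHome app")
            if len(prior_fail_ips) >= 2:
                reasons.append(f"failed attempts from {len(prior_fail_ips)} IPs within {window}")
            category = ip_category(r["ip"])
            if category:
                reasons.append(f"success from {category} address {r['ip']}")
            if len(reasons) >= 2:
                hits[(user, r["time"])] = reasons
    return hits


if __name__ == "__main__":
    for key, reasons in review_successes(SIGNINS).items():
        print(key, "->", "; ".join(reasons))
```

In the constructed data only the honey account is flagged: the user who mistyped a password once from a single corporate address and then signed in to OfficeHome scores a single indicator and is left alone, which is the behaviour you want before wiring something like this into an alert.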

Detection and Mitigation

Please see my other blog post, which covers detection methods.

https://medium.com/@martinconnarty/adversary-in-the-middle-detection-44dca2f79943
