AITM phishing (Evilginx) → M365 session theft → mailbox exfil
Reverse-proxy phishing kit intercepts the entire login flow including MFA. Stolen session cookie → access M365 mailbox / SharePoint without retriggering auth.
§ Context
Assumed environment: target uses M365 with MFA. Users can be enticed to click a link in a convincing email (HR / IT / OAuth consent page).
§ Steps
Step | Action | Tactic | Technique
- 01 | Replay cookie into attacker browser | Initial Access | T1078 — Valid Accounts
- 02 | Send phishing email with attacker URL | Initial Access | T1566 — Phishing
- 03 | Capture post-MFA session cookie | Credential Access | T1539 — Steal Web Session Cookie
- 04 | Set mailbox forwarding rule | Collection | M365-MAILBOX-FORWARD — Mailbox Forwarding Rule
- 05 | Mailbox / SharePoint / Teams data exfil | Collection | M365-EWS-EXFIL — Exchange Web Services (EWS) Exfil
- 06 | Stand up Evilginx with a phishlet | Initial Access | PH-AITM-EVILGINX — AITM Phishing — Evilginx / Modlishka
- 07 | Victim authenticates + completes MFA via the proxy | Initial Access | PH-MFA-FATIGUE — MFA Fatigue / Prompt Bombing
§ References
- T1078 — Valid Accounts
- T1566 — Phishing
- T1539 — Steal Web Session Cookie
§ Frequently asked
- What is the "AITM phishing (Evilginx) → M365 session theft → mailbox exfil" attack path?
- Reverse-proxy phishing kit intercepts the entire login flow including MFA. Stolen session cookie → access M365 mailbox / SharePoint without retriggering auth. It chains 7 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Replay cookie into attacker browser (T1078), an Initial Access primitive. Assumed environment: target uses M365 with MFA.
- What is the final impact of this kill-chain?
- The final step lands on Victim authenticates + completes MFA via the proxy (PH-MFA-FATIGUE), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Shared techniques: 5
  FIDO2 caBLE hybrid → phone authenticator hijack
  Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser; they're now signed in as the victim.
- Shared techniques: 4
  Compromised CFO mailbox → invoice fraud → wire fraud
  AITM phishing nets the CFO's M365 session. Attacker sets a mail rule to hide replies, edits a pending invoice's wire details, and sends the modified PDF to AP from the legitimate mailbox.
- Shared techniques: 4
  Browser-in-the-Browser → credential theft on a trusted page
  Render a fake SSO popup inside the attacker page that looks like a real OS browser window. Victim types their credentials into the attacker's DOM.
- Shared techniques: 3
  Compromised vendor mailbox → reply-chain phishing → client compromise
  Take over a vendor / partner mailbox via AITM phishing. Reply to an existing thread with a malicious link; the trust carried over from the genuine prior conversation defeats most user training.
- Shared techniques: 3
  Malicious browser extension → cookie harvest → ATO
  Publish a useful-looking extension (ad-blocker / PDF reader). It quietly reads cookies + localStorage from sensitive sites and ships them to the attacker.
- Shared techniques: 3
  Mailbox forwarding rule → silent data exfil
  Compromised user account. Create an Inbox / transport rule that auto-forwards every incoming message to an external attacker mailbox; invisible until an admin reviews mailbox rules.