Lately, I’ve been diving into some red-team tooling just to get a better grasp of how modern phishing attacks work — and I ended up spending way too much time with Evilginx2.
For those who don’t know, Evilginx2 is a man-in-the-middle phishing framework. It doesn't go after your passwords — it hijacks session tokens. So even if a target has 2FA turned on, once they authenticate, you get their session. Simple as that. Brutal, but clever.
🔧 What I Wanted to Do
While exploring, I noticed Evilginx2 ships with different phishlets for each Microsoft service — Outlook, GoDaddy, Office365, Azure, SharePoint, and so on.
But let’s be honest: they all hit the same Microsoft login flow under the hood. So instead of juggling multiple phishlets, I decided to build one universal phishlet that could handle any Microsoft vendor login.
Spoiler: it worked.
🛠️ What I Modified
I took the existing Microsoft phishlet and reshaped it into a universal one. Here’s what changed:
Wildcard domain handling for subdomains like login.microsoftonline.com, outlook.office365.com, and others.
Flexible path handling so it doesn’t break with different Microsoft services or redirect chains.
Refined header rewriting and cookie handling to make the session handoff smoother.
Made the config adaptive enough that it doesn’t care what service the user logs into — as long as it's Microsoft, it does the job.
The end result? One phishlet to rule all Microsoft vendors.
👨‍💻 Bonus: It’s Written in Go — So I Was in My Element
The best part? Evilginx2 is written in Go, which is what I work with day to day. That made it a lot easier to read through the codebase, debug weird behavior, and even tweak some internals when things weren’t behaving the way I wanted.
Being comfortable in Go gave me the confidence to go deeper than just YAML tweaks — and honestly, that made all the difference.
💡 Why This Was Fun
This wasn’t about launching attacks. It was about understanding how attackers think.
Tinkering with Evilginx2 was part networking, part dev, and part reverse engineering. Watching a login go through a proxy and still work — while handing you tokens — is an oddly satisfying (and terrifying) experience.
Plus, learning how these flows can be manipulated helps me look at authentication systems with a sharper eye.
Working with Evilginx2 was eye-opening. I expected a sketchy tool — what I found was a highly capable framework with a lot to teach anyone working in security.
If you’re serious about securing your stack, I highly recommend setting it up in a controlled environment and watching what it can do. It’ll change the way you look at login flows — for real.
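The reason the token hijack works is that a password and a one-time code are not tied to the site the user typed them into, so a proxy can simply relay them. A phishing-resistant credential such as FIDO2/WebAuthn behaves differently: the browser puts the page origin into the signed client data, so a relying party that checks it rejects an assertion collected through a lookalike proxy domain. Here is that check in Go, as an added example that is not code from this post or from Evilginx2; the lookalike domain and the challenge string are constructed placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData holds the CollectedClientData fields a relying party must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// VerifyClientData decodes base64url clientDataJSON and checks the ceremony type,
// the challenge the server issued, and that the browser-reported origin is one of the
// relying party's own. A proxy on another domain cannot change that origin, so it fails here.
func VerifyClientData(clientDataB64, expectedChallenge string, allowedOrigins []string) error {
	raw, err := base64.RawURLEncoding.DecodeString(clientDataB64)
	if err != nil {
		return fmt.Errorf("clientDataJSON is not base64url: %w", err)
	}
	var cd clientData
	if err := json.Unmarshal(raw, &cd); err != nil {
		return fmt.Errorf("clientDataJSON is not valid JSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("unexpected ceremony type %q", cd.Type)
	}
	if cd.Challenge != expectedChallenge {
		return fmt.Errorf("challenge mismatch (%q): possible replay", cd.Challenge)
	}
	for _, o := range allowedOrigins {
		if cd.Origin == o {
			return nil
		}
	}
	return fmt.Errorf("origin %q is not a registered relying-party origin", cd.Origin)
}

// encode builds clientDataJSON the way a browser would; used only for the constructed samples.
func encode(typ, challenge, origin string) string {
	b, _ := json.Marshal(clientData{Type: typ, Challenge: challenge, Origin: origin})
	return base64.RawURLEncoding.EncodeToString(b)
}

func main() {
	allowed := []string{"https://login.microsoftonline.com"}
	chal := "constructed-challenge" // constructed; real challenges are random server-issued bytes
	fmt.Println("direct :", VerifyClientData(encode("webauthn.get", chal, allowed[0]), chal, allowed))
	fmt.Println("proxied:", VerifyClientData(encode("webauthn.get", chal, "https://login.lookalike-domain.example"), chal, allowed))
}
```

The direct login verifies, while the same challenge signed from the proxy's origin is rejected, which is why the phishlet approach described above does not carry over to origin-bound credentials.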
Evilginx repo: https://github.com/kgretzky/evilginx2
🔗 My Evilginx2 fork with custom tweaks is available here: github.com/RokibulHasan7/evilginx2 — feel free to explore, learn, or fork it for your own lab setup.