Attackers Have a New Way to Slip Past Your MFA
Summary:
Evilginx, an attacker-in-the-middle phishing toolkit, is increasingly being leveraged by actors to steal session cookies and bypass multi-factor authentication. Evilginx works by inserting itself as a live proxy between a user and a legitimate website, relaying a genuine sign-in process to capture the victim’s username and password in real-time. When a user enters their credentials and MFA codes on a fake login page, Evilginx will capture the credentials and forward them to the genuine site. In turn, the legitimate service uses these credentials to authenticate and issue a session cookie. This session cookie, which is captured by Evilginx, can then be used to impersonate the user and gain access without triggering security alerts or additional MFA prompts.
Security Officer Comments:
Session cookies are temporary files that websites use to remember that a user is authenticated during a single browsing session. This in turn allows the user to browse the website without having to re-enter the password on every page. Session cookies are stored in the browser's memory and are automatically deleted when the user closes the browser or logs out. However, because Evilginx captures these cookies in real time, actors can reuse them to authenticate to the website or service until the session expires or is revoked.
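The comment above describes the window a stolen cookie is valid for: until the session expires or is revoked. The following is an added example (not code from the Malwarebytes article or from Evilginx) of a minimal server-side session store that closes that window from the defender's side: every session carries an expiry, a "sign out everywhere" operation revokes all of a user's sessions at once, and a session presented from a client context other than the one it was issued to is marked as needing fresh MFA rather than being accepted silently. The class name, the TTL, and the IP/user-agent fingerprint are assumptions for illustration; the fingerprint in particular is only a heuristic, since in a live relay the legitimate site may have recorded the proxy's context as the "real" client.

```python
import hashlib
import hmac
import secrets
import time

# Assumed session lifetime; a real deployment tunes this per risk level.
SESSION_TTL_SECONDS = 8 * 3600


class SessionStore:
    """In-memory, server-side session registry (constructed example)."""

    def __init__(self):
        self._sessions = {}  # session_id -> record dict

    @staticmethod
    def _fingerprint(client_ip, user_agent):
        # Coarse binding of the session to the client that obtained it.
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def issue(self, user, client_ip, user_agent, now=None):
        """Create a session after a successful (MFA-backed) login."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[sid] = {
            "user": user,
            "issued_at": now,
            "expires_at": now + SESSION_TTL_SECONDS,
            "client_fp": self._fingerprint(client_ip, user_agent),
            "revoked": False,
        }
        return sid

    def validate(self, sid, client_ip, user_agent, now=None):
        """Return a status string for a presented session cookie.

        'ok'              -> accept
        'unknown'         -> no such session
        'revoked'         -> user signed out everywhere
        'expired'         -> past its lifetime
        'reauth_required' -> valid cookie, but presented from a different
                             client context; require MFA again instead of
                             trusting the cookie alone
        """
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None:
            return "unknown"
        if rec["revoked"]:
            return "revoked"
        if now >= rec["expires_at"]:
            return "expired"
        presented = self._fingerprint(client_ip, user_agent)
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(rec["client_fp"], presented):
            return "reauth_required"
        return "ok"

    def revoke_all(self, user):
        """'Sign out of all sessions' for a user; returns how many were cut."""
        count = 0
        for rec in self._sessions.values():
            if rec["user"] == user and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.issue("alice", "203.0.113.10", "Mozilla/5.0")
    print(store.validate(cookie, "203.0.113.10", "Mozilla/5.0"))  # ok
    print(store.validate(cookie, "198.51.100.7", "curl/8.0"))     # reauth_required
    print(store.revoke_all("alice"))                               # 1
    print(store.validate(cookie, "203.0.113.10", "Mozilla/5.0"))  # revoked
```

The key design point is that the cookie alone never proves anything the server cannot take back: revocation is server-side state, so "sign out everywhere" invalidates a replayed cookie immediately, whereas a purely client-side cookie lifetime would let it keep working until it expires.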
Suggested Corrections:
- Be careful with links that arrive in an unusual way. Don’t click until you’ve checked the sender and hovered over the destination. When in doubt, feel free to use Malwarebytes Scam Guard on mobiles to find out whether it’s a scam or not. It will give you actionable advice on how to proceed.
- Use up-to-date real-time anti-malware protection with a web component.
- Use a password manager. It only auto-fills passwords on the exact domain they were saved for, so it will usually refuse to fill them on look-alike phishing domains such as paypa1[.]com or micros0ft[.]com. But Evilginx is trickier because it sits in the middle while you talk to the real site, so this is not always enough.
- Where possible, use phishing-resistant MFA. Passkeys or hardware security keys, which bind authentication to your device and to the site's real origin, are resistant to this type of replay.
- Revoke sessions if you notice something suspicious. Sign out of all sessions and re-login with MFA. Then change your password and review account recovery settings.
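The "phishing-resistant MFA" item above says passkeys resist this relay; the following added example (not code from the Malwarebytes article, Evilginx, or any WebAuthn library) shows the relying-party checks that make that true. When a browser answers a WebAuthn challenge it writes the page's origin into clientDataJSON and hashes the relying-party ID into the authenticator data, so an assertion produced while the user is on a look-alike domain carries the wrong origin and fails verification before any password or code could be relayed. The relying-party ID, expected origin, look-alike domain and challenge bytes are constructed here; the signature check over the authenticator data is deliberately omitted (it needs the registered public key and a crypto library), so this covers only the origin and RP-ID binding.

```python
import base64
import hashlib
import json

# Assumed relying party; any real deployment substitutes its own values.
RP_ID = "accounts.example.com"
EXPECTED_ORIGIN = "https://accounts.example.com"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_client_data(challenge_b64url, origin):
    """Model of the clientDataJSON a browser produces for a get() call.
    The browser, not the page script, fills in 'origin'."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge_b64url, "origin": origin}
    ).encode()


def build_authenticator_data(rp_id, counter=1):
    """Model of authenticatorData: SHA-256(rpId) || flags || signCount."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = bytes([0x05])  # UP (user present) | UV (user verified)
    return rp_id_hash + flags + counter.to_bytes(4, "big")


def verify_assertion_context(client_data_json, authenticator_data,
                             expected_challenge, expected_origin, rp_id):
    """Relying-party checks that bind an assertion to the genuine site.

    Returns 'ok' or a string naming the first failed check.
    """
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return "bad_client_data"
    if cd.get("type") != "webauthn.get":
        return "bad_type"
    # Challenge must be the one this server issued for this login attempt,
    # which also defeats replay of an old assertion.
    if cd.get("challenge") != expected_challenge:
        return "challenge_mismatch"
    # The browser recorded where the user really was; a proxy on another
    # domain cannot make this field say the legitimate origin.
    if cd.get("origin") != expected_origin:
        return "origin_mismatch"
    if len(authenticator_data) < 37:
        return "short_authenticator_data"
    # rpIdHash ties the credential to this relying party's domain.
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rp_id_hash_mismatch"
    if not authenticator_data[32] & 0x01:
        return "user_not_present"
    return "ok"


if __name__ == "__main__":
    challenge = b64url_encode(b"\x01" * 32)  # constructed challenge
    auth_data = build_authenticator_data(RP_ID)
    genuine = build_client_data(challenge, EXPECTED_ORIGIN)
    relayed = build_client_data(challenge, "https://accounts.examp1e.com")
    print(verify_assertion_context(genuine, auth_data, challenge, EXPECTED_ORIGIN, RP_ID))
    print(verify_assertion_context(relayed, auth_data, challenge, EXPECTED_ORIGIN, RP_ID))
```

Contrast this with a password or a TOTP code: neither carries any record of which page it was typed into, so a relay can forward them unchanged. The origin and rpIdHash fields are what a proxy sitting on a different domain cannot supply, and a full implementation additionally verifies the authenticator's signature over authenticatorData plus the hash of clientDataJSON, so the fields cannot simply be rewritten.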
https://www.malwarebytes.com/blog/news/2025/12/attackers-have-a-new-way-to-slip-past-your-mfa