Open kpomeroy1979 opened 2 months ago
Are you sure the redirect_url is not proxied (aka defined in proxy_hosts) with auto_filter=true (default)? That would be a feature.
I found it. Those settings are in the actual phishlet itself in /usr/share/evilginx/phishlets/
Are you suggesting that I add auto_filter: true somewhere in the phishlet? Sorry, I don't quite understand your advice.
Here are my current settings for my o365 Phishlet
proxy_hosts:
auto_filter: true
is set by default.
Whenever you redirect a user to a URL in proxy_hosts, the filter is triggered, and all legitimate URLs are replaced with phishing URLs. So you must redirect to some URL that is not in proxy_hosts.
It is bad. However, it is a feature. I hope this will be modified in the future.
The workaround is using some online URL shortener, which redirects users to legitimate sites.
Just search for URL shorteners, paste in the redirect URL, and it will yield something like this: https://shorturl.at/hklsI
which you can use as redirect_url.
Also, the final page must meet all requirements in this IF statement.
It is poorly implemented, and I had to change the source code and recompile my custom version for one use case.
@kgretzky @matejsmycka how do I address the issue where the Evilginx lure URL stops working after one successful session and requires clearing cookies?
@kgretzky The lure redirect_url option does not work. Regardless of the setting it does not redirect users after they complete the authentication and MFA flow using a Microsoft 365 Phishlet.
This functionality used to work, but it seems like something has changed recently. Sometime after he modified the redirect code in evilginx3/core/http_proxy.go from using a Location header with a 302 code to using JavaScript, the redirect_url broke.
Each time the user authenticates and goes through the MFA workflow, the software captures credentials and session tokens, but then the whole process of logging in to MS365 starts over again, whereas in older versions it would redirect the user somewhere (Google, the real MS365, a custom landing page, etc.).