kgretzky / evilginx2

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
BSD 3-Clause "New" or "Revised" License
10.72k stars 1.94k forks

O365 - Request #4

Closed bsmithday closed 5 years ago

bsmithday commented 6 years ago

Hi kgretzky,

First... excellent project!!! Second, my request: do you have any wiki with instructions on how to add other phishlets (e.g. Office 365)? Outlook is a great phishlet, but it's not useful to go after O365 accounts.

Thanks for your help!

kgretzky commented 6 years ago

Hey! Yes, good suggestion, I will add O365 to the TODO list and you can expect it in the future.

mlinton commented 6 years ago

Better yet - why don't you post a quick how-to on the process of creating custom phishlets and the community will do the rest.

kgretzky commented 6 years ago

Believe me, writing a comprehensive how-to will not be "quick", but it is also in the TODO.

kjblack commented 6 years ago

I kind of have this working. I can capture creds but having some issues capturing the tokens after a successful 2FA auth.

Happy to share my work so far if anyone can add to it.

cncordeiro commented 6 years ago

Hi @kjblack ,

I'm in the process of trying to make this work for office365 and I don't yet have the need for 2FA. Would you mind sharing your office 365 yaml file with what you have so far?

Thanks!

JRodriguez556 commented 6 years ago

I have a beta available. I am able to capture credentials but not MFA tokens.

https://github.com/JRodriguez556/evilginx-0365-beta

bsmithday commented 6 years ago

Right here is my Phishlet version (o365.yaml)

https://github.com/bsmithday/o365.yaml/blob/master/o365.yaml

I'm able to capture the tokens and creds, but I need help to figure out why it's not redirecting after successful login. Any help will be appreciated!

JohnnyRad commented 6 years ago

Hi @bsmithday @JRodriguez556, these two yamls cannot capture credentials, but redirect to login.live.com. The sessions command can detect o365, but username and password are null.

bsmithday commented 6 years ago

Hey JohnnyRad, you might have something going on with your settings. "login.live.com" is only invoked for the Outlook phishlet. As you can see in the .yaml code, we make calls to "login.microsoftonline.com", which correspond to o365. Reload your phishlets and make sure you have the right setting in your config file.

JRodriguez556 commented 6 years ago

@JohnnyRad, If you use a Microsoft account rather than an O365 account it will redirect you to login.live.com. You need to attempt to sign in with an account linked with Office 365 rather than a generic Microsoft account.

JohnnyRad commented 6 years ago

@bsmithday, @JRodriguez556, thanks.

Previously I did use the free Outlook type of account, and it always redirected to login.live.com. Then I signed up for a free Office 365 account which can log in to Office 365. After entering the email account and clicking the Next button on the page https://login.microsoftonline.com, the web page is still redirected to https://login.live.com.

Does this mean that I must buy a pro Office 365 account to test?

When I picked up a pro Office 365 account, @bsmithday's o365.yaml captured the pass and token, and the problem is that the token cannot work.

Another trouble: after the Next button for some Office 365 accounts, the webpage will be redirected to a custom domain name, and then the interaction process will not be related to evilginx2.

JRodriguez556 commented 6 years ago

> Another trouble: after the Next button for some Office 365 accounts, the webpage will be redirected to a custom domain name, and then the interaction process will not be related to evilginx2.

If the organization is using On-Prem AD you will be redirected to their ADFS sign in site. You will need to create a YAML file specific to that sign in page. The ones discussed here are for organizations that host authentication in O365.

JohnnyRad commented 6 years ago

@JRodriguez556 Yes, it would be nice if implemented in only one yaml file.

BoogleCloud commented 6 years ago

My organization uses O365 with on-prem AD and I am interested in demoing this method of phishing...because of course management thinks 2FA was the security silver bullet ;-)

I did some detective work already to determine the various domains and came up with something similar to the o365.yaml that @bsmithday made. I also validated with a normal login session that if I export the ESTSAUTH cookie once everything is authenticated, I can load this cookie on another system and immediately impersonate the user with no further prompting.

With evilginx the initial login.microsoftonline.com page is correctly getting intercepted, but when I enter the organizational email and it redirects me to the on-premise STS server, evilginx gets cut out. From the network logs, login.microsoftonline.com loads scripts from secure.aadcdn.microsoftonline-p.com, which then must run some checks against the ID I entered and ultimately redirect to sts..com. The links to these scripts are not getting rewritten by evilginx and I am at a loss to figure out why. I have tried adding sub_filters with varying degrees of specificity.

Are there issues with proxying multiple domains in evilginx? Do these need to be broken out into separate yaml files?

(I'd be happy to open this as a new issue if needed!)

ztxq commented 5 years ago

Hi, I tried to do the Office 365 phishlet for the 2.2 version. The problem is that when submitting the user, the following error comes: "There was an issue looking up your account. Tap Next to try again." Any idea? CODE: https://gist.github.com/ztxq/b0dbdb63409f9d320985c46d984a5d63

JRodriguez556 commented 5 years ago

I've updated my Phishlet to work with v2.2.0. Currently will not redirect after successful login. Not sure if this is a problem with the way O365 handles requests.

https://github.com/JRodriguez556/o365.yaml

JamesCullum commented 5 years ago

Created a PR here for this specific phishlet: https://github.com/kgretzky/evilginx2/pull/178 It definitely benefits from the automatic rewrites in v2.3.0 and can reduce complexity.

There are several reasons for the issues you guys mentioned.

1trevor commented 5 years ago

Curious if anyone here is still able to use the ESTSAUTH cookie successfully to get around MFA. If I capture the ESTSAUTH cookie it gets me past the password prompt, but I still get prompted for MFA. I'm not sure if Microsoft made some changes or I have some other problem on my end.

JamesCullum commented 5 years ago

Just restore all cookies captured after MFA while being on the correct page.

DarknightCanada commented 2 years ago

Hey Gents!

Started working with evilginx2 for an upcoming engagement! All the phishlets work except o365, and I keep getting this error:

```
We're unable to complete your request

invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.
```

Any idea if I am doing something wrong or Microsoft got smarter?

Thanks

blackpungas commented 1 year ago

Hey @DarknightCanada, were you able to solve that? I'm facing the same here :(

bsmithday commented 1 year ago

Try with this o365 phishlet: https://github.com/BakkerJan/evilginx2/blob/master/phishlets/o365.yaml

Jamivenkatasuraj commented 1 year ago

> Hey Gents!
>
> Started working with evilginx2 for an upcoming engagement! All the phishlets work except o365, and I keep getting this error:
>
> ```
> We're unable to complete your request
>
> invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.
> ```
>
> Any idea if I am doing something wrong or Microsoft got smarter?
>
> Thanks

I am facing the same issue!

4renwald commented 1 year ago

> Hey Gents! Started working with evilginx2 for an upcoming engagement! All the phishlets work except o365, and I keep getting this error: "We're unable to complete your request. invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application." Any idea if I am doing something wrong or Microsoft got smarter? Thanks
>
> I am facing the same issue!

Were you able to solve it?

bsmithday commented 1 year ago

Likely you are not phishing an O365 account. "https://login.live.com" refers to an @outlook.com or @hotmail.com account.

ligmaSec commented 7 months ago

Did you guys manage to solve this?

Jamivenkatasuraj commented 7 months ago

Yes, you should use an actual business subscription O365 account for the page to load.

On Mon, 12 Feb 2024 at 9:24 PM, ligmaSec wrote:

> Did you guys manage to solve this?