Evilginx
A practical guide to the advanced phishing framework using reverse proxy for real-time credential and session hijacking.
Evilginx is a powerful open-source man-in-the-middle (MITM) phishing framework designed to bypass traditional multi-factor authentication (MFA) protections. Used by red teamers, penetration testers, and social engineering specialists, Evilginx captures not just credentials but active session tokens by impersonating real websites through reverse proxy techniques. This allows attackers to gain persistent access without needing the victim’s second factor.
Evilginx is not a tool for sending phishing emails—rather, it’s a framework to host highly convincing phishing pages that proxy legitimate login flows in real time. It’s frequently used in advanced phishing simulations and adversary-in-the-middle (AiTM) attack emulation.
What Evilginx Does
Evilginx sits between the target and the legitimate website by proxying requests and responses. When a victim visits a phishing link, Evilginx displays a pixel-perfect clone of the target site. As the victim enters their credentials and completes MFA, Evilginx intercepts the entire session—including cookies and tokens—allowing the attacker to impersonate the victim seamlessly.
Unlike static phishing pages, Evilginx dynamically mirrors the live site, so the page survives URL verification, shows no content mismatch, and avoids even advanced browser warnings.
Key Features of Evilginx
Reverse Proxy Phishing
Uses a reverse proxy to capture credentials, session cookies, and 2FA tokens by relaying login flows from real websites.
Bypass Multi-Factor Authentication
Intercepts authentication cookies post-login, granting full session access without needing MFA after the initial breach.
Customizable Phishlets
Supports modular configurations (“phishlets”) for targeting specific login portals like Microsoft 365, Google, Facebook, Okta, and more.
HTTPS Support with Let’s Encrypt
Easily deploys valid SSL/TLS certificates for realistic-looking phishing domains.
DNS and Domain Control
Requires proper domain setup and DNS configuration, giving the attacker full control over phishing infrastructure.
Cookie and Token Logging
Automatically logs intercepted session data and credentials for offline analysis or live session hijacking.
Stealth Features
Removes security headers like HSTS and CSP and supports browser fingerprint evasion tactics.
Advanced Use Cases
Red Team Engagements
Simulate sophisticated phishing attacks to assess an organization’s resilience against AiTM threats.
Security Awareness Training
Demonstrate real-world phishing risks to executives and employees during social engineering assessments.
Credential Theft Simulation
Emulate modern credential-stealing attacks that go beyond simple username/password harvesting.
Session Hijacking Research
Analyze session security mechanisms and explore how tokens and cookies are managed across cloud platforms.
Phishing Kit Development
Build and deploy custom phishlets tailored for specific applications or single sign-on (SSO) platforms.
Latest Updates
Recent updates to Evilginx include:
Enhanced phishlet support for OAuth and SAML-based authentication systems
Improved token parsing for modern cloud service providers
Session replay refinements to reduce detection during real-time hijacking
Expanded TLS management tools for better deployment flexibility
Improved logging for credential and session capture events
Why It Matters
As MFA becomes the norm, attackers have adapted with more advanced phishing tactics. Evilginx reflects this evolution, showing that credentials alone aren’t enough to secure access. By demonstrating how even MFA-protected accounts can be compromised, Evilginx forces organizations to rethink their identity and access security strategies. Used ethically in simulations, it helps teams close critical gaps in phishing defense and session handling.
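The gap the sections above keep pointing at is session handling: once the cookie minted after MFA is captured, it is replayed from the attacker's infrastructure rather than the victim's browser. The following is an added defender-side illustration, not code from the Evilginx project; the log format and sample events are constructed for this example, and a real deployment would read the identity provider's sign-in and activity logs instead.

```python
"""Flag AiTM-style session replay: a session that was issued after an MFA
sign-in and is later presented from a different source IP or User-Agent.
Constructed log format: <timestamp> <kind> <session_id> <user> <ip> <ua>."""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts kind session_id user ip ua")

# Constructed sample: alice completes MFA from 203.0.113.7, then her session id
# is used from 198.51.100.9 with a different browser; bob's session stays put.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z mfa_success sess-1 alice 203.0.113.7 Chrome/124
2024-05-01T09:00:30Z request sess-1 alice 203.0.113.7 Chrome/124
2024-05-01T09:03:10Z request sess-1 alice 198.51.100.9 Firefox/125
2024-05-01T09:10:00Z mfa_success sess-2 bob 192.0.2.44 Safari/17
2024-05-01T09:11:00Z request sess-2 bob 192.0.2.44 Safari/17
"""


def parse(log: str):
    """Yield Event records from the constructed log format above."""
    for line in log.splitlines():
        ts, kind, sid, user, ip, ua = line.split()
        yield Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                    kind, sid, user, ip, ua)


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return (session_id, user, mfa_ip, replay_ip, seconds_after_mfa) for every
    session used from a different IP or UA within `window` of its MFA step."""
    issued = {}   # session_id -> the mfa_success event that minted it
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_success":
            issued[ev.session_id] = ev
            continue
        origin = issued.get(ev.session_id)
        if origin is None or ev.ts - origin.ts > window:
            continue          # no MFA record for this session, or outside the window
        if ev.ip != origin.ip or ev.ua != origin.ua:
            alerts.append((ev.session_id, ev.user, origin.ip, ev.ip,
                           int((ev.ts - origin.ts).total_seconds())))
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(parse(SAMPLE_LOG)):
        print("possible session replay:", alert)
```

An IP-only rule fires on users roaming between networks, so production logic usually weights ASN, device identity or token binding alongside the IP and User-Agent comparison shown here.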
Requirements and Platform Support
Evilginx runs on:
Linux distributions (Ubuntu, Debian, Kali, etc.)
It requires:
A registered domain name and DNS access
A VPS or cloud server with root privileges
Valid SSL certificates (e.g., via Let’s Encrypt)
Port 80/443 access and basic knowledge of Nginx configuration
Familiarity with phishing concepts and reverse proxies
Evilginx is open-source and available on GitHub at https://github.com/kgretzky/evilginx2. It includes community-supported phishlets, usage guides, and best practices for ethical red team operations.