Evilginx is a powerful open-source man-in-the-middle (MITM) phishing framework designed to bypass traditional multi-factor authentication (MFA) protections. Used by red teamers, penetration testers, and social engineering specialists, Evilginx captures not just credentials but active session tokens by impersonating real websites through reverse proxy techniques. This allows attackers to gain persistent access without needing the victim’s second factor.

Evilginx is not a tool for sending phishing emails—rather, it’s a framework to host highly convincing phishing pages that proxy legitimate login flows in real time. It’s frequently used in advanced phishing simulations and adversary-in-the-middle (AiTM) attack emulation.

First time seeing this?

What Evilginx Does

Evilginx sits between the target and the legitimate website by proxying requests and responses. When a victim visits a phishing link, Evilginx displays a pixel-perfect clone of the target site. As the victim enters their credentials and completes MFA, Evilginx intercepts the entire session—including cookies and tokens—allowing the attacker to impersonate the victim seamlessly.

Unlike static phishing pages, Evilginx dynamically mirrors the live site, bypassing URL verification, content mismatch, and even advanced browser warnings.

Find Tool

Key Features of Evilginx

Reverse Proxy Phishing
Uses a reverse proxy to capture credentials, session cookies, and 2FA tokens by relaying login flows from real websites.

Bypass Multi-Factor Authentication
Intercepts authentication cookies post-login, granting full session access without needing MFA after the initial breach.

Customizable Phishlets
Supports modular configurations (“phishlets”) for targeting specific login portals like Microsoft 365, Google, Facebook, Okta, and more.

HTTPS Support with Let’s Encrypt
Easily deploys valid SSL/TLS certificates for realistic-looking phishing domains.

DNS and Domain Control
Requires proper domain setup and DNS configuration, giving the attacker full control over phishing infrastructure.

Cookie and Token Logging
Automatically logs intercepted session data and credentials for offline analysis or live session hijacking.

Stealth Features
Removes security headers like HSTS and CSP and supports browser fingerprint evasion tactics.

Join CyberMaterial’s subscriber chat

Available in the Substack app and on web

Join chat

Advanced Use Cases

Red Team Engagements
Simulate sophisticated phishing attacks to assess an organization’s resilience against AiTM threats.

Security Awareness Training
Demonstrate real-world phishing risks to executives and employees during social engineering assessments.

Credential Theft Simulation
Emulate modern credential-stealing attacks that go beyond simple username/password harvesting.

Session Hijacking Research
Analyze session security mechanisms and explore how tokens and cookies are managed across cloud platforms.

Phishing Kit Development
Build and deploy custom phishlets tailored for specific applications or single sign-on (SSO) platforms.

Report Incident

Latest Updates

Recent updates to Evilginx include:

• Enhanced phishlet support for OAuth and SAML-based authentication systems

• Improved token parsing for modern cloud service providers

• Session replay refinements to reduce detection during real-time hijacking

• Expanded TLS management tools for better deployment flexibility

• Improved logging for credential and session capture events

  ---

Check Jobs

Why It Matters

As MFA becomes the norm, attackers have adapted with more advanced phishing tactics. Evilginx reflects this evolution, showing that credentials alone aren’t enough to secure access. By demonstrating how even MFA-protected accounts can be compromised, Evilginx forces organizations to rethink their identity and access security strategies. Used ethically in simulations, it helps teams close critical gaps in phishing defense and session handling.

Visit Book Club

Requirements and Platform Support

Evilginx runs on:

• Linux distributions (Ubuntu, Debian, Kali, etc.)

It requires:

• A registered domain name and DNS access

• A VPS or cloud server with root privileges

• Valid SSL certificates (e.g., via Let’s Encrypt)

• Port 80/443 access and basic knowledge of Nginx configuration

• Familiarity with phishing concepts and reverse proxies

Evilginx is open-source and available on GitHub at https://github.com/kgretzky/evilginx2. It includes community-supported phishlets, usage guides, and best practices for ethical red team operations.