How Can Attackers Enumerate Entra Apps Without a Compliant Device?

Asked By TechSavant99 On

I recently encountered a troubling situation where a user fell victim to a phishing attack involving Evilginx. They entered their credentials and completed MFA, but luckily we have a policy requiring compliant devices for access to most apps. My concern is whether it's possible for an attacker, even without a compliant device, to enumerate available Entra apps in our setup. I tried accessing myapps.microsoft.com from a non-compliant device and was blocked, but I'm curious if there are other methods an attacker could exploit to discover applications like our RDP client. We're looking into enhancing our security by introducing YubiKeys for non-compliant devices in the future, but I want to understand our potential risks in the meantime.

2 Answers

Answered By CyberNinjaX On

A key point to remember is that Evilginx doesn’t just capture credentials but can also grab session tokens. So, even with your compliant device policy in place, if an attacker replays a stolen token before you've revoked sessions, they could bypass the checks since the token was issued by a legitimate device. While you're waiting on YubiKeys, consider enabling Entra Identity Protection sign-in risk policies, which can help catch risky sessions based on behaviors like impossible travel or unusual IP addresses. It won't be a perfect fix, but it’s a solid stopgap until you can implement more robust measures.

InquisitiveMind56 -

I get that Evilginx captures tokens, but I thought compliant device checks would block any session initiated that way. Can you explain how those tokens can still be exploited?

Answered By SecurityGuru42 On

I've experienced a similar issue before. Evilginx can be especially tricky because it captures both credentials and the session token, allowing the attacker to potentially access accounts later. The good news is your compliant device policy is a huge help, but the concern now is that the attacker has valid credentials. You should definitely reset the user's password and revoke any active sessions immediately. In terms of enumeration, be aware that a savvy attacker with a valid token could access the Graph API to list out apps without hitting the compliance check. I'd recommend checking your sign-in logs for any suspicious activity on that account during the past day.

CuriousTechie88 -

Thanks for the insights! I'll dive into the Graph API tomorrow. We've done the necessary remediation steps, but I'm just trying to figure out what other risks are out there while we work on getting YubiKeys.
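The second answer recommends reviewing the sign-in logs for the affected account. The following is an added example, not code from this thread: it scans constructed records shaped like Entra ID sign-in log entries (the field names userPrincipalName, ipAddress, resourceDisplayName, conditionalAccessStatus, deviceDetail.isCompliant and status.errorCode are assumed from that schema) and flags successful sign-ins that fit the replayed-token pattern discussed above: Microsoft Graph access from a non-compliant device, sign-ins where no Conditional Access policy applied, and source IPs outside the user's baseline.

```python
import json

# Constructed sample records (not real tenant data). Field names follow the
# Entra ID sign-in log schema as assumed here; error code 53000 is used as the
# "device not compliant" failure that Conditional Access would return.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "appDisplayName": "Windows Sign In",
     "resourceDisplayName": "Windows Azure Active Directory",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"isCompliant": True}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77",
     "appDisplayName": "Graph Explorer", "resourceDisplayName": "Microsoft Graph",
     "conditionalAccessStatus": "notApplied",
     "deviceDetail": {"isCompliant": False}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77",
     "appDisplayName": "My Apps", "resourceDisplayName": "Microsoft App Access Panel",
     "conditionalAccessStatus": "failure",
     "deviceDetail": {"isCompliant": False}, "status": {"errorCode": 53000}},
])


def find_suspicious(signins, known_ips):
    """Return findings for successful sign-ins that match the replay pattern.

    known_ips maps userPrincipalName -> set of IPs seen before the incident.
    Failed sign-ins (non-zero errorCode) are skipped: the policy did its job.
    """
    findings = []
    for s in signins:
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue
        compliant = s.get("deviceDetail", {}).get("isCompliant", False)
        reasons = []
        # A valid token used against Graph from an unmanaged device is how an
        # attacker would list apps without ever touching the My Apps portal.
        if not compliant and s.get("resourceDisplayName") == "Microsoft Graph":
            reasons.append("graph-from-noncompliant-device")
        # Conditional Access never evaluated: a gap in policy scope.
        if not compliant and s.get("conditionalAccessStatus") == "notApplied":
            reasons.append("no-conditional-access-policy-applied")
        user = s["userPrincipalName"]
        if s["ipAddress"] not in known_ips.get(user, set()):
            reasons.append("ip-not-in-baseline")
        if reasons:
            findings.append({"user": user, "ip": s["ipAddress"],
                             "app": s.get("appDisplayName"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    baseline = {"alice@example.com": {"203.0.113.10"}}
    for f in find_suspicious(json.loads(SAMPLE_SIGNINS), baseline):
        print(f)
```

Any hit on the first two reasons for an account known to have been phished is a strong signal to revoke sessions and reset credentials, as the answer above advises.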
