MITRE ATT&CK® Tool

S9003: evilginx2

evilginx2 is an open-source adversary-in-the-middle (AiTM) attack framework based on the open-source nginx web server. evilginx2 can be used as a reverse proxy between victims and legitimate web services to intercept and capture credentials, authentication tokens, and session cookies.[1][2][3]

Enterprise | S9003 | Tool | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

evilginx2 matters because it is an open-source adversary-in-the-middle framework designed to sit between a user and legitimate cloud or web services, enabling capture of credentials, authentication tokens, and session cookies. For leaders, the key issue is not only phishing risk; it is whether MFA, SaaS, office suite, identity provider, and IaaS access can be abused through stolen sessions even when passwords and second factors are in use.

Executive priority

Prioritize this as an identity and cloud resilience issue. Executives should ask whether the organization can detect suspicious session use, token or cookie theft, AiTM-style login flows, and post-authentication access to SaaS, office suite, identity provider, and IaaS platforms. This object supports budgeting and audit conversations around phishing-resistant authentication, session governance, identity telemetry retention, and incident response playbooks for stolen credentials and web sessions.

Technical view

MITRE provides no official detection text for evilginx2, so SOC and IR teams should validate coverage through the related behaviors: MFA interception, adversary-in-the-middle activity, stolen web session cookies, spearphishing links, web protocol use, external proxying, JavaScript execution, data obfuscation or encoding, and possible certificate trust manipulation. Detection engineering should focus on identity-provider and SaaS events around anomalous sign-ins, session reuse, unusual token or cookie behavior, suspicious source infrastructure, and user-reported phishing links, while recognizing that web traffic and proxy patterns can blend into normal HTTP/S activity.

Likely telemetry

  • Identity provider sign-in, MFA challenge, token, session, and conditional-access logs
  • SaaS, office suite, and IaaS audit logs for authentication and session activity
  • Web proxy, DNS, secure web gateway, and HTTP/S metadata related to phishing links and proxy infrastructure
  • Email security and user-reporting telemetry for spearphishing links
  • Endpoint/browser telemetry where available for certificate store changes, browser session artifacts, and suspicious JavaScript execution

Detection direction

  • Validate that identity and SaaS logs retain enough detail to investigate stolen-session and MFA-interception scenarios, not just failed logins.
  • Tune for impossible or unusual session transitions, changes in source network characteristics, suspicious user-agent or proxy behavior, and access to cloud services after phishing-link interaction.
  • Correlate email or web-click telemetry with subsequent identity-provider, office suite, SaaS, and IaaS authentication events.
  • Review visibility into certificate trust changes because the related behavior includes installing root certificates, but avoid assuming this occurs in every evilginx2 case.
  • Account for false positives from legitimate proxies, VPNs, travel, and managed browser/security tools; detections should rely on correlated identity, network, and user behavior rather than a single web indicator.
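The correlation the bullets above call for, as an added example that is not code from the Glexia page or the evilginx2 project: over constructed click and identity-provider events (field names are assumptions, not a vendor schema), it flags a session that was established with MFA shortly after a phishing-link click and then reused from a different source IP or browser without a new MFA event.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (added example); field names are assumptions,
# not a vendor schema.
CLICKS = [  # email / web-gateway click events
    {"user": "alice", "ts": "2025-03-01T09:00:00", "url": "https://login.lookalike.test/?o=aGVsbG8"},
]
SIGNINS = [  # identity-provider sign-in and session events
    {"user": "alice", "ts": "2025-03-01T09:01:10", "session": "s1",
     "ip": "203.0.113.7", "ua": "Mozilla/5.0 (Windows NT 10.0)", "mfa": True},
    # Same session id minutes later from another network and browser, no new MFA
    {"user": "alice", "ts": "2025-03-01T09:04:30", "session": "s1",
     "ip": "198.51.100.9", "ua": "Mozilla/5.0 (X11; Linux x86_64)", "mfa": False},
    {"user": "bob", "ts": "2025-03-01T10:00:00", "session": "s2",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Windows NT 10.0)", "mfa": True},
    {"user": "bob", "ts": "2025-03-01T10:30:00", "session": "s2",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Windows NT 10.0)", "mfa": False},
]
CLICK_WINDOW = timedelta(minutes=15)  # tunable click-to-sign-in gap


def session_reuse_findings(signins):
    """Flag later use of a session whose source IP or user agent differs from
    the MFA-satisfied event that established it; a fresh MFA re-baselines it."""
    base, findings = {}, []
    for ev in sorted(signins, key=lambda e: e["ts"]):  # ISO timestamps sort in time order
        key = (ev["user"], ev["session"])
        if key not in base or ev["mfa"]:
            base[key] = ev
            continue
        reasons = [name for name, f in (("ip", "ip"), ("user_agent", "ua"))
                   if ev[f] != base[key][f]]
        if reasons:
            findings.append({"user": ev["user"], "session": ev["session"],
                             "established": base[key]["ts"], "reused": ev["ts"],
                             "reasons": reasons})
    return findings


def detect(signins, clicks, window=CLICK_WINDOW):
    """Escalate a finding when the session was established within `window`
    after a phishing-link click by the same user (the AiTM timing)."""
    out = []
    for f in session_reuse_findings(signins):
        est = datetime.fromisoformat(f["established"])
        gaps = [est - datetime.fromisoformat(c["ts"]) for c in clicks if c["user"] == f["user"]]
        clicked = any(timedelta(0) <= g <= window for g in gaps)
        out.append({**f, "severity": "high" if clicked else "medium"})
    return out
```

Legitimate VPN or network changes also produce "medium" findings, which is why the click correlation, not the IP change alone, drives the escalation.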

Mitigation priorities

  • Strengthen identity controls first: prefer phishing-resistant authentication where feasible and enforce risk-based access and session controls for identity provider, SaaS, office suite, and IaaS platforms.
  • Reduce session abuse impact by reviewing token lifetime, reauthentication requirements, device posture checks, and procedures for rapid session revocation during incidents.
  • Maintain phishing-link prevention and response processes, including email/web filtering, user reporting, and rapid investigation of reported credential-harvesting pages.
  • Ensure incident response playbooks cover credential reset, MFA factor review, token/session invalidation, audit-log preservation, and cloud/SaaS access review.
  • Harden endpoint and browser environments where relevant, including monitoring for unauthorized root certificate installation and suspicious browser/session activity.

Analyst notes and limits

The supplied ATT&CK object identifies evilginx2 as an open-source AiTM reverse-proxy framework based on nginx and lists platforms as IaaS, Identity Provider, Office Suite, and SaaS. The relationship set strongly frames the risk around credential access, collection, web sessions, MFA interception, web protocols, proxies, spearphishing links, and stealth-related behaviors. This should be treated as a validation prompt for identity, cloud, SOC, and IR readiness rather than as proof of activity in any environment.

MITRE did not provide official detection text, aliases, labels, or tactics directly on the tool object. The assessment is limited to the official description, external references, platforms, and stated ATT&CK relationships. Local telemetry, identity architecture, SaaS configuration, and incident evidence are required to determine actual exposure or detection coverage.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

14 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1059.007 | JavaScript (Sub-technique)
evilginx2 can inject JavaScript code into HTML content to customize phishing attacks. Citation: Breakdev Evilginx 2.3 JAN 2019

Enterprise | T1497.003 | Time Based Checks (Sub-technique)
evilginx2 has the ability to hide phishing lures for a set time to avoid scanning by sandboxes. Citation: Breakdev Evilginx 3.2 AUG 2023

Enterprise | T1480 | Execution Guardrails
evilginx2 can reject requests to phishing URLs if the User-Agent of the visitor doesn't match the allowlist REGEX filter for a specific lure. Citation: Breakdev Evilginx 2.4 SEP 2020

Enterprise | T1539 | Steal Web Session Cookie
evilginx2 can collect information on each session with a victim including the session cookie. Citations: Evilginx 2 July 2018; Sophos Evilginx MAR 2025

Enterprise | T1071.001 | Web Protocols (Sub-technique)
evilginx2 can proxy HTTPS connections between victims and destination websites. Citations: Evilginx 2 July 2018; Breakdev Evilginx 2.4 SEP 2020; Breakdev Evilginx 3.3 APR 2024

Enterprise | T1557 | Adversary-in-the-Middle
evilginx2 has the ability to act as an adversary-in-the-middle (AiTM) relay between a legitimate website and a phished user to capture all transmitted data including usernames, passwords, authentication tokens, and session cookies and tokens. Citations: Evilginx 2 July 2018; Breakdev Evilginx 3.0 May 2023; Breakdev Evilginx 3.2 AUG 2023; Sophos Evilginx MAR 2025

Enterprise | T1185 | Browser Session Hijacking
evilginx2 can inject custom POST arguments into requests to silently enable "Remember Me" options during authentication to stay logged in across browser sessions. Citation: Breakdev Evilginx 2.2 NOV 2018

Enterprise | T1111 | Multi-Factor Authentication Interception
evilginx2 can intercept authentication tokens to enable bypass of non-phishing resistant forms of MFA. Citation: Evilginx 2 July 2018

Enterprise | T1132 | Data Encoding
evilginx2 can randomly generate and Base64 encode parameters in phishing links to defeat static detection. Citation: Breakdev Evilginx 2.4 SEP 2020

Enterprise | T1553.004 | Install Root Certificate (Sub-technique)
evilginx2 has obtained a valid SSL/TLS certificate from LetsEncrypt to provide responses to Automatic Certificate Management Environment (ACME) challenges. Citation: Evilginx 2 July 2018

Enterprise | T1090.002 | External Proxy (Sub-technique)
evilginx2 can route traffic via SOCKS5 and HTTP(S) proxies between an intended phishing victim's machine and legitimate websites. Citations: Evilginx 2 July 2018; Breakdev Evilginx 2.4 SEP 2020; Sophos Evilginx MAR 2025

Enterprise | T1016 | System Network Configuration Discovery
evilginx2 can capture information from each session with a victim including the public IP used to access the server and the user agent. Citation: Sophos Evilginx MAR 2025

Enterprise | T1598.003 | Spearphishing Link (Sub-technique)
evilginx2 can generate and display phishing URLs including hidden tracking pixels and can also embed URLs within iframes for browser-in-the-browser phishing. Citations: Breakdev Evilginx 2.3 JAN 2019; Breakdev Evilginx 3.3 APR 2024; Sophos Evilginx MAR 2025

Enterprise | T1001 | Data Obfuscation
evilginx2 can modify the Origin and Referrer fields in HTTPS headers it relays between intended victims and legitimate websites to comply with cross-origin resource sharing (CORS) restrictions. Citation: Evilginx 2 July 2018

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e8f6edebd3671360...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | e8f6edebd367…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Evilginx 2 July 2018: Gretzky, K. (2018, July 26). Evilginx 2 - Next Generation of Phishing 2FA Tokens. Retrieved October 14, 2019.
  2. Breakdev Evilginx 2.1 SEP 2018: Gretzky, K. (2018, September 10). Evilginx 2.1 - The First Post-Release Update. Retrieved January 27, 2026.
  3. Sophos Evilginx MAR 2025: Everts, M. (2025, March 28). Stealing user credentials with evilginx. Retrieved January 27, 2026.
  4. mitre-attack S9003

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.