I Stole a Microsoft 365 Account. Here's How.
https://jh.live/evilginx || Get phishing into your next red team assessment or penetration test, and make it a breeze with Evilginx! Use my link for 20% the Evilginx Mastery course: https://jh.live/evilginx
PS, I’ll be presenting for the CloudSec 360 webinar with Wiz on the MOVEit Transfer exploitation — tune in on November 8th! https://jh.live/wiz360
Free Cybersecurity Education and Ethical Hacking
🔥YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe!
🙏SUPPORT THE CHANNEL ➡ https://jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ https://jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ https://jh.live/discord ↔ https://jh.live/twitter ↔ https://jh.live/linkedin ↔ https://jh.live/instagram ↔ https://jh.live/tiktok
💥 SEND ME MALWARE ➡ https://jh.live/malware
by John Hammond
linux web server
This won't work until target is an IT illiterate and follow phishing mails.
You did not stole anything. You just another YT level "security expert".
1. you clicked the link that would be blocked, you even demonstrated that.
2. you authorized the access as well through MFA
3. you did not get access to everything as Admin portal is separate and would require separate authentication
4. impossible travel will be detected as soon as you will login and even if you wait your auth token will expire.
What is the difference between simply installing trojan on user PC and this approach. None. This approach is shit. This video is shit as it just tries to sell some more shit.
What would make sense for the video if evilginx would be installed on router sitting silently and updating silently, on a router you would not have powerful antivirus and there would be no impossible travel detection.
who ever idea make .zip top level domain should be in jail
main problem is its went to junk folder 😂
It’s not stealing if you ask for it and they give it to you willingly. 😉
have programmed a HTML+CSS phishing website for my business. and I want to know how to get what user are typing on the login page so I can se if they are given out sensitive information
All these cookies made me hungry…
So, time to start moving to FIDO keys I guess.
Really a nice thing. Nevertheless, this thing only caught people who dont know anything about URL.
Worst click bait video I've seen. This is basic self phishing and the email went straight to JUNK 😂. What kind of idiot would click on that link
I worry that this information will end up being used by bad actors instead of pen testers 🙁
1- so the password it's not actually revealed or was it "Super Secret Password"?
2- we just care about the tokens and/or the session cookie because of the 2FA?
3- what about the certificates, how do they look, are they self signed?
4- ta 16:19 it says the session cookie is not found, what does that mean?
5- how does the reversey proxy prompt for MFA and send it to the victim's actual phone and generate a valid session cookie for the actual 365 service? is that the fishlet?
Nice video john
Insightful ! Thanks for sharing this man.
Well done John!
pretty tired of these videos lacking real substance. All credit to John for raising awareness, but would be much more informative to give a realistic sense of things to people instead of a magical phishing solution. I wouldn't advise anyone to waste time here because let's talk about a few things. John glazed very slickly over the email going to junk email. that's going to be a very significant problem, unless you get all your records in order, dmarc etc, buy a trusted domain and warm it up a bit, not to mention the avoidance of 'security' in the header, lol. also there's smartscreen, conditional access policies to contend with if the victim's IT team at least know anything about security. hence why the founder of this tool is now rolling out 'evilginx pro', evilpuppet and is now going to charge 1500 EUR for only vetted red teamers to get access to working phishlets. don't expect phishlets to work out the box. it won't work on LinkedIN due to the secret token. there are a million other better videos on this on YouTube from domain registration to deployment, so people should start from there. also, let's not forget that the tool's author bakes in some easter eggs that you should remove before using this. the tool has become less and less useful over the years and it's hard to not argue that it's not some baked-in obsolecense from the author to first make people buy the 'evilginx mastery' course and to then entrap them in more and more purchases.
You're root … Why sudo?:)
Which software would you guys recommend that is best for recovering files from Android phones. I use windows btw
There is one simple solution. Tradermarked names like onedrive or microsoft should not be allowed to be used in domains. This would solve 99% of phishing. Does stolen cookie leave login ip trace? I wonder if checking login history based on ip is secure enough or not anymore.