Interesting thing happened this morning, I was doing a demonstration of how to setup Evilginx and perform a token theft so that my clients could demo this for their employees. After the installation was performed flawlessly, I went to do the actual attack and received this error message:
I thought it was odd, so I retried, same error message and then I ended up firing up a video to show the attack. Not as impactful but better than nothing. I've since spent the better part of this day trying to figure out what went wrong. I've tried the following:
- Different browsers in and out of incognito mode
- Different networks
- Different operating systems including mobile devices
- I've also looked into a few different phishlets, but all inevitably give this same error message
- Obviously, different M365 accounts and tenants
What's very strange is that upon inspection of the traffic, it appears that it's looking up an incorrect username, check this out!
This is the username it is requesting, but look at the response!
I've never seen this username and it's always the same email address no matter what account I try. 'selakamo@onmicrosoft.com'. If it's trying to find that username, that would explain why it's not working. One thing that is also quite puzzling is if I use the outlook phishlet, it works, but the sign in screen is a tad different (https://github.com/hidden9090/Evilginx2-Phishlets)
Is anyone else experiencing the same issue?
