Interesting thing happened this morning, I was doing a demonstration of how to setup Evilginx and perform a token theft so that my clients could demo this for their employees. After the installation was performed flawlessly, I went to do the actual attack and received this error message:
I thought it was odd, so I retried, same error message and then I ended up firing up a video to show the attack. Not as impactful but better than nothing. I've since spent the better part of this day trying to figure out what went wrong. I've tried the following:
- Different browsers in and out of incognito mode
- Different networks
- Different operating systems including mobile devices
- I've also looked into a few different phishlets, but all inevitably give this same error message
- Obviously, different M365 accounts and tenants
What's very strange is that upon inspection of the traffic, it appears that it's looking up an incorrect username, check this out!
This is the username it is requesting, but look at the response!
I've never seen this username and it's always the same email address no matter what account I try. 'selakamo@onmicrosoft.com'. If it's trying to find that username, that would explain why it's not working. One thing that is also quite puzzling is if I use the outlook phishlet, it works, but the sign in screen is a tad different (https://github.com/hidden9090/Evilginx2-Phishlets)
Is anyone else experiencing the same issue?
Update (6-29-25)
After being granted access to the Discord server for evilginx, it turns out I wasn't the only one having this issue. It appears to be released to the way that Evilginx is compiling. There appears to be a library file that has been updated that doesn't exactly jive with Evilginx. If you use the pre-compiled version of Evilginx, everything works as intended.
Here's the link to the pre-compiled version by kgretzky - https://github.com/kgretzky/evilginx2/releases/tag/v3.3.0
I agree that compiling your own version is much cooler, but the pre-compiled works and has fewer steps!
