Nice. In addition to FIDO2 hardware keys, filtering policies to block newly registered or unknown domains can stop this, and any password manager will stop this as well.

Awesome explanation and ease of use showing. This essentially blows away the MFA security blanket if someone just hit the "yes" button when they think they are logging in to a legitimate session.

Great demonstration. The weakest link is cybersecurity continues to be the user. It is becoming very difficult for normal users to identify phishing and MITM attacks.

I got myself a Yubikey. I love it, not only is it great for security but its so much nicer then typing codes all time. I really do wish more site’s supported it.

There are solutions. The idea behind this whole attack is that it makes a standard MITM attack but there are Auth systems like Zalter Identity which are impossible to break in this way. The idea behind their authentication is that they exchange a signature key on both sides and eventually instead of using tokens to maintain the identity, full message (request) signatures are used to authenticate the user is who they claim they are. Take a look at their product and see whether you're finding it better. Now in regards to the Client Hello fingerprinting that would be fine if the client fingerprint would be fixed. With TLS 3 that's basically not the case for the client. Would, however fulfill the same exact purpose as a user signature key. There are issues with the way you can trust the files in the browser which is basically the main problem. In that regard HSTS and certificate pinning have done something to alleviate the problem but not completely. If the user is fished for though... then nothing can protect them really.

Great information thanks.... But what about Phones then. if people access their email via Phone how will they be able to use a fidokey.?

Great video, but about guardio did you check their privacy policy & ToS ?

how do you typically decide what projects to do and where do you often source your research from? I'm a bit more advanced in my IT and cybersecurity career but am always itching to learn a new skill. I could use some insights on finding new and interesting things to trial and experiment with myself.

does it still works until nowadays? I heard microsoft has implemented a way to prevent this, but I'm just wondering is it still working nowadays

Still It needs a successful Phishing right? Call me old fashion, but I use google authenticator, no pop up notification 🙂

hello, i am having issues with the certificate part. its not installing, its showing "acme: error: 403 :: urn:ietf:params:acme:error:unauthorized" . Please how do i fix it?

HOLY FUCK! lol I’ve analyzed these phishing emails everyday but didn’t know the mfa bypass capabilities… cant wait to go to work lol.. Thanks so much

Microsoft have a version of fido2 passwordless using their Authenticator app and ‘enter the on-screen number’ prompts. Could this be replayed too?

Is the token still valid if the attacker’s connection comes from a different source IP address than the legitimate user?

Not sure if the email address is correct but if it is, you missed some blurring around 3:54 in the link preview at the bottom of the screen

How can something similar be accomplished on a mobile device? Is it possible through the same/similar method?

Great video, thanks Grant!

Just earned a sub, good content. I liked the defensive strategy option at the end. If you're gona expose a problem, better provide a solution (if able to) Most channels dont really do this or its so damn convoluted and drawn out if they do.

May I ask how do you know what DNS record to add for each phishlet? They would need to be different wouldnt they? Great video!

This depends on the user clicking on a link to the fake login site, correct? I hate it when Chrome and other browsers do not show the actual URL in the status bar. Also, the URL address bar just shows the title of the page.

Great Content Boss 😎

Please how do I update my office 365 phish to grab tokens ?

Great video man

great video @collinsinfosec. Do you think that some sort of server+client side validation of the fqdn through javascript (obv. in a secure way) would prevent users from falling on this kind of trap?

Great video!

is it still working as per now februari 2023?

Does this only apply to o365. Are session cookies treated differently for each website? All the tutorials i have seen has been only around office 365

Do you know tool that can gain useful information about a given Facebook account?

Great video sir :)

how did you managed to get that certificate ? You mentioned about lets encrypt cert which In my knowledge shows a Exclamation(!) sign in the website lockpad

Doesn´t Microsoft check source parameters (source IP, type of Browser, etc) of sessions? For exapmle if i would catch sombodys login data and user session and copy it into a different browser / source ip, Microsoft should ask for 2FA Auth. Would be great if someone could elaborate if my thought process is right and that this attack shouldn´t work in the real world.

Very cool video man. Ty!!

Second defence I do out of habit is sign into a website with a horrible to remember unique password and allow the browser to remember it. Then change the password by adding second unique password to the end of the first. When I log in I let the browser auto fill in the first half of the password and then type the second part of the password and decline the option for the browser to update its password. Such an attack with spoofed login screen form an untrusted domain should not be auto filled by the browser, and would prevent me providing the complete password.

Awesome work

why do you use windoe

How are you getting it to trust the SSL cert on the website?

Sir please upload how to start cyber security career in 2022

Do you use a Tower PC or a laptop ?

Thank you so much! !!

Disable Javascript by default and then allow it on a site by site basis stops a number of attacks. When you visit a site such as youtube or webmail login the site has a red x. Enable javascript for this site (if you trust it) and you are protected a number of unknown zero days sitting on other sites you may visit. Man in the Middle also breaks as its javascript is not trusted and not run, unless they have the server's private key for a domain you trust. After you've trusted your most commonly visited sites, you should have little or no problems on them.

Nice demo, but we have not exactly "bypassed" MFA. MFA has been used every time to logon

I don't know how i find you? 😇 But really I'm quietly loving your videos ♥

Great teaching. Just some few setbacks I'm experiencing and I would need your guidance. I'm done setting the lures and a link was generated for me . But i cant access the website cos the server cant be found. is there something I'm not doing right?

Best of the best

Pretty sure this is exactly how MFA was bypassed at Uber

where did you put the ssl cert ?

facebook passwords cannot see in this tool.

good video! deee booo dahhhh

make video on 100% bit locker bypass

Why blur everything? Just create a dummy account and test on it.

evilginx - like nginx is engine x, replace en with evil.

Impressive

Dear FBI, I am watching this video for just educational purposes

heyy buddy can you make some networking content like ccna, ccnp

A more pleasant future for the web would have no user authentication step at all, rather your device would store the cryptographic equivalent of object capabilities. ocaps have an elegant mathematical formalism that opens up completely new ways of working on the web. Of course, while you can build sites this way on the web today, the browser is somewhat hostile toward putting secrets in URLs because it will happily display secret url components to anyone who can see your screen.

Hey buddy make some vlogs ...that'll be great.... and i remember you were a great vlogger....

Please make vd for install this tool and good work

Great

bro blurs the username and password but he forgot to blur token haha

Only amateurs use SMS for MFA. This threat is no threat at all.

Thank you for your videos, If I may ask you to speak a little slowly, not all of us are English mother tongue.

❤❤❤❤❤❤❤❤👍👍👍👍👍👍👍👍

Guardio is overpriced! Just use the brave Browser

lol, fatique attack. how simple is it to disable notifications? are you mad?

Does this still work?