Summary of "I Stole a Microsoft 365 Account. Here's How."
Overview
The video is a demonstration (and instruction) of how an attacker could take over a Microsoft 365 account by combining social engineering with a tool called evilginx.
Attack premise
The creator claims they can steal a victim’s Microsoft 365 login by:
- Fooling the victim into visiting a phishing link.
- Using evilginx as a reverse proxy (man-in-the-middle) so the victim appears to authenticate with the real Microsoft domain.
- Bypassing MFA (from the attacker’s perspective) by capturing authentication/session artifacts (such as tokens/cookies) during the authentication flow.
- Later using the captured session details to gain full access to the account.
Why evilginx is central
evilginx is presented as a reverse-proxy phishing framework that can “listen in” on the authentication session. The key emphasized capability is that:
- the victim completes a real login to Microsoft, and
- the attacker collects the session information needed to reuse it.
Because the attacker captures the session artifacts after the successful login, MFA prompts do not stop the takeover once the session is captured.
Infrastructure setup
The creator walks through deploying an evilginx setup on a cloud server (using a DigitalOcean droplet) and installing the required tooling (Go, git, build steps). The process includes:
- pulling evilginx from an open-source repository, and
- building it locally.
Phishing domain preparation
The video highlights creating realistic lookalike subdomains under an attacker-controlled domain (for example, domains that appear related to “OneDrive” / Microsoft branding). These subdomains are intended to match what evilginx phishlets expect.
Phishlets (configuration)
Phishlets are described as the “how-to” configuration for a specific site. A key workflow step is loading a Microsoft 365 phishlet YAML file that defines, among other things:
- minimum evilginx version,
- proxy host/subdomain mapping,
- login/authentication parameters,
- how to capture tokens/cookies after successful login.
The creator notes that crafting phishlets is “art + science” and typically requires inspecting browser developer tools/network traffic to determine what values are needed (e.g., authenticity tokens, HTTP methods, and cookies). They also mention a ready-made phishlet ecosystem (referred to as an “evilginx mastery” ecosystem).
Operational steps in evilginx
The process shown includes:
- Load the phishlet and verify it is enabled (initially disabled, then enabled).
- Configure evilginx with:
  - the phishing hosting domain,
  - the evilginx server IP address,
  - the specific phishlet hostname mapping for the target.
- Create a lure (the exact URL/hook sent to victims) and generate a URL that redirects victims into the phishing flow.
Social engineering / lure email
The creator drafts an email impersonating a OneDrive update/security update message to a Microsoft 365 admin address in a staged tenant. The email includes the generated evilginx lure URL and is intended to get the victim to click and then enter credentials.
Demonstrated takeover flow (end-to-end)
- The victim clicks the phishing link and sees a Microsoft OneDrive login page.
- The victim enters username/password into what appears to be the real Microsoft login page.
- The victim completes MFA (approves on their phone).
- evilginx detects successful authorization, intercepts the authorization URL/token, and captures the session cookie(s).
- The attacker imports those cookies into a cookie editor and accesses office.com, effectively logging into the full Microsoft 365 account without re-entering credentials.
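The last step of the flow above is the detectable part from the identity provider's side: a session that was established with an interactive MFA sign-in from one network is presented again, shortly afterwards, from a different IP address with no fresh MFA step of its own. The script below is an added example, not code from the video, from evilginx, or from Microsoft; it flags that pattern over constructed sign-in records. The field names (`session_id`, `interactive_mfa`, `country`) and the sample values are assumptions standing in for whatever schema a real sign-in log uses.

```python
"""Flag one session identifier being presented from two different source IPs
within a short window, where the later use carries no interactive MFA.
Added example; record layout and values are constructed, not a vendor schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log output).
# "session_id" stands in for whatever identifier the identity provider
# attaches to an authenticated session / session cookie.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "admin@example.test",
     "session_id": "sess-A1", "ip": "203.0.113.10", "country": "US",
     "interactive_mfa": True},    # victim's real login via the proxy
    {"ts": "2024-05-01T09:04:30", "user": "admin@example.test",
     "session_id": "sess-A1", "ip": "198.51.100.77", "country": "NL",
     "interactive_mfa": False},   # same session replayed from elsewhere
    {"ts": "2024-05-01T10:00:00", "user": "alice@example.test",
     "session_id": "sess-B2", "ip": "203.0.113.20", "country": "US",
     "interactive_mfa": True},
    {"ts": "2024-05-01T10:30:00", "user": "alice@example.test",
     "session_id": "sess-B2", "ip": "203.0.113.20", "country": "US",
     "interactive_mfa": False},   # benign: same IP, silent token refresh
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_session_reuse(events, window: timedelta = timedelta(hours=1)):
    """Return one alert per session whose later, non-interactive use comes from
    a different IP than the session's first (interactive) sign-in, inside
    `window`. Alerts are dicts; the caller decides how to route them."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session_id"]].append(event)

    alerts = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        origin = evs[0]  # where the session was actually established
        for later in evs[1:]:
            # Same network or a fresh MFA step: treat as normal session use.
            if later["ip"] == origin["ip"] or later["interactive_mfa"]:
                continue
            elapsed = _parse(later["ts"]) - _parse(origin["ts"])
            if elapsed > window:
                continue
            alerts.append({
                "user": later["user"],
                "session_id": session_id,
                "origin_ip": origin["ip"],
                "reuse_ip": later["ip"],
                "country_changed": later["country"] != origin["country"],
                "seconds_after_login": int(elapsed.total_seconds()),
            })
            break  # one alert per session is enough to trigger review
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_EVENTS):
        print(alert)
```

The heuristic is deliberately narrow: a session used from a second IP is only suspicious when no new interactive MFA accompanied it and the change happened soon after the original sign-in, which is exactly the shape of a replayed cookie and not the shape of a user who re-authenticated from a new device. On the prevention side, origin-bound authenticators (FIDO2/WebAuthn security keys or passkeys) do not complete the ceremony for a lookalike domain, so the proxy never sees a usable login in the first place.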
Outcome / claim
The video concludes that the method yields a “stolen Microsoft 365 account” by combining:
- phishing/social engineering to obtain the user’s real login,
- evilginx reverse-proxy/session capture to neutralize MFA in practice for the attacker,
- phishlets tailored to Microsoft 365 (and potentially other websites).
Presenters / contributors
- Kuba Gretzky (creator/author associated with evilginx; referenced as behind the tool and courses)
- Video creator/presenter (unnamed in the subtitles; narrator demonstrating setup and the attack)
Category
News and Commentary