How to Bypass 2FA/MFA with Phishing

Cristian Cornea
4 min read · Jul 20, 2022

In this article, we will discuss how you can bypass Multi-Factor Authentication (MFA) in a phishing attack to take over accounts.

Prerequisites

  • A good domain to use. You can also take a look at the repository I’ve put together with some available domains that you can purchase and use for your phishing engagements. You can find the link below.
  • Evilginx2 installed on your public machine. We will use this tool to act as a Man-in-the-Middle (MitM) between the victim and the official platform we are phishing for (O365, AWS, LinkedIn, and so on).

Creating the Phishing Page

Once installed on our machine, we will start Evilginx2 in testing mode using the -developer flag, as shown below.

Cristian Cornea

🇷🇴 Founder: Zerotak Security | Cyber Security Training Centre of Excellence (CSTCE) | SectionX.io | BSides Transylvania