{“lastseen”:”2025-12-03T18:05:10″,”description”:”Attackers are using a tool called Evilginx to steal session cookies, letting them bypass the need for a multi-factor authentication (MFA) token.\\n\\nResearchers are warning about a rise in cases where this method is used against educational institutions.\\n\\nEvilginx is an attacker-in-the-middle phishing toolkit that sits between you and the real website, relaying the genuine sign-in flow so everything looks normal while it captures what it needs. Because it sends your input to the real service, it can collect your username and password, as well as the session cookie issued after you complete MFA.\\n\\nSession cookies are temporary files websites use to remember what you’re doing during a single browsing session\u2013like staying signed in or keeping items in a shopping cart. They are stored in the browser’s memory and are automatically deleted when the user closes their browser or logs out, making them less of a security risk than persistent cookies. But with a valid session cookie the attacker can keep the session alive and continue as if they were you. Which, on a web shop or banking site could turn out to be costly.\\n\\n## Attack flow\\n\\nThe attacker sends you a link to a fake page that looks exactly the same as, for example, a bank login page, web shop, or your email or company’s single sign-on (SSO) page. In reality, the page is a live proxy to the real site.\\n\\nUnaware of the difference, you enter your username, password, and MFA code as usual. The proxy relays this to the real site which grants access and sets a session cookie that says \u201cthis user is authenticated.\u201d\\n\\nBut Evilginx isn’t just stealing your login details, it also captures the session cookie. The attacker can reuse it to impersonate you, often without triggering another MFA prompt.\\n\\nOnce inside, attackers can browse your email, change security settings, move money, and steal data. And because the session cookie says you\u2019re already verified, you may not see another MFA challenge. They stay in until the session expires or is revoked.\\n\\nBanks often add extra checks here. They may ask for another MFA code when you approve a payment, even if you\u2019re already signed in. It\u2019s called step-up authentication. It helps reduce fraud and meets Strong Customer Authentication rules by adding friction to high-risk actions like transferring money or changing payment details.\\n\\n## How to stay safe\\n\\nBecause Evilginx proxies the real site with valid TLS and live content, the page looks and behaves correctly, defeating simple \u201clook for the padlock\u201d advice and some automated checks.\\n\\nAttackers often use links that live only for a very short time, so they disappear again before anyone can add them to a block list.\u200b Security tools then have to rely on how these links and sites behave in real time, but behavior\u2011based detection is never perfect and can still miss some attacks.\\n\\nSo, what you can and should do to stay safe is:\\n\\n * **Be careful with links that arrive in an unusual way.** Don\u2019t click until you\u2019ve checked the sender and hovered over the destination. When in doubt, feel free to use Malwarebytes Scam Guard on mobiles to find out whether it\u2019s a scam or not. It will give you actionable advice on how to proceed.\\n * **Use up-to-datereal-time anti-malware protection **with a web component.\\n * **Use a password manager.** It only auto-fills passwords on the exact domain they were saved for, so they usually refuse to do this on look\u2011alike phishing domains such as paypa1[.]com or micros0ft[.]com. But Evilginx is trickier because it sits in the middle while you talk to the real site, so this is not always enough.\\n * **Where possible, use phishing-resistant MFA.** Passkeys or hardware security keys, which bind authentication to your device are resistant to this type of replay.\\n * **Revoke sessions**if you notice something suspicious**. **Sign out of all sessions and re-login with MFA. Then change your password and review account recovery settings.\\n\\n\\n\\nPro tip: Malwarebytes Browser Guard is a free browser extension that can detect malicious behavior on web sites.\\n\\n* * *\\n\\n**We don ‘t just report on threats\u2014we help safeguard your entire digital identity**\\n\\nCybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.”,”published”:”2025-12-03T15:44:13″,”modified”:”2025-12-03T15:44:13″,”type”:”malwarebytes”,”title”:”Attackers have a new way to slip past your MFA”,”source”:””,”references”:””,”id”:”MALWAREBYTES:692439CB06F7A215093A5522B587E1B6″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2025\/12\/attackers-have-a-new-way-to-slip-past-your-mfa”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-03T18:05:10″,”description”:”Attackers are using a tool called Evilginx to steal session cookies, letting them bypass the need for a multi-factor authentication (MFA) token.\\n\\nResearchers are warning about…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-28471","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n