Attackers are using a tool called Evilginx to steal session cookies, letting them bypass the need for a multi-factor authentication (MFA) token.
Researchers are warning about a rise in cases where this method is used against educational institutions.
Evilginx is an attacker-in-the-middle phishing toolkit that sits between you and the real website, relaying the genuine sign-in flow so everything looks normal while it captures what it needs. Because it sends your input to the real service, it can collect your username and password, as well as the session cookie issued after you complete MFA.
Session cookies are temporary files websites use to remember what you’re doing during a single browsing session–like staying signed in or keeping items in a shopping cart. They are stored in the browser’s memory and are automatically deleted when the user closes their browser or logs out, making them less of a security risk than persistent cookies. But with a valid session cookie the attacker can keep the session alive and continue as if they were you. Which, on a web shop or banking site could turn out to be costly.
Attack flow
The attacker sends you a link to a fake page that looks exactly the same as, for example, a bank login page, web shop, or your email or company’s single sign-on (SSO) page. In reality, the page is a live proxy to the real site.
Unaware of the difference, you enter your username, password, and MFA code as usual. The proxy relays this to the real site which grants access and sets a session cookie that says “this user is authenticated.”
But Evilginx isn’t just stealing your login details, it also captures the session cookie. The attacker can reuse it to impersonate you, often without triggering another MFA prompt.
Once inside, attackers can browse your email, change security settings, move money, and steal data. And because the session cookie says you’re already verified, you may not see another MFA challenge. They stay in until the session expires or is revoked.
Banks often add extra checks here. They may ask for another MFA code when you approve a payment, even if you’re already signed in. It’s called step-up authentication. It helps reduce fraud and meets Strong Customer Authentication rules by adding friction to high-risk actions like transferring money or changing payment details.
How to stay safe
Because Evilginx proxies the real site with valid TLS and live content, the page looks and behaves correctly, defeating simple “look for the padlock” advice and some automated checks.
Attackers often use links that live only for a very short time, so they disappear again before anyone can add them to a block list. Security tools then have to rely on how these links and sites behave in real time, but behavior‑based detection is never perfect and can still miss some attacks.
So, what you can and should do to stay safe is:
- Be careful with links that arrive in an unusual way. Don’t click until you’ve checked the sender and hovered over the destination. When in doubt, feel free to use Malwarebytes Scam Guard on mobiles to find out whether it’s a scam or not. It will give you actionable advice on how to proceed.
- Use up-to-date real-time anti-malware protection with a web component.
- Use a password manager. It only auto-fills passwords on the exact domain they were saved for, so they usually refuse to do this on look‑alike phishing domains such as paypa1[.]com or micros0ft[.]com. But Evilginx is trickier because it sits in the middle while you talk to the real site, so this is not always enough.
- Where possible, use phishing-resistant MFA. Passkeys or hardware security keys, which bind authentication to your device are resistant to this type of replay.
- Revoke sessions if you notice something suspicious. Sign out of all sessions and re-login with MFA. Then change your password and review account recovery settings.
Pro tip: Malwarebytes Browser Guard is a free browser extension that can detect malicious behavior on web sites.
We don’t just report on threats—we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.