{
	"id": "d59ae27f-ea7b-44f3-9124-8e81e74d9a4a",
	"created_at": "2026-04-06T01:30:56.818457Z",
	"updated_at": "2026-04-10T13:11:26.419216Z",
	"deleted_at": null,
	"sha1_hash": "ceea5f8d94c096a0593dba350d8442f0ebb5ec1e",
	"title": "The art of defense evasion -part — 3 Bypass Multi Factor Authentication (MFA)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 552435,
	"plain_text": "The art of defense evasion -part — 3 Bypass Multi Factor\r\nAuthentication (MFA)\r\nBy Osama Ellahi\r\nPublished: 2022-04-07 · Archived: 2026-04-06 00:10:45 UTC\r\nAttackers are bypassing MFA for almost 4 years, when evilginx2 was released. There were a lot of limitations but\r\nlist benefits and use cases handed by evilginx2 are greater. Evilginx2 actually use reverse proxy server which sits\r\nin between your victim and original server and after successfully tokens communicated, it also saved them.\r\nPress enter or click to view image in full size\r\nhttps://macrosec.tech/index.php/2021/01/25/phishing-attacks-with-evilginx2/\r\nAfter studying the code of old tools, we tried to come up with some new bypass techniques. These techniques\r\nwere also used by some threat actors. And it also requires so much hard work.\r\nPress enter or click to view image in full size\r\nThere are tools (Selenium, Playwright, etc.) available in the market which performs web automation, the purpose\r\nof these tools is to test the website’s performance. So we use this automation against MFA.\r\nhttps://osamaellahi.medium.com/the-art-of-defense-evasion-part-3-bypass-multi-factor-authentication-mfa-26d3a87dea0f\r\nPage 1 of 5\n\nOFFODE\r\nTo give POC (Proof of concept) of our idea, we build a tool {{OFFODE}} which performs bypass of outlook and\r\ngets whole control of office.com.\r\nThis tool can be deployed on window’s machine, window’s server and Linux server as well. Since it is developed\r\nin node js and playwright, it is compatible with every device.\r\nIt is recommended to use it UI Operating system (Not CLI based). Because cookies saving part is still in\r\nprogress. And if you are using UI operating system you can perform actions from logged in browser.\r\nAt the end it will give you logged in outlook account (of victim) in the browser which can be used as intention. 
It\r\nwill be clearer if you look at this picture.\r\nHow does this tool work?\r\nOnce the user opens the link, he/she will see the Outlook login page, enter an email, and press enter.\r\nThe server will automatically open a new browser on the server side (using Playwright), enter the same email the user\r\ngave, and press enter. If the email exists, the server will show the user the password screen; otherwise it responds that the email is\r\nnot correct.\r\nThe user will enter a password (maybe correct, maybe not) and press enter.\r\nThe server will pass this password to the already opened browser, press enter, and wait for the response. If the password is\r\nincorrect, the server will show the user the incorrect-password screen with the error from the original server. If the password is correct,\r\nthe server will check whether MFA is enabled on this account. If no MFA is enabled, the server will get the session, try\r\nto intercept the cookies (in progress), and save them in the public directory with the user’s email as the filename. If\r\nMFA is enabled, the server will check which MFA it is and show the user the same page.\r\nIf the user has set up authentication app OTP for MFA, he/she will be asked for the OTP from the Microsoft auth app,\r\njust as the original server asks. The user will enter those digits from the authentication app and press enter.\r\nThe server will automatically enter those digits on the original server and perform actions accordingly. The same\r\napplies to the mobile number OTP case.\r\nInstallation\r\nFirst install Node.js on your system and then download the project from this link. 
After that, use the following\r\ncommand to install all dependencies of the project:\r\nnpm install\r\nOnce all dependencies are installed, install Playwright with the following command:\r\nnpm install playwright\r\nAfter installing Playwright, start the project with this command:\r\nnpm start\r\nBy default it starts on port 8888. For testing, you can also use it with ngrok.\r\nUse Cases\r\nSince this is just a POC of a new technology, we try to cover all the use cases, but this tool will always need\r\nmanagement.\r\nServer-side automation, combined with showing users saved pages that change dynamically, can be widely used\r\non other platforms and websites.\r\nWe cover the following use cases.\r\nCase 1: Basic Email \u0026 Password\r\nThis is the simple case, where the server validates the user’s email and password and saves the tokens.\r\nThe person on the server side can open the user’s outlook.com and office.com.\r\nCase 2: Authentication OTP\r\nThe server checks whether the user has enabled Microsoft authentication app OTP, then acts\r\naccording to the situation.\r\nCase 3: Phone Number OTP\r\nThe server checks whether the user has set up phone number OTP. It will ask the user for the same thing that the original server is asking\r\nthe Node server.\r\nWe are regularly monitoring this tool for better performance and further changes, and we would\r\nlove to see your suggestions and comments.\r\nSource: https://osamaellahi.medium.com/the-art-of-defense-evasion-part-3-bypass-multi-factor-authentication-mfa-26d3a87dea0f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://osamaellahi.medium.com/the-art-of-defense-evasion-part-3-bypass-multi-factor-authentication-mfa-26d3a87dea0f"
	],
	"report_names": [
		"the-art-of-defense-evasion-part-3-bypass-multi-factor-authentication-mfa-26d3a87dea0f"
	],
	"threat_actors": [],
	"ts_created_at": 1775439056,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ceea5f8d94c096a0593dba350d8442f0ebb5ec1e.pdf",
		"text": "https://archive.orkl.eu/ceea5f8d94c096a0593dba350d8442f0ebb5ec1e.txt",
		"img": "https://archive.orkl.eu/ceea5f8d94c096a0593dba350d8442f0ebb5ec1e.jpg"
	}
}