muraena VS evilginx2

Hello there people of the craft! I'm concerned about the account migration not being the digital heaven dinnerbone has announced, While moving the accounts to the microsoft data seems safer at first, there is a few reasons this can be quite bad news, and this feels like when we were forced to have a google+ accounts. First off, what is technically better with the new authentification system? Like really, expect the chance of microsoft randomly locking your account because you didn't got your password right the first time, what's so great? A anti password brute force system? We already had that with mojang I believe. And it is not like a lot of accounts are hacked using this system anyways, phishing is actually much more used ( where the attacker trick you with a fake email from mojang, and a link going to a fake login that collect your password when you enter it ). But luckily we will have two-factor authentication to PROTECT US ALL from the dangerous local rusian hacker who desperately wants to steal your minecraft account! Cheese and crackers! 2FA doesn't protect you from that ( check out muraena and necrobrowser to see how that's done ). 2FA is almost worthless, just another process to help the microsoft foundation get more of your personal data.

* https://github.com/muraenateam/muraena

No, if you break into a site using passkeys, it gives you literally zero information that can be used to authenticate as any of the users. Think about the prevalence of data breaches in the past decade, and the sharp rise in the effectiveness of password stuffing, and think about why this change might be a good idea.

Also even with traditional 2FA, TOTP can be phished. See https://github.com/kgretzky/evilginx2

WebAuthn almost entirely eliminates phishing risk, and Passkeys are a really nice, clean UX for using WebAuthn.

So I downloaded this onto my computer https://github.com/kgretzky/evilginx2 and that took while since I’m new to GitHub and I barely know my way around computers. That went fine, i noticed there was another repository that was pretty much an add on to that same software I downloaded earlier “evilginx2” by another creator, this is the link https://github.com/simplerhacking/Evilginx3-Phishlets

Did your friend clicked on a phising link, if yes a aitm coud be one of the possibilities: https://github.com/kgretzky/evilginx2

We had a user compromised simiarly the other day, with what I believe to be https://github.com/kgretzky/evilginx2 now. It stole his session cookie and was able to auth. Fortunately, we have Office 365 Defender and he was flagged immediately on the risky user sign-ins and we were able to block and investigate.

Evilginx kan bypass MFA and hijack your session https://github.com/kgretzky/evilginx2 Only thing that migitates this is fido keys

You can try this for web app traffic MIMD: https://github.com/kgretzky/evilginx2