Inside Operation - STAR BLIZZARD: MFA Bypass via Adversary-in-the-Middle (AiTM)

When passwords no longer keep attackers out, and even Multi-Factor Authentication (MFA) can be bypassed... welcome to the icy operations of Star Blizzard—a Russia-backed cyber espionage group targeting critical defense infrastructure across NATO, the UK, and the U.S.

Your mission? Become the adversary.

This lab puts you in the role of a state-sponsored threat actor and reenacts a scenario modelled on one of the most effective attack chains seen in recent intrusions: MFA bypass via Adversary-in-the-Middle (AiTM). This is not theoretical. It is how contemporary espionage looks in the digital trenches.

APT Background: The Cold Precision of Star Blizzard

Star Blizzard is a Russian state-sponsored cyber espionage group also tracked as SEABORGIUM (Microsoft's earlier name for it), TA446 (Proofpoint), Callisto Group and ColdRiver. Active since at least 2017, it is thought to be run by Russia's FSB (the UK government publicly attributed it to the FSB in December 2023) and is notorious for targeting government organisations, defense contractors, think tanks, academics, journalists and private citizens in the United Kingdom, the United States and other NATO countries.

Activity attributed to the group includes:

  • Long-running spear-phishing campaigns against defense, diplomatic and policy targets, often preceded by weeks of benign rapport-building email before the lure is sent
  • Hack-and-leak operations against UK political figures
  • Credential phishing of cloud identity platforms, proxying Microsoft 365 sign-ins through Evilginx-style AiTM frameworks

One correction to a claim that often gets attached to this group: the SolarWinds supply chain breach was attributed to a different Russian actor (APT29 / Midnight Blizzard, linked to the SVR), not to Star Blizzard.

Their focus isn’t monetary—it’s intelligence. And their approach is surgical.

With increasing reliance on cloud identity platforms like Azure AD (now Microsoft Entra ID), adversaries like Star Blizzard adapt and thrive in identity-centric environments: the session cookie, not the password, becomes the prize.

Behind the Curtain: How Star Blizzard Moves

This operation is not just about sending random emails. It’s about deception at scale, using reverse proxies like Evilginx to manipulate the trust chain in real-time.

In this lab, you’ll replicate this chain of operations:

  1. Deploy the phishing infrastructure: an Evilginx instance, already preconfigured in your lab environment.
  2. Craft and deliver the lure: a link that looks legitimate but points at the proxy.
  3. Intercept the sign-in: the victim completes password and MFA against the real Microsoft endpoint while the proxy captures the resulting session cookies.
  4. Access sensitive resources: reuse the captured cookies, with no username, password or MFA prompt.
  5. Find the hidden flag: just like a real threat actor hunting for valuable org secrets.

The Technical Arsenal

  • AiTM Phishing using Evilginx2
  • Azure Portal Cookie Hijacking
  • Session Persistence via ESTSAUTH tokens
  • Real-time Phish-to-Access Operations

This lab brings you face-to-face with one of the most effective MFA bypass techniques, used by advanced groups to gain cloud access without ever needing to crack MFA.

“This is how real breaches start—one deceptive click at a time.”

The Objective

Star Blizzard isn’t after noise—they’re after access, intel, and stealth. In their campaign, they didn’t just phish credentials. They went further.

  • They intercepted MFA tokens.
  • They harvested live session cookies.
  • And they walked into Azure portals like ghosts.

Your challenge in this simulation is to execute a highly targeted AiTM phishing campaign and gain unauthorized access to a cloud identity platform—without ever needing the victim’s MFA device.

Attack Flow

[Figure: attack flow diagram, not reproduced here]

Attack Chain Breakdown

1. Infrastructure Setup by Threat Actor

  • Phishing Web Application is launched and used to manage the AiTM campaign.
  • Evilginx Toolkit is already configured in the backend to perform real-time proxying of victim traffic (captures credentials and session cookies).

2. Attack Flow

Step 1: Generate Lure Link (via Evilginx)

  • A phishing link on the attacker-controlled domain is generated from the preconfigured Microsoft phishlet.
  • Nothing is cloned: Evilginx serves the genuine Microsoft sign-in page by proxying it live, so the victim sees the real login flow under the attacker's hostname.

Step 2: Send Phishing Email

  • Attacker crafts an email using a predefined template with the lure URL.
  • Email is sent to the victim from within the phishing web interface.
  • The victim clicks on the link thinking it’s authentic.

Step 3: Capture Credentials + MFA

  • The victim's traffic is proxied through Evilginx to the real Microsoft sign-in endpoint:

  1. Enters username and password, which the proxy logs as they pass through.
  2. Submits the TOTP code, which the proxy forwards unchanged; the MFA check is completed legitimately against Microsoft, so nothing has to be cracked or forged.

  • Microsoft answers with the authenticated session cookies (ESTSAUTH, ESTSAUTHPERSISTENT); Evilginx records them and rewrites the cookie domain so the victim's browser still accepts them.
  • This only works against factors that are not bound to the origin (TOTP, SMS, push approval). FIDO2/WebAuthn keys and passkeys sign the origin the browser is actually on, so an assertion produced on the proxy's domain is rejected by Microsoft.

Step 4: Session Hijacking

  • Attacker copies the captured cookies from the web interface (Evilginx exposes them as a JSON list with name, value, domain and path).
  • In a clean browser, sets them for the login.microsoftonline.com domain (for example via browser DevTools or a cookie-editor extension) and then opens https://portal.azure.com.
  • The portal's redirect to the sign-in endpoint finds a valid session and lands the attacker straight in as the victim, with no password or MFA prompt.

Step 5: Recon as the Victim

  • Browses the Azure portal with the victim's identity and permissions (this is not privilege escalation: you hold exactly what the victim holds).
  • Navigates to the victim's user properties in the directory to look for sensitive information.
  • Finds the flag in the Department field under "Job Information".
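The five steps above are easier to reason about when the moving parts are visible, so here is an added example (not code from the lab and not Evilginx itself) that simulates the chain in-process: a stand-in identity provider that requires password plus TOTP and then issues a bearer session cookie, and a proxy that forwards the victim's sign-in, captures the cookie, rewrites its Domain attribute for the phish host, and replays it against the portal with no second factor. The domains, user, password, TOTP secret and flag are all constructed; `ESTSAUTH` is the only name taken from the page. The `login_fido` path shows the caveat from Step 3: an origin-bound factor fails through the same proxy.

```python
"""Toy adversary-in-the-middle (AiTM) login proxy in the style of Evilginx.
Added example, not code from the lab or from Evilginx. Everything is simulated
in-process: the IdP, the proxy, the domains and the flag are constructed stand-ins."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

TARGET_DOMAIN = "login.example-idp.test"         # assumed stand-in for login.microsoftonline.com
PHISH_DOMAIN = "login.example-idp-secure.test"   # assumed attacker lookalike served by the proxy
SESSION_COOKIE = "ESTSAUTH"                      # the cookie name the lab targets


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), so the victim genuinely completes MFA."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


@dataclass
class FakeIdP:
    """Stand-in identity provider: password + TOTP, then a bearer session cookie."""
    users: dict                                    # upn -> (password, totp_secret)
    sessions: dict = field(default_factory=dict)   # cookie value -> upn

    def _issue(self, upn: str) -> dict:
        token = secrets.token_hex(16)
        self.sessions[token] = upn
        # Scoped to the IdP's own domain, like ESTSAUTH on login.microsoftonline.com.
        cookie = f"{SESSION_COOKIE}={token}; Domain={TARGET_DOMAIN}; Path=/; Secure; HttpOnly"
        return {"status": 302, "headers": {"Set-Cookie": cookie}}

    def login_totp(self, upn: str, password: str, code: str, now: int) -> dict:
        pw, secret = self.users.get(upn, (None, b""))
        if pw != password or code != totp(secret, now):
            return {"status": 401, "headers": {}}
        return self._issue(upn)

    def login_fido(self, upn: str, signed_origin: str) -> dict:
        # Phishing-resistant MFA: the authenticator signs the origin the browser is really on,
        # so an assertion produced on the proxy's domain is rejected (signature check elided).
        if upn not in self.users or signed_origin != f"https://{TARGET_DOMAIN}":
            return {"status": 401, "headers": {}}
        return self._issue(upn)

    def portal(self, cookie_header: str) -> dict:
        jar = SimpleCookie()
        jar.load(cookie_header)
        upn = self.sessions.get(jar[SESSION_COOKIE].value) if SESSION_COOKIE in jar else None
        if upn is None:
            return {"status": 401, "body": ""}
        return {"status": 200, "body": f"Department: FLAG{{{upn}}}"}   # constructed flag


@dataclass
class AiTMProxy:
    """Sits between victim and IdP; forwards everything, keeps the session cookie."""
    idp: FakeIdP
    captured: dict = field(default_factory=dict)   # cookie name -> value (the loot)

    def _relay(self, upstream: dict) -> dict:
        headers = dict(upstream["headers"])
        if "Set-Cookie" in headers:
            jar = SimpleCookie()
            jar.load(headers["Set-Cookie"])
            for name, morsel in jar.items():            # one Set-Cookie header, one cookie
                self.captured[name] = morsel.value      # capture before the victim sees it
                morsel["domain"] = PHISH_DOMAIN          # rewrite so the victim's browser accepts it
                headers["Set-Cookie"] = morsel.OutputString()
        return {"status": upstream["status"], "headers": headers}

    def victim_login_totp(self, upn, password, code, now):
        # Creds and the one-time code are forwarded unchanged; MFA succeeds legitimately upstream.
        return self._relay(self.idp.login_totp(upn, password, code, now))

    def victim_login_fido(self, upn):
        # The victim's browser is on the phish origin, and that is what the authenticator signs.
        return self._relay(self.idp.login_fido(upn, f"https://{PHISH_DOMAIN}"))

    def attacker_replay(self) -> dict:
        # No password, no MFA prompt: the stolen cookie is the proof that MFA already happened.
        cookie_header = "; ".join(f"{k}={v}" for k, v in self.captured.items())
        return self.idp.portal(cookie_header)


def run_campaign() -> dict:
    """Walk the lab's steps 3-5 end to end and return what each party observed."""
    upn, password, secret = "alice@contoso.test", "Winter2024!", b"12345678901234567890"
    idp = FakeIdP(users={upn: (password, secret)})
    proxy = AiTMProxy(idp)
    now = 1_700_000_000
    wrong = proxy.victim_login_totp(upn, password, "not-a-code", now)   # bad code: nothing captured
    victim = proxy.victim_login_totp(upn, password, totp(secret, now), now)
    replay = proxy.attacker_replay()
    fido = AiTMProxy(idp).victim_login_fido(upn)                        # same proxy, origin-bound factor
    return {"wrong_totp_status": wrong["status"], "victim_status": victim["status"],
            "victim_set_cookie": victim["headers"].get("Set-Cookie", ""),
            "captured": dict(proxy.captured), "replay_status": replay["status"],
            "replay_body": replay["body"], "fido_status": fido["status"]}


if __name__ == "__main__":
    for k, v in run_campaign().items():
        print(f"{k}: {v}")
```

Run it and compare `victim_set_cookie` with `captured`: the victim's browser receives a cookie scoped to the phish domain, while the attacker holds the same value scoped to the real one, which is exactly what Step 4 injects. The `fido_status` of 401 is the defender's takeaway: moving the victim to an origin-bound factor leaves the proxy with nothing to replay.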

Can You Steal the Flag Before the Cookie Expires?

You have a small window of opportunity. The cookies are valid, but time is against you.

  • Will you capture them in time?
  • Will you pivot inside Azure and extract the sensitive department-level flag?
  • Or will the session die before you reach the target?

Step into the adversary’s shoes. Execute the campaign. Evade detection.

Then ask yourself: if you can do this in 20 minutes… imagine what an APT can do in 20 days.
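Whether a campaign like this evades detection depends on what the blue team is looking for, and the two signals a defender would hunt for are visible in the sign-in trail the chain leaves: the "successful" MFA sign-in comes from the proxy's IP rather than the victim's, and the same session is then presented from the attacker's machine minutes later. The following is an added example, not part of the lab; the records are constructed and only loosely modelled on Entra ID sign-in log fields (the field names, IPs and baseline are assumptions, not the real schema).

```python
"""Detection sketch for AiTM session-cookie replay. Added example, not part of
the lab; records are constructed and loosely modelled on Entra ID sign-in logs
(field names are assumptions, not the real schema)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice signs in interactively with MFA through the proxy's IP,
# then the same session appears from the attacker's machine a few minutes later.
# bob is a benign control: one session, one IP, on his baseline.
SIGNINS = [
    {"time": "2024-05-01T09:00:00Z", "upn": "alice@contoso.test", "ip": "203.0.113.10",
     "session_id": "sess-a1", "interactive": True, "mfa": True},
    {"time": "2024-05-01T09:04:30Z", "upn": "alice@contoso.test", "ip": "198.51.100.77",
     "session_id": "sess-a1", "interactive": False, "mfa": False},
    {"time": "2024-05-01T09:10:00Z", "upn": "bob@contoso.test", "ip": "192.0.2.25",
     "session_id": "sess-b1", "interactive": True, "mfa": True},
    {"time": "2024-05-01T09:40:00Z", "upn": "bob@contoso.test", "ip": "192.0.2.25",
     "session_id": "sess-b1", "interactive": False, "mfa": False},
]

# Constructed per-user baseline of IPs each user normally signs in from.
BASELINE = {"alice@contoso.test": {"192.0.2.40"}, "bob@contoso.test": {"192.0.2.25"}}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def session_reuse_from_new_ip(events, window=timedelta(hours=1)):
    """Flag a session ID that, within `window` of an interactive MFA sign-in,
    is presented from a different source IP: the signature of cookie replay."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: _ts(e["time"])):
        by_session[e["session_id"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        first = evs[0]
        if not (first["interactive"] and first["mfa"]):
            continue
        for later in evs[1:]:
            if later["ip"] != first["ip"] and _ts(later["time"]) - _ts(first["time"]) <= window:
                findings.append({"rule": "session_replay", "upn": later["upn"], "session_id": sid,
                                 "from_ip": first["ip"], "to_ip": later["ip"]})
    return findings


def mfa_signin_off_baseline(events, baseline):
    """Flag interactive MFA sign-ins from an IP the user has never used: under AiTM the
    MFA-satisfied sign-in itself originates from the proxy, not the victim's machine."""
    return [{"rule": "mfa_from_unknown_ip", "upn": e["upn"], "ip": e["ip"], "session_id": e["session_id"]}
            for e in events
            if e["interactive"] and e["mfa"] and e["ip"] not in baseline.get(e["upn"], set())]


def triage(events, baseline):
    """Group both rules per user so an analyst sees the whole chain in one place."""
    out = defaultdict(list)
    for f in session_reuse_from_new_ip(events) + mfa_signin_off_baseline(events, baseline):
        out[f["upn"]].append(f)
    return dict(out)


if __name__ == "__main__":
    for upn, hits in triage(SIGNINS, BASELINE).items():
        print(upn)
        for h in hits:
            print("  ", h)
```

Both rules are heuristics, and the IP-based baseline is the weaker of the two (users roam, proxies sit on residential ranges). The session-reuse rule is the one worth keeping: a cookie minted after an MFA prompt from one IP and presented from another within minutes has no benign explanation that survives a phone call to the user.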

Train Like the Adversary

If you want to experience this attack first-hand—not just read about it—this lab is live on the Infinity Platform, where you can simulate Star Blizzard’s operations in a safe, hands-on environment.

[Access Lab Here]

Infinity is a threat emulation platform that lets you train like nation-state APTs, with full visibility into each phase of the attack.
