Evilginx - Advanced Phishing with Two-factor Authentication Bypass
Parameters in the URL stand for:
rc = On successful sign-in, victim will be redirected to this link e.g. document hosted on Google Drive.
rt = This is the name of the session cookie which is set in the browser only after successful sign-in. If this cookie is detected, this will be an indication for Evilginx that sign-in was successful and the victim can be redirected to URL supplied by rc parameter.
Victim receives attacker's phishing link via any available communication channel (email, messenger etc.).
Victim clicks the link and is presented with Evilginx's proxied Google sign-in page.
Victim enters his/her valid account credentials, progresses through two-factor authentication challenge (if enabled) and he/she is redirected to URL specified by rc parameter. At this point rd cookie is saved for notreallygoogle.com domain in victim's browser. From now on, if this cookie is present, he/she will be immediately redirected to rc URL, when phishing link is re-opened.
Attacker now has victim's email and password, as well as session cookies that can be imported into attacker's browser in order to take full control of the logged in session, bypassing any two-factor authentication protections enabled on victim's account.