As a penetration tester, you are tasked with conducting a social engineering assessment to evaluate the susceptibility of an organization to phishing attacks. You need to choose a tool that allows you to perform phishing campaigns and potentially bypass multi-factor authentication (MFA). Which of the following tools should you use?

Multiple Choice

Explanation:
The idea being tested is phishing campaigns that go beyond just stealing passwords by also capturing the factors used for MFA, so you can evaluate whether an attacker could gain access even when MFA is in place. Evilginx is designed for this scenario: it acts as a man-in-the-middle proxy that sits between the user and the real service, presenting a convincing login flow while quietly relaying credentials and MFA-related data (such as session tokens or codes) back to the attacker. By harvesting these tokens, the tester can reproduce an authenticated session without needing the user to complete an MFA prompt on the actual service, which makes it a powerful tool for assessing MFA resilience in a controlled, authorized engagement.

Burp Suite is a general web app testing proxy and can simulate many web interactions, but it’s not built specifically to bypass MFA through phishing. Metasploit focuses on exploitation and payload delivery, not phishing-based MFA bypass. Maltego is used for OSINT and relationship mapping, not for conducting phishing campaigns.
