During an engagement, a penetration tester decides to use social engineering to capture MFA.

The correct answer is A. Evilginx

Evilginx is a phishing framework commonly associated with adversary-in-the-middle phishing attacks. It can proxy authentication traffic between a victim and a legitimate service, allowing the attacker to capture credentials and session tokens. Because session tokens may be captured after successful authentication, Evilginx is known for being able to defeat or bypass some MFA workflows during authorized social engineering assessments.

B is incorrect because the listed commands resemble a phishing module configuration, but they are not the best-known or most appropriate option for capturing MFA/session tokens.

C is incorrect because wget portal.office.com only retrieves web content, and setting an environment variable named MFA does not create an MFA capture capability.

D is incorrect because Recon-ng is an OSINT and reconnaissance framework. It is used for information gathering, not for capturing MFA tokens or conducting adversary-in-the-middle phishing.

In PenTest+ terms, this falls under Attacks and Exploits, specifically social engineering, phishing, credential harvesting, and MFA/session-token capture techniques used during authorized engagements.