Phishing Kits & PhaaS

What Is EvilProxy?

EvilProxy is a major Phishing-as-a-Service (PhaaS) platform offering subscription-based adversary-in-the-middle (AiTM) phishing and account takeover services.

Always Automate, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

Operating since at least 2023 on the dark web, EvilProxy is one of the top three PhaaS platforms globally alongside Tycoon 2FA and Sneaky 2FA, enabling threat actors with minimal technical skill to conduct enterprise-grade credential theft and session hijacking attacks. EvilProxy is particularly known for targeting high-level executives and critical infrastructure organizations.

How Does EvilProxy Work?

Service Model

EvilProxy operates on a per-campaign pricing structure. Microsoft 365 targeting costs $150-$400 for 10-31 days according to Resecurity and Proofpoint. Google Workspace targeting costs $250-$600 for 10-31 days. Custom targeting is available with negotiable pricing. Service tiers are based on campaign duration and target service.

Dark web distribution occurs via Tor-hosted control panels using .onion domains. The primary business channel is Telegram with administrator "John_Malkovich." SSH access is provided to customers for infrastructure control. Automated installation scripts enable rapid deployment. Docker containerization provides scalable infrastructure management.

Attack Architecture

The reverse proxy adversary-in-the-middle flow consists of thirteen steps:

1. A threat actor subscribes to the EvilProxy service for a target organization.
2. EvilProxy provides Docker containers with the reverse proxy pre-configured.
3. The attacker deploys the containers on compromised or rented infrastructure.
4. The attacker generates a phishing domain using lookalike or URL-shortened domains.
5. A phishing email campaign is sent with links to the EvilProxy-hosted proxy.
6. A victim clicks the link and enters credentials on the fake login page.
7. EvilProxy intercepts the credentials and forwards them to the legitimate service.
8. An MFA challenge is presented to the victim on the phishing page.
9. The victim enters their MFA token.
10. EvilProxy captures the token and forwards it to the legitimate service before it expires.
11. The legitimate service grants authentication and issues a session cookie.
12. EvilProxy captures the session cookie and delivers it to the attacker.
13. The attacker logs in with the captured session cookie without an MFA re-prompt, because the session is already authenticated.

Core Technologies

Reverse proxy infrastructure uses Docker containerization for rapid deployment and scaling. Real-time traffic interception operates between victim and legitimate service. HTTPS transparent proxying with SSL/TLS re-encryption maintains encryption appearance. Cookie injection and manipulation enable session capture. Session token capture and reuse provide persistent access.

MFA bypass mechanisms include real-time MFA challenge interception and relay. Support includes SMS OTP, TOTP authenticator apps, and push notifications. Risk-based MFA bypass appears as legitimate user activity. Device recognition bypass uses stolen sessions to circumvent device checks.

Anti-detection features include user-agent analysis to identify security tools, IP reputation checking to block security vendor IPs, browser fingerprinting to detect sandboxes, JavaScript injection for legitimate-looking error messages, and credential validation before completion to reduce failed attempts.

How Does EvilProxy Compare to Other Platforms?

Aspect | EvilProxy | Tycoon 2FA | Sneaky 2FA
Market Share (Early 2025) | 8% of PhaaS attacks | 76-89% of PhaaS attacks | 3-6%
Attack Volume | 1M+ attacks/month | 1M+ attacks/month (higher) | Lower
Cost | $150-$600 per campaign | $120-$500/month subscription | Variable
Sophistication | High (AiTM reverse proxy) | Very High (AiTM + advanced evasion) | Moderate-high
Evasion Features | Moderate (fingerprinting, user-agent checks) | Enterprise-grade (CAPTCHA, JavaScript obfuscation) | Moderate
Primary Targets | Executives, C-suite | Enterprise-wide | Education
Operational Lifespan | Typical 10-31 days | Ongoing subscription | Ongoing
Targeting Focus | High-value individuals | High-volume campaigns | Volume-based
Infrastructure | Docker containers, customer-managed | Provider-managed | Provider-managed
Support | Limited (Telegram channel) | Full developer support | Variable
Ideal for | Executive targeting campaigns | Professional phishing operations | Budget-conscious attackers

Compared to Sneaky 2FA, EvilProxy holds 8% market share versus 3-6% according to Infosecurity Magazine and Barracuda Networks. EvilProxy targets multiple services with an executive focus, while Sneaky 2FA is Microsoft 365-focused. EvilProxy has been active since 2023 and is a mature platform, whereas Sneaky 2FA emerged in 2024-2025. Sophistication is high for EvilProxy compared to moderate-high for Sneaky 2FA. EvilProxy's targeting is strategic, focusing on executives, while Sneaky 2FA runs volume-based campaigns against the education sector.

Against traditional phishing kits, EvilProxy offers real-time MFA relay where traditional kits have no MFA bypass. Session hijacking is a core feature; traditional kits have none. The attacker skill required is very low (Docker and credentials) versus low-medium with manual setup. Operational lifespan is 10-31 days per campaign versus 36-48 hours. Evasion sophistication is high, with fingerprinting and credential validation, versus moderate with basic obfuscation. Support is vendor-provided via Telegram versus community only. The cost structure is per-campaign pricing versus a one-time purchase. Scalability is multi-tenant infrastructure versus single-operator. Infrastructure control is customer-managed Docker versus hosting the attacker finds themselves.

Why Does EvilProxy Matter?

Attack Scale

More than 1 million EvilProxy attacks per month were detected in 2024 according to Proofpoint and The Register. Attacks continued at scale in early 2025, contributing to 1M+ PhaaS attacks in January-February. Market share reached 8% of PhaaS attacks, positioning it as a second-tier platform. EvilProxy was involved in 1M+ attempted account takeovers (ATOs) in early 2025.

Geographic Reach

Attacks were detected globally across multiple continents. Primary targeting focused on United States organizations. Secondary targeting included Europe, Australia, and APAC region. Operations based on the dark web enable truly global threat distribution.

Organizational Impact

Over 100 organizations were targeted globally in major campaigns according to Okta Threat Intelligence and Proofpoint. Collective impact affected 1.5M employees across targeted organizations. Sectors targeted included finance as primary focus, followed by government, healthcare, and technology. Executive targeting showed 39% of compromises were C-level executives including CEO, CFO, COO, and CTO.

Targeting Patterns

By organization type, targets include financial institutions such as banks and investment firms, insurance companies, real estate and property management, manufacturing firms, technology companies, government agencies, and healthcare organizations.

By position, targets include C-suite executives representing 39% of successful compromises, CFOs and finance officers, operations executives, IT directors, and HR leadership.

Attack methods include impersonation of popular business tools including SAP Concur, Adobe Sign, and DocuSign. Fake document signing requests are common lures. Travel and expense report lures target finance personnel. Leadership approval flows exploit organizational hierarchies. Business continuity and emergency notifications create urgency.

What Are the Limitations of EvilProxy?

Infrastructure Exposure

Customer-deployed Docker containers create detection surface for security monitoring. Hosting provider abuse reports can remove infrastructure quickly. SSH access logs can be traced to attacker infrastructure. Telegram channel communication creates OPSEC risk for operators.

Detection Signatures

Docker default ports and protocols are identifiable by security tools. Reverse proxy headers may leak infrastructure details. SSL/TLS certificates issued for phishing domains appear in Certificate Transparency logs, where monitoring can flag them. Domain reputation systems quickly identify EvilProxy domains through behavioral analysis.

Service Dependency

Reliance on EvilProxy vendor for setup, support, and maintenance creates single point of failure. Dark web communication delays occur with Telegram-based support. No recourse exists if vendor disappears or is taken down. Financial loss results if infrastructure is seized by law enforcement.

Technical Constraints

Hardware security keys using FIDO2 cannot be relayed according to Hypr and Microsoft Security Blog. Passwordless authentication such as Windows Hello is immune to interception. Risk-based MFA can detect unusual login patterns. Behavioral MFA flags impossible travel and anomalous activity.

Browser and authentication hardening includes password managers that verify domain authenticity. Browser extensions warn of phishing domains. Endpoint Detection and Response detects post-compromise activity. Native browser protections such as Safe Browsing block known phishing.

Victim-Side Resistance

User awareness of AiTM attacks is improving across organizations. Out-of-band verification such as call-back to known numbers defeats phishing. Organization-specific authentication flows are harder to proxy accurately. Internal security teams detect unusual authentication patterns through monitoring.

How Can You Defend Against EvilProxy?

Authentication and Identity Protection

Deploy phishing-resistant FIDO2 hardware security keys for executives. Implement Windows Hello for Business using biometric or PIN authentication. Migrate to passwordless authentication to eliminate credential theft. Use phishing-resistant FIDO2 for critical accounts.

Enforce mandatory MFA on all cloud services including Microsoft 365, Google, and Okta. Require hardware key MFA for executives. Disable SMS-based OTP due to relay vulnerability. Deploy risk-based MFA to detect anomalous patterns.

Configure short session timeouts of 1-4 hours for executives to limit cookie value. Require re-authentication for sensitive operations. Implement device binding to prevent session reuse. Use IP-based session restrictions within geographic boundaries.

Email and Phishing Prevention

Implement advanced email filtering with URL sandboxing. Deploy real-time link inspection and URL rewriting. Enforce sender authentication using DMARC with "reject" policy. Deploy brand impersonation detection and blocking.

Use browser isolation for link clicking. Implement Content Disarm and Reconstruction for attachments. Disable auto-redirect functionality. Enable user warning dialogs on suspicious domains.

Detection and Response

Implement dedicated monitoring for C-suite accounts. Deploy impossible travel detection using geographic analysis. Alert on new authenticator and device registration. Monitor unusual login times and locations.

Monitor Azure AD and Okta sign-in logs for anomalies. Alert on failed login attempts indicating attacker probing. Track MFA challenge responses for unusual patterns. Detect session cookie usage from unusual locations.

Deploy behavioral anomaly detection for email access patterns including forwarding and mass searches. Monitor cloud app permission changes. Watch for unusual file access especially of sensitive documents. Alert on Azure app registrations without approval.

Monitor dark web for EvilProxy campaigns targeting your organization. Track EvilProxy infrastructure including domains and Tor nodes. Subscribe to SSL certificate transparency logs. Monitor IP reputation feeds for EvilProxy servers.
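The sign-in anomalies described above (a session cookie replayed from an unexpected location, a new authenticator registered right after a sign-in from a new country) can be checked with simple log correlation. The following is an added example, not code from the original page or from any vendor: the log records, field names and time windows are constructed for illustration, and real Entra ID or Okta exports will need a field mapping.

```python
"""Flag two AiTM post-compromise indicators in cloud sign-in and audit logs.

1. One session identifier used from two countries faster than anyone could
   travel: a captured session cookie replayed from attacker infrastructure.
2. A new MFA method registered within minutes of a sign-in from a country the
   user has never used before: an attacker enrolling their own authenticator.
Records below are constructed sample data, not real tenant logs.
"""
from datetime import datetime, timedelta

# Constructed events: (timestamp, user, session id, country, event kind)
SAMPLE_EVENTS = [
    ("2025-02-03T08:01:00", "cfo@example.com", "sess-A1", "US", "signin"),
    ("2025-02-03T08:02:30", "cfo@example.com", "sess-A1", "NL", "signin"),
    ("2025-02-03T08:05:10", "cfo@example.com", "sess-A1", "NL", "mfa_register"),
    ("2025-02-03T09:00:00", "ops@example.com", "sess-B7", "US", "signin"),
    ("2025-02-03T17:30:00", "ops@example.com", "sess-B7", "US", "signin"),
]

TRAVEL_WINDOW = timedelta(hours=2)       # tunable: two countries within this is "impossible travel"
REGISTER_WINDOW = timedelta(minutes=30)  # tunable: MFA enrolment this soon after a new country


def _parse(events):
    """Normalise tuples into dicts and sort chronologically."""
    rows = [{"ts": datetime.fromisoformat(ts), "user": user, "sid": sid,
             "country": country, "kind": kind}
            for ts, user, sid, country, kind in events]
    return sorted(rows, key=lambda r: r["ts"])


def find_session_reuse(events, window=TRAVEL_WINDOW):
    """Return (user, session id, first country, second country) for each
    session seen from two different countries within `window`."""
    alerts, last_seen = [], {}  # session id -> (timestamp, country)
    for r in _parse(events):
        if r["kind"] != "signin":
            continue
        prev = last_seen.get(r["sid"])
        if prev and prev[1] != r["country"] and r["ts"] - prev[0] <= window:
            alerts.append((r["user"], r["sid"], prev[1], r["country"]))
        last_seen[r["sid"]] = (r["ts"], r["country"])
    return alerts


def find_mfa_registration_after_new_country(events, window=REGISTER_WINDOW):
    """Return (user, country, timestamp) for each MFA enrolment that follows a
    sign-in from a previously unseen country within `window`."""
    alerts, known, recent_new = [], {}, {}
    for r in _parse(events):
        seen = known.setdefault(r["user"], set())  # countries already baselined
        if r["kind"] == "signin":
            if seen and r["country"] not in seen:   # first sign-in is the baseline
                recent_new[r["user"]] = r["ts"]
            seen.add(r["country"])
        elif r["kind"] == "mfa_register":
            t = recent_new.get(r["user"])
            if t is not None and r["ts"] - t <= window:
                alerts.append((r["user"], r["country"], r["ts"].isoformat()))
    return alerts
```

Both checks fire on the constructed CFO events and stay silent for the operations user, who signs in twice from the same country; in production the country field would come from the provider's IP geolocation and the first-sign-in baseline from a longer history window.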

Incident Response

Implement immediate credential reset for suspected compromises. Configure session revocation across all cloud services. Audit cloud activity during compromise window. Investigate email forwarding rules and app permissions.

Create timeline of login activity for forensics. Audit Azure and Google Workspace logs comprehensively. Check for unauthorized app registrations. Investigate lateral movement to other accounts.

Force password reset for all potentially affected accounts. Revoke all OAuth tokens and application consents. Remove suspicious device registrations. Reset backup authentication methods.

Organizational Measures

Implement heightened security controls for C-suite using FIDO2 and passwordless. Conduct dedicated security awareness training on AiTM attacks. Deploy out-of-band approval verification for sensitive transactions. Provide executive security briefings on EvilProxy and PhaaS threats.

Require callback verification for sensitive actions. Implement multi-stage approval for financial transactions. Deploy out-of-band authorization for high-value requests. Establish internal verification channels independent of email.

Deploy Cloud Access Security Broker for real-time monitoring. Implement conditional access policies with risk-based blocking. Prefer API-based authentication over web-based authentication. Enforce device compliance requirements.

Conduct training on AiTM attacks and reverse proxy risks. Emphasize padlock icons not guaranteeing safety. Establish out-of-band verification procedures. Run red team simulations with EvilProxy-like attacks.

FAQs

What makes EvilProxy different from Tycoon 2FA?

While both are PhaaS platforms using adversary-in-the-middle attacks, Tycoon 2FA dominates the market with 89% of PhaaS attacks compared to EvilProxy's 8% according to Barracuda Networks. EvilProxy is easier to use with Docker containers instead of complex setup but less sophisticated in evasion, lacking CAPTCHA and JavaScript obfuscation. Tycoon 2FA uses a subscription model while EvilProxy uses per-campaign pricing of $150-$600. EvilProxy is particularly known for targeting high-level executives and C-suite members representing 39% of compromises, while Tycoon 2FA runs high-volume campaigns targeting broader employee populations.

How does EvilProxy capture session cookies to enable MFA bypass?

EvilProxy uses a reverse proxy architecture that sits between the victim and the legitimate service according to Proofpoint and JFrog. When the victim enters credentials, EvilProxy forwards them to the real Microsoft 365, Google, or other service. That service asks for MFA. The victim enters their MFA code into the EvilProxy phishing page, which forwards it to the real service in real-time before it expires. The real service grants authentication and issues a session cookie. EvilProxy captures that cookie before returning it to the victim. The attacker later logs in using the stolen cookie, and because the session is already authenticated, no MFA prompt appears.

What should executives do to protect against EvilProxy attacks?

Executives should take several protective measures according to Okta Threat Intelligence and security best practices. First, use hardware security keys with FIDO2 for MFA instead of SMS or app-based codes. Second, enable Windows Hello for Business or passwordless authentication if available. Third, use a password manager that verifies website authenticity. Fourth, treat all approval requests with skepticism and verify via callback to known numbers. Fifth, never click links in emails asking for authentication, instead navigating directly to the service URL in browser. Sixth, enable conditional access policies that flag and block logins from unusual locations or devices.

How prevalent is EvilProxy in 2025?

EvilProxy is the second-most popular PhaaS platform with approximately 1 million attacks per month according to The Register and Proofpoint. However, it accounts for only 8% of all PhaaS attacks in early 2025 compared to Tycoon 2FA's 89%. EvilProxy is particularly prevalent in campaigns targeting executives, with 39% of successful compromises being C-level executives including CEO, CFO, and COO. Over 100 organizations have been targeted in major EvilProxy campaigns, affecting 1.5M+ employees across financial institutions, insurance companies, manufacturing firms, and technology companies.

If I clicked an EvilProxy phishing link and entered credentials, what should I do?

Assume compromise and take immediate action according to security incident response best practices. First, change your password from a different device to prevent ongoing access. Second, enable MFA with a hardware security key if available. Third, revoke all browser sessions and cloud app sessions to terminate attacker access. Fourth, check for unauthorized email forwarding rules or app permissions in your account settings. Fifth, review cloud audit logs for suspicious activity including file access and permission changes. Sixth, check for unauthorized authenticator registrations in security settings. Seventh, report to your security team and law enforcement. Eighth, monitor dark web for credential sales through breach notification services.


© 2026 Kinds Security Inc. All rights reserved.
