What Is Reverse Proxy Phishing?


Reverse proxy phishing (also termed adversary-in-the-middle (AiTM) phishing or MITM phishing) is an attack in which a threat actor places a reverse proxy between the user and a legitimate authentication service. The attacker's domain serves the real login pages, fetched live from the legitimate site, and relays the user's credentials and multi-factor authentication (MFA) responses to the real service in real time; the proxy then captures the authenticated session cookie that the service sets. Replaying that cookie lets the attacker act as the already-authenticated user, so neither the password (which the proxy also saw in transit) nor the MFA device is needed again, and any MFA method that is not bound to the site's origin (TOTP, SMS codes, push approvals) is defeated. What distinguishes it from traditional credential-harvesting phishing is this real-time relay and session-cookie capture; the lure and the delivery are the same.

How does reverse proxy phishing work?

Reverse proxy phishing relies on infrastructure that sits transparently between the victim and the legitimate service and captures authentication artifacts as they pass through.

Proxy infrastructure setup

The attacker deploys a reverse proxy, typically from a phishing-as-a-service (PhaaS) kit. Evilginx (originally released as Evilginx2) is open source and hosted on GitHub; EvilProxy, Tycoon 2FA, NakedPages and Sneaky 2FA are sold as services. Storm-1167 is Microsoft's designation for a threat actor that runs AiTM campaigns, not a kit. The proxy is configured with a template (a "phishlet" in Evilginx terms) for the target service: Microsoft 365, Google Workspace, Okta, GitHub, Apple, AWS and others.

Phishing campaign delivery

The attacker delivers the lure by email. The carrier has shifted over time from QR codes (early 2024) to HTML attachments (mid-2024) to SVG files (late 2024 into 2025), which email scanners find hardest to inspect; the simplest form is a direct link to the attacker-controlled proxy domain, such as office365-verify[.]com in place of office.com.

User authentication flow

The user clicks the link and lands on the attacker's proxy domain, which is served over HTTPS with a valid certificate for that lookalike domain, so the browser shows a padlock. The login form the user sees is the real one, fetched from the legitimate service and rewritten to submit back to the proxy. The user enters username and password; the proxy forwards them immediately to the legitimate service (for example the real Microsoft 365 sign-in endpoint), which validates them and returns an MFA challenge. The proxy passes the challenge through, the user completes it (TOTP, SMS code, push approval or biometric-unlocked app, it makes no difference), and the proxy relays the response. The legitimate service accepts the MFA response and sets an authenticated session cookie in its reply, which passes through the proxy on its way to the user's browser.

Session hijacking

The proxy records the Set-Cookie headers from that reply, including the session cookie and any persistent sign-in cookie issued when the user chose to stay signed in. A plain session cookie is typically valid for 8 to 24 hours; persistent cookies and refresh tokens can keep the session alive for much longer.

Attacker account access

The attacker imports the captured cookies into their own browser and is recognised as the already-authenticated user: no password is requested because the session already exists, and no MFA challenge fires because the cookie is the proof that MFA was satisfied. The result is full account access, including mail, files and any admin roles the user holds.

Post-compromise exploitation

Attackers exfiltrate mail, documents and trade secrets; conduct business email compromise (BEC) fraud from the mailbox; send further phishing or malware, including ransomware, from the trusted internal address; move laterally into connected corporate systems; and escalate to administrative accounts.

Why it works

Conventional MFA protects the act of logging in, not the session token that the login produces. Reverse proxy phishing lets the legitimate service perform the whole login, MFA included, and takes the token afterwards. Because the proxy relays in real time, time-limited factors are consumed before they expire (a TOTP code is valid for its 30-second step, plus whatever clock skew the server tolerates), which asynchronous credential harvesting cannot do. The user sees the genuine pages and a successful sign-in, so unless the relay introduces noticeable latency or rendering glitches there is nothing to notice. Session cookies are bearer tokens by design: whoever presents one is the user, so replaying it looks like an ordinary authenticated request.

Detection evasion techniques

Kits filter on source IP and User-Agent to refuse security researchers, sandboxes and known vendor ranges. They obtain valid TLS certificates for their own lookalike domains (typically from free CAs), so the connection shows a padlock; no certificate for the legitimate domain is involved, which is why monitoring certificate transparency for lookalike names, rather than certificate validation, is the useful control. Evilginx-style proxies serve nothing at the domain root and only respond on the configured phishlet paths, so crawlers and vulnerability scanners see an empty site. Lures carry unique, often single-use proxy URLs per campaign or victim, which blunts URL-based threat intelligence feeds.

How does reverse proxy phishing differ from other attacks?

Aspect                    | Reverse proxy phishing                                        | Traditional credential harvesting                    | Credential stuffing                                   | Session hijacking                                   | Man-in-the-middle (network layer)
--------------------------|---------------------------------------------------------------|------------------------------------------------------|-------------------------------------------------------|-----------------------------------------------------|--------------------------------------------------------
Mechanism                 | Reverse proxy relays the live authentication                  | Fake page captures credentials for later use         | Replays pre-harvested credentials                     | Steals active tokens (network or endpoint)          | Intercepts traffic at the network layer
MFA bypass                | Yes: session cookie captured after MFA                        | No: blocked by MFA                                   | No: blocked by MFA                                    | Yes: token reused                                   | Yes, but requires a network position
Detection difficulty      | Very hard: traffic to the real service is legitimate          | Medium: phishing analysis                            | Medium: traffic patterns                              | Hard: sessions look legitimate                      | Medium to hard: TLS analysis
Real-time requirement     | Yes: must relay during authentication                         | No: asynchronous                                     | No: batch testing                                     | Yes: bounded by token TTL                           | Yes: live session
Success rate              | High (40–60%+)                                                | Variable (0.1–4% where MFA is enforced)              | 0.1–4%                                                | Variable (depends on token TTL)                     | Variable (network dependent)
Technical skill required  | High (infrastructure, proxy)                                  | Low to medium                                        | Low to medium                                         | Medium to high                                      | High (network access)
Attack timeline           | Minutes to hours                                              | Hours to weeks                                       | Minutes to hours                                      | Hours to weeks                                      | Real time
Attacker infrastructure   | Proxy servers, domains, TLS certificates                      | Phishing host, domain                                | Pre-harvested credential list                         | Network access (MITM capable)                       | Network access (ARP spoofing, DNS, etc.)
Ideal for                 | Bypassing all MFA except FIDO2; high-value targeted campaigns | Mass credential collection where MFA is not deployed | Testing breached credentials at scale across services | Post-authentication access without new login events | Intercepting traffic on compromised networks or public Wi-Fi

Reverse proxy phishing is a variant of adversary-in-the-middle (AiTM) phishing. The terms are often used interchangeably, but "reverse proxy phishing" emphasizes the reverse proxy infrastructure, while "AiTM phishing" is the broader category. Reverse proxy phishing always involves a proxy, while traditional AiTM may involve other interception methods according to Memcyco's 2025, Talos's 2025, and Barracuda's 2025 guidance.

Why does reverse proxy phishing matter?

Reverse proxy phishing has emerged as one of the most sophisticated and damaging phishing techniques, exploiting the gap between standard MFA and phishing-resistant MFA.

Prevalence and attack volume

Barracuda reported over one million phishing-proxy attacks detected in January and February 2025 alone, targeting cloud services, finance and enterprise portals; Proofpoint and other sources likewise put attempted account takeovers via EvilProxy, Tycoon 2FA and Evilginx at one million in early 2025. Lab539 measured a 146% rise in AiTM reverse proxy phishing across 2024 with continued escalation in 2025: proxy infrastructure observed in January 2025 was up 30% on July 2024 (the busiest month of 2024) and 50% year on year from January 2024.

Dominant phishing kits (Q1 2025)

EvilProxy averaged roughly 280 active servers between January 2024 and April 2025 and is the commercial PhaaS platform with the most sophisticated detection evasion. NakedPages averaged roughly 220 active servers over the same period; it is an older platform that remains widely used. Evilginx is the free, open-source reverse proxy kit on GitHub and remains highly prevalent. Tycoon 2FA is a commercial PhaaS platform gaining adoption, and Sneaky 2FA is a newer kit with advanced detection evasion. Storm-1167 is Microsoft's designation for a threat actor that runs reverse proxy phishing campaigns rather than a kit in its own right, according to Sekoia.io, Talos, GitHub, Proofpoint, and Okta Threat Intelligence in 2025.

Distribution method evolution

Lures moved from QR codes in early 2024 to HTML attachments in mid-2024 and then to SVG files in late 2024 and 2025, which are the hardest to detect: SVG is an XML format that can embed script and links, which many email scanners do not analyse, and when opened it redirects the victim to the proxy domain. Threat actors keep changing the carrier to stay ahead of email security filters, according to Sekoia.io's 2025 and Barracuda's 2025 guidance.

Target sectors and services

Cloud services include Microsoft 365, Google Workspace, AWS, and Azure. SaaS platforms include Okta, Slack, Salesforce, and ServiceNow. Financial services include banks, fintech platforms, and payment processors. Enterprise services include VPN gateways, corporate email, and admin portals. Identity providers include GitHub, Apple, and Google accounts according to Menlo Security, Okta, and multiple 2025 sources.

Business impact

Compromised accounts are used for business email compromise (BEC) fraud, data exfiltration and ransomware deployment. For scale, IBM's Cost of a Data Breach Report 2024 puts the global average cost of a data breach at $4.88 million (across all breach types, not only account compromise).

What are the limitations of reverse proxy phishing?

Phishing-resistant MFA completely defeats reverse proxy phishing

FIDO2/WebAuthn credentials are bound to the relying party's origin. The browser will only exercise a credential for the rpId it was registered to, and only from a page whose origin matches that rpId, and the assertion it produces is a signature over the server's challenge together with the origin the user actually visited. A proxy on a lookalike domain therefore either never obtains an assertion at all or obtains one the real service rejects, and it cannot forge one because the private key never leaves the authenticator. Windows Hello for Business and smart-card (PKI) sign-in rely on the same kind of device-held private key, so they cannot be relayed either. TOTP, SMS codes and push approvals carry no origin information and can all be relayed, according to NIST SP 800-63-4, Talos's 2025, and Canadian Cyber Centre's 2025 guidance.
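The following simulation is added for this article and is not code from any phishing kit or vendor. It models the three parties offline: a legitimate identity provider, the victim's browser with its authenticator, and the attacker's relay. It first runs the password-plus-TOTP flow from the "How does reverse proxy phishing work?" section, showing that the relay ends up holding a replayable cookie, and then the WebAuthn flow, showing each point at which the origin binding described above stops it. The origins, the sample account, and the HMAC used in place of the authenticator's public-key signature are all constructed assumptions.

```python
"""Offline model of reverse proxy (AiTM) phishing against TOTP and against WebAuthn.
Added simulation for this article, not a phishing kit or vendor code. HMAC stands in
for the authenticator's public-key signature; origins and credentials are constructed."""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example.com"  # assumed legitimate IdP
RP_ID = "login.example.com"
PROXY_ORIGIN = "https://login-example.com"  # assumed attacker lookalike


class IdP:  # legitimate service: password + TOTP, or WebAuthn; issues bearer cookies
    def __init__(self):
        self.password, self.totp_code = "correct horse", "123456"  # sample account
        self.cred_key = secrets.token_bytes(32)  # registered credential (symmetric stand-in)
        self.sessions, self.challenges = set(), set()

    def _issue_cookie(self):
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def login_totp(self, password, code):
        ok = password == self.password and hmac.compare_digest(code, self.totp_code)
        return self._issue_cookie() if ok else None

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def verify_webauthn(self, assertion):
        client_data = json.loads(assertion["client_data"])
        if client_data["origin"] != LEGIT_ORIGIN or client_data["challenge"] not in self.challenges:
            return None  # origin or challenge mismatch: the check that defeats a relay
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"].encode()).digest()
        if not hmac.compare_digest(hmac.new(self.cred_key, signed, "sha256").digest(), assertion["sig"]):
            return None  # clientDataJSON was altered after signing
        self.challenges.discard(client_data["challenge"])
        return self._issue_cookie()


class Browser:  # victim's browser plus authenticator; `origin` is the page actually loaded
    def __init__(self, origin, idp, enforce_rp_id=True):
        self.origin, self.enforce_rp_id = origin, enforce_rp_id
        self.creds = {RP_ID: idp.cred_key}  # credentials are scoped to an rpId

    def webauthn_get(self, rp_id, challenge):
        host = self.origin.split("://", 1)[1]
        if self.enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
            raise ValueError("SecurityError: rpId not valid for this origin")
        if rp_id not in self.creds:
            raise ValueError("NotAllowedError: no credential registered for this rpId")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": self.origin})
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash, as in real authenticatorData
        signed = auth_data + hashlib.sha256(client_data.encode()).digest()
        return {"client_data": client_data, "auth_data": auth_data,
                "sig": hmac.new(self.creds[rp_id], signed, "sha256").digest()}


class ReverseProxy:  # attacker's relay: forwards what the victim submits, keeps any Set-Cookie
    def __init__(self, idp):
        self.idp, self.captured = idp, []

    def relay_totp(self, password, code):
        cookie = self.idp.login_totp(password, code)
        self.captured += [cookie] if cookie else []
        return cookie

    def relay_webauthn(self, browser, rp_id=RP_ID, rewrite_origin=False):
        challenge = self.idp.new_challenge()  # fetched live from the real service
        try:
            assertion = browser.webauthn_get(rp_id, challenge)
        except ValueError:
            return None
        if rewrite_origin:  # tamper with clientDataJSON to claim the real origin
            cd = json.loads(assertion["client_data"])
            cd["origin"] = LEGIT_ORIGIN
            assertion["client_data"] = json.dumps(cd)
        cookie = self.idp.verify_webauthn(assertion)
        self.captured += [cookie] if cookie else []
        return cookie


def run_scenarios():
    idp, results = IdP(), {}
    proxy, victim = ReverseProxy(idp), Browser(PROXY_ORIGIN, idp)  # victim is on the lookalike
    lax = Browser(PROXY_ORIGIN, idp, enforce_rp_id=False)  # hypothetical browser without rpId check
    # 1. Password + TOTP relayed live: the cookie is captured and replays as the user.
    results["totp_cookie_replays"] = proxy.relay_totp("correct horse", "123456") in idp.sessions
    # 2. WebAuthn on the lookalike origin: the browser refuses to use the credential.
    results["webauthn_via_proxy"] = proxy.relay_webauthn(victim)
    # 3. Attacker asks for an rpId matching their own domain: no credential exists for it.
    results["webauthn_attacker_rpid"] = proxy.relay_webauthn(victim, rp_id="login-example.com")
    # 4. Without the browser check, the server still rejects the proxy origin ...
    results["webauthn_lax_browser"] = proxy.relay_webauthn(lax)
    # 5. ... and rewriting the origin field breaks the signature over clientDataJSON.
    results["webauthn_origin_rewritten"] = proxy.relay_webauthn(lax, rewrite_origin=True)
    results["captured_cookies"] = len(proxy.captured)
    return results
```

Run `run_scenarios()`: the TOTP path yields one captured cookie that the service accepts as a valid session, while every WebAuthn path returns no cookie. Scenarios 4 and 5 are deliberately unrealistic (browsers do enforce the rpId check) and exist only to show that the server-side origin check and the signature over clientDataJSON each defeat the relay on their own.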

Detection and forensic capabilities

Authentication log analysis can surface the compromise after the fact: impossible travel, where the same session is used from two distant locations in a short window; new MFA device registration, because attackers often add a second MFA method for persistence; new mailbox rules (forwarding, delegates, BCC recipients, or rules that delete mail) created after the compromise; and sign-ins at times the user never normally works.

Behavioural analytics watch access patterns, bulk downloads, data exfiltration and permission changes. Certificate transparency logs reveal newly issued certificates for lookalike domains, since every proxy needs a valid certificate for its own domain. Email security analyses the delivery mechanism, including HTML and SVG attachment payloads and redirect chains that end at a proxy. Threat intelligence tracks known proxy infrastructure: IP addresses, domains, hosting providers and PhaaS-specific indicators.
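As an added example, not code from any of the cited vendors, here is the log analysis described above run over constructed sign-in and mailbox-audit events. The newline-delimited JSON schema and field names are assumptions standing in for a real identity-provider or mailbox audit feed; the rules flag one session cookie used from two countries within a short window, MFA methods registered inside such a session, and inbox rules that forward mail externally or delete it.

```python
"""Hunt for AiTM follow-on activity in sign-in and mailbox audit logs.
Added detection example for this article, not vendor code. The NDJSON schema and
field names below are assumptions, not a real Entra ID or Okta format."""
import json
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed sample: one victim (alice) whose cookie is replayed, one normal user (bob).
SAMPLE_LOGS = """\
{"ts":"2025-03-04T08:02:11Z","event":"signin","user":"alice","ip":"203.0.113.10","country":"DE","session":"s-9f3e"}
{"ts":"2025-03-04T08:09:47Z","event":"signin","user":"alice","ip":"198.51.100.77","country":"NG","session":"s-9f3e"}
{"ts":"2025-03-04T08:15:02Z","event":"mfa_method_added","user":"alice","ip":"198.51.100.77","country":"NG","session":"s-9f3e","method":"authenticator_app"}
{"ts":"2025-03-04T08:21:30Z","event":"inbox_rule_created","user":"alice","ip":"198.51.100.77","country":"NG","session":"s-9f3e","rule":{"name":".","forward_to":"drop@example.net","delete":true}}
{"ts":"2025-03-04T09:00:00Z","event":"signin","user":"bob","ip":"203.0.113.22","country":"DE","session":"s-0a11"}
{"ts":"2025-03-04T09:30:00Z","event":"inbox_rule_created","user":"bob","ip":"203.0.113.22","country":"DE","session":"s-0a11","rule":{"name":"Newsletters","move_to":"Archive"}}
{"ts":"2025-03-04T17:30:00Z","event":"signin","user":"bob","ip":"203.0.113.22","country":"DE","session":"s-0a11"}
"""


def parse_logs(text):
    """Parse NDJSON events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, travel_window=timedelta(hours=2)):
    """Return alerts for (1) one session used from two countries within travel_window,
    (2) MFA methods registered inside such a session, and (3) inbox rules that forward
    mail externally or delete it (severity raised when created in a flagged session)."""
    alerts, flagged, last_signin = [], set(), {}
    for e in events:
        sid = e["session"]
        if e["event"] == "signin":
            prev = last_signin.get(sid)
            if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= travel_window:
                flagged.add(sid)
                alerts.append({"rule": "session_reuse_impossible_travel", "user": e["user"],
                               "session": sid, "detail": f'{prev["country"]} -> {e["country"]}'})
            last_signin[sid] = e
        elif e["event"] == "mfa_method_added" and sid in flagged:
            alerts.append({"rule": "mfa_persistence_in_hijacked_session", "user": e["user"],
                           "session": sid, "detail": e["method"]})
        elif e["event"] == "inbox_rule_created":
            rule, fwd = e["rule"], e["rule"].get("forward_to", "")
            external = bool(fwd) and not fwd.lower().endswith("@" + INTERNAL_DOMAIN)
            if external or rule.get("delete"):
                alerts.append({"rule": "suspicious_inbox_rule", "user": e["user"], "session": sid,
                               "severity": "high" if sid in flagged else "medium",
                               "detail": f'name={rule["name"]!r} forward_to={fwd or None} delete={bool(rule.get("delete"))}'})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

On the sample, alice's session produces three alerts in sequence (cookie reuse across countries seven minutes apart, an MFA method added inside that session, and an external-forward-and-delete rule named ".") while bob's ordinary archive rule is ignored. The session identifier is the key: a replayed cookie shows up as the same session from a new network, which is a stronger signal than a new IP on its own.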

Attack constraints

Session tokens expire: a plain session cookie typically lives 8 to 24 hours, so the attacker must act quickly or rely on captured persistent cookies or refresh tokens. A password change often (though not always) invalidates existing sessions, and an administrator can revoke them explicitly. The infrastructure has cost and complexity: domain registration, TLS certificates, hosting, obfuscation and the operational security to keep it all undetected.

The proxy can itself be detected, because a relay differs from the real service in latency, response details and headers. Conditional access that re-challenges MFA for sensitive actions, or on device or location anomalies, can invalidate the attacker's session mid-use. And while Evilginx hides from static scanning, dynamic and behavioural analysis and endpoint or identity telemetry can still identify proxy activity.

How can organizations defend against reverse proxy phishing?

User and individual-level defenses

Enable phishing-resistant MFA: FIDO2 security keys (YubiKey, Google Titan), Windows Hello for Business, or passkeys, not TOTP, SMS or push notifications. Verify the domain in the address bar during authentication and insist on an exact match, watching for typos, hyphens, punycode and lookalike characters. HTTPS and a padlock are not a safety signal here, because the proxy domain has a valid certificate too; be suspicious of any authentication challenge on an unfamiliar domain.

Treat unexpected MFA prompts, or a second prompt in the same session, as a stop signal: do not approve, and contact IT. Review login history, active sessions, connected apps, forwarding rules and enrolled MFA devices regularly. Avoid authenticating over public Wi-Fi without a VPN; this addresses network-layer interception rather than reverse proxy phishing, but reduces exposure generally. Report phishing immediately by forwarding suspicious emails to the security team without clicking links. Keep browser, OS and security software current so that credential-stealing malware cannot take the session by another route.

Organization-level defenses

Deploy FIDO2/WebAuthn, Windows Hello, or hardware keys on all user accounts with no exceptions. Priority includes email, administrative access, and cloud or SaaS including Microsoft 365, Google Workspace, and Okta. Target 80% adoption within 6 months and 100% within 12 months. Ensure MFA is required for all authentication with no exemptions or fallback to weaker MFA according to Talos's 2025, Canadian Cyber Centre's 2025, and Microsoft's 2025 guidance.

Require MFA re-challenge for sensitive actions including email forwarding, rule creation, and admin access. Implement step-up authentication for geographic anomalies, impossible travel, and unusual device. Block logins from non-compliant devices or outside org IP ranges. Flag sessions and require re-authentication if suspicious activity detected according to Microsoft Entra Conditional Access, Okta, and Ping Identity guidance.

Monitor authentication logs and alert on impossible travel, MFA device registration, and session token reuse from different locations. Email security should use advanced analysis of HTML and SVG attachment payloads, detect redirect URLs, and block known proxy infrastructure. SIEM should monitor for session hijacking patterns, unusual account access behavior, bulk data exfiltration, and forwarding rule changes. Use UEBA (User and Entity Behavior Analytics) to detect anomalies in account access, data access, and account modifications with real-time alerting for compromised account indicators according to Talos, Sekoia.io, and Barracuda in 2025.

Use advanced email filtering with domain reputation, typosquat detection, and zero-trust verification. Sandbox HTML and SVG attachments because even "safe" file types can contain malicious redirects. Use link rewriting and URL inspection to detect proxy redirect chains. Enforce DMARC, SPF, and DKIM to prevent domain spoofing. Conduct user security awareness training on reverse proxy phishing, domain verification, and unexpected MFA prompts.

Monitor certificate transparency logs for typosquatted domains such as "microsoft-verify" and "office365-auth." Use domain reputation services to block newly registered or suspicious domains. Establish rapid takedown procedures with domain registrars and hosting providers. Monitor for known proxy hosting infrastructure including IP ranges and providers used by PhaaS platforms.

Enforce short session token lifetimes (8 hours max for sensitive services). Require re-authentication for sensitive actions including forwarding rules, user creation, permission changes, and data access. Monitor and invalidate stolen session cookies by integrating dark web credential monitoring. Implement absolute session timeout to force re-login after N hours. Log all session creation and invalidation events for forensics.

Document an incident runbook covering rapid credential rotation for compromised accounts, forced invalidation of all active sessions and refresh tokens, an audit of post-compromise activity (mail forwarding rules, delegates, newly registered MFA methods, data access), notification of affected users and any compliance obligations, and forensic logging sufficient to establish the scope and timeline of the compromise, according to Arkose Labs's 2025, Invictus IR, and Memcyco's 2025 guidance.

Technical solutions and vendors (2025)

Phishing-resistant MFA solutions include Yubico (FIDO2 keys), Duo, Microsoft Authenticator, Google Account (passkeys), 1Password, and Okta Verify, each only where configured for FIDO2 or passkeys rather than codes or push. IAM and conditional access platforms include Microsoft Entra ID, Okta, Ping Identity, Auth0, and JumpCloud. Email security solutions include Proofpoint, Barracuda Networks, Mimecast, Microsoft Defender for Office 365, and Cisco Secure Email (backed by Talos intelligence). SIEM and detection platforms include Splunk, Elastic Security, CrowdStrike Falcon, Microsoft Sentinel, and Datadog. Behavioral analytics solutions include Darktrace, Exabeam, Splunk, and CrowdStrike. Domain and proxy monitoring includes Certificate Transparency logs, passive DNS, and domain reputation services. Proxy detection includes Memcyco (specialized AiTM/reverse proxy detection), Arkose Labs, and WAF plus behavioral analysis according to Talos's 2025, Menlo Security's 2025, and Okta's 2025 guidance.

FAQs

What is the difference between reverse proxy phishing and traditional phishing?

Traditional phishing collects the password on a fake page and attempts to log in later, which is blocked by MFA. Reverse proxy phishing relays the user's authentication to the real service in real time, capturing the session cookie after MFA is satisfied. When the attacker replays the session cookie, they appear as an already-authenticated user, so MFA is never triggered. Reverse proxy phishing requires more sophisticated infrastructure, but defeats standard MFA entirely according to Memcyco's 2025 and Proofpoint's 2025 guidance.

Can my email security filter detect reverse proxy phishing?

Standard email filters struggle because phishing emails simply contain links to attacker-controlled domains or attachments such as HTML and SVG files that redirect to proxies. The emails themselves are not malicious—they're social engineering. Modern email security should block typosquatted domains and suspicious redirects, but determined attackers constantly register new domains. User awareness via checking URLs carefully and phishing-resistant MFA are the strongest defenses according to Barracuda's 2025 and Sekoia.io's 2025 guidance.

If I use TOTP (authenticator app), am I protected against reverse proxy phishing?

No. TOTP codes are generated locally on your device, but a code you type into the proxy's page is forwarded to the legitimate service within its validity window (a 30-second step, plus the skew the server tolerates), so the relay succeeds. Only origin-bound authenticators such as FIDO2 security keys, passkeys and Windows Hello for Business resist this, because the response is cryptographically tied to the legitimate domain and the proxy cannot produce a valid one for its own, according to NIST SP 800-63-4, Talos's 2025, and Canadian Cyber Centre's 2025 guidance.

How long does an attacker have to use a captured session cookie?

Typically 8 to 24 hours for a plain session cookie on cloud services like Microsoft 365 or Google Workspace, but persistent sign-in cookies and refresh tokens captured alongside it can keep the session usable for days or weeks, so treat the 8-to-24-hour figure as a floor rather than a ceiling. Even so, attackers act quickly because the session can be cut short at any point: by a password change that invalidates sessions, by the organization detecting the compromise and revoking tokens, or by conditional access challenging suspicious activity and forcing re-authentication. Some organizations enforce absolute timeouts (re-login every 8 hours, or shorter for sensitive services). Attackers often register an additional MFA method during the first access so they can sign in afresh even after the original session is revoked, according to Talos's 2025 and Arkose Labs's 2025 guidance.

Should I worry about reverse proxy phishing if I use FIDO2?

No, with two caveats. If you sign in with a FIDO2 security key, a passkey or Windows Hello for Business, the proxy cannot obtain or forge a valid authentication response for its lookalike domain, so the relay fails and your account is not compromised. The caveats are that no weaker fallback method (SMS, TOTP, push) should remain enrolled that the kit can prompt for instead, and that an existing session cookie can still be stolen by other means, such as credential-stealing malware on the device. FIDO2 is the gold-standard defense against reverse proxy phishing according to Talos's 2025, Canadian Cyber Centre's 2025, and NIST SP 800-63-4 guidance.

© 2026 Kinds Security Inc. All rights reserved.