Threat Watch

New EvilProxy Service Lets All Threat Groups Use Advanced Phishing Tactics

A new Phishing-as-a-Service (PaaS) platform has emerged that uses reverse proxy technology and promises to steal authentication tokens in order to bypass multi-factor authentication (MFA). The service currently supports stealing tokens for services on Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and PyPI.

The reverse proxy that EvilProxy utilizes sits between the targeted victim and the legitimate authentication endpoint of the targeted service. When the victim accesses the phishing page, the reverse proxy displays the legitimate login form of the service. When the user enters their credentials into the form, the proxy forwards the request to the actual platform’s server for authentication, which in turn returns the platform’s MFA request. The user receives the MFA request and completes it, and the reverse proxy forwards the response to the platform’s server. Once MFA has been completed, the platform’s server returns the session cookie containing the authentication token to the user. Because the reverse proxy intercepts and forwards all requests, the malicious proxy also receives the session cookie, which allows the threat actor to steal it and use it to log into the site as the user. This method bypasses MFA because the threat actor steals an already generated and active authentication token for the platform in question.

While reverse proxies used to bypass MFA are not new, EvilProxy’s service has been built to be far simpler to use than many of the other phishing frameworks that support this method. EvilProxy offers an easy-to-use GUI and detailed instructional videos and tutorials, which allow more low-skill threat actors to steal authentication tokens for well-protected accounts.


If possible, it is recommended to implement client-side TLS fingerprinting within a network. TLS fingerprinting can help identify and filter out potential man-in-the-middle attacks, thus helping to prevent EvilProxy phishing attempts from succeeding. Organizations should also implement user training to help spot and remove phishing emails. While EvilProxy uses a reverse proxy to serve legitimate content on its phishing page, the page itself is still hosted on an abnormal domain that is not related to the service in question. By training users to identify potentially malicious URLs, an organization can help prevent users from accessing the page and providing credentials to the threat actors. Finally, some of the domains used by the EvilProxy infrastructure have been uncovered, so these domains should be investigated and blocked to prevent users from being able to access them. The domains are:

• msdnmail[.]net
• top-cyber[.]club
• rproxy[.]io
• login-live[.]rproxy[.]io
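
One way to investigate these domains in existing web proxy logs, as an added example that is not part of the original advisory. The `timestamp user url` log format, the user names and every hostname other than the four listed indicators are constructed assumptions.

```python
from urllib.parse import urlsplit

# Indicators exactly as listed in the advisory (defanged form).
DEFANGED_IOCS = ["msdnmail[.]net", "top-cyber[.]club",
                 "rproxy[.]io", "login-live[.]rproxy[.]io"]

def refang(indicator):
    """Turn a defanged indicator into a normalized hostname."""
    return indicator.replace("[.]", ".").strip().rstrip(".").lower()

BLOCKED = {refang(i) for i in DEFANGED_IOCS}

def host_of(value):
    """Extract the hostname from a URL or a bare host[:port] value."""
    if "://" not in value:
        value = "//" + value  # lets urlsplit parse bare hosts
    try:
        host = urlsplit(value).hostname or ""
    except ValueError:  # malformed value, e.g. unbalanced brackets
        return ""
    return host.rstrip(".").lower()

def matched_ioc(value):
    """Return the listed domain the host equals or is a subdomain of, else None."""
    labels = host_of(value).split(".")
    # Compare whole labels so "notrproxy.io" and "rproxy.io.example.com" do not match.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED:
            return candidate
    return None

def scan(lines):
    """Return (user, url, ioc) hits from lines in the assumed 'timestamp user url' format."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and (ioc := matched_ioc(parts[2])):
            hits.append((parts[1], parts[2], ioc))
    return hits

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2022-01-01T10:01:02Z alice https://login-live.rproxy.io/common/oauth2",
    "2022-01-01T10:01:05Z bob https://login.example.com/",
    "2022-01-01T10:02:11Z carol http://MSDNMAIL.net:8080/inbox",
    "2022-01-01T10:03:40Z dave https://rproxy.io.example.com/",
    "2022-01-01T10:04:00Z erin https://notrproxy.io/",
]
```

Calling `scan(SAMPLE_LOG)` flags only the `alice` and `carol` entries. The same `matched_ioc` check can be applied to DNS query logs by passing the queried name instead of a URL.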