In the ongoing battle between enterprises and cybercriminals, adversary-in-the-middle (AiTM) attacks using reverse proxy infrastructure have emerged as a powerful mechanism for bypassing multi-factor authentication (MFA).
Recent analyses reveal that attackers increasingly rely on these tactics, intercepting both user credentials and the session cookie issued after MFA, thereby neutralizing the additional security that MFA is designed to provide.
Evolution of Phishing Attacks: The MFA Bypass Problem
Phishing has long been the bread and butter of cybercriminal operations, with threat actors traditionally relying on deceptive websites to harvest usernames and passwords.
Over time, defenders have responded with measures like anti-spam filters and end-user training, as well as more robust authentication approaches such as MFA.
However, the rise of AiTM tactics has shifted the landscape. Attackers now position a reverse proxy between the victim and legitimate web services.

When users attempt to log in through such a proxy, their traffic is transparently relayed to the real destination, so the phishing site looks and behaves exactly like the genuine one, save for the subtle difference in its URL.
This lets attackers harvest not only the traditional credentials but also the session's authentication cookie, which the legitimate service issues once the victim completes the MFA challenge.
Because that cookie already represents a fully authenticated session, presenting it grants immediate access to the target account without any further MFA prompt, subverting the mechanism entirely.
Phishing-as-a-Service: Lowering the Bar for Attackers
The proliferation of Phishing-as-a-Service (PhaaS) toolkits such as Tycoon 2FA, Evilproxy and Rockstar 2FA has radically simplified the process of establishing large-scale AiTM campaigns.
These platforms offer ready-made templates for high-value targets and add features such as URL and IP filtering, JavaScript injection, and User-Agent targeting, which serve the proxied login page only to intended victims and show scanners something harmless.
Many toolkits also dynamically obfuscate their malicious scripts to evade traditional detection mechanisms.
Notably, publicly available tools like Evilginx provide open-source, customizable reverse proxy frameworks that have been adopted both by legitimate penetration testers and malicious actors.
Attackers often deploy these reverse proxies on newly registered domains with freshly issued TLS certificates; such deployments can leave subtle technical fingerprints, such as distinctive URL paths or particular certificate issuers, that defenders can use to identify them before they attract broader scrutiny.
Post-compromise, cybercriminals frequently move to establish persistence by registering additional MFA devices on breached accounts.
WebAuthn: Origin-Bound, Phishing-Resistant Authentication
The Fast IDentity Online (FIDO) Alliance and W3C have developed the Web Authentication API (WebAuthn), a passwordless authentication method that leverages public key cryptography.
With WebAuthn, no password or shared secret is ever transmitted; instead, the private key remains secured on the user's device or security key, and only the corresponding public key is stored on the server.

This architecture not only renders a stolen server-side credential database nearly useless to attackers (it holds only public keys) but also binds each credential to the relying party's domain and has the browser record the origin it is actually on inside the signed assertion, so an assertion produced on a look-alike proxy domain is rejected by the real service, making AiTM attacks via reverse proxies largely ineffective.
Despite these considerable advantages, adoption remains sluggish.
According to recent telemetry from Cisco Duo, WebAuthn-based authentications still represent a small fraction of all MFA transactions, a trend attributed to organizational inertia and existing investments in older MFA solutions.
With rapid advancements in phishing toolkits and the widespread availability of AiTM reverse proxies, organizations must urgently reassess their MFA strategies.
Experts warn that conventional MFA, such as one-time passwords or push notifications, may no longer offer sufficient protection against modern, proxy-based phishing threats, because anything the user types or approves can be relayed by the proxy in real time.
Transitioning to origin-bound, cryptography-backed solutions like WebAuthn is increasingly being viewed as the next step in robust identity security.
Until then, cyber defenders should closely audit authentication logs, watch for session cookies presented from a different IP address or user agent than the one that completed MFA, treat newly registered MFA methods on such sessions as a persistence indicator, and remain vigilant against a rapidly evolving threat landscape.
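As an added example (not code or data from the article), the detection pass below runs the two checks just recommended, and also covers the post-compromise persistence step described earlier, over a handful of constructed sign-in and audit events. The JSON-lines format, field names, IP addresses and users are all assumptions; real identity providers expose different schemas, and the binding of a session to the client that completed MFA would normally come from the provider's own session and audit logs.

```javascript
// Constructed sample events (assumed JSON-lines format and field names), not real logs.
const CONSTRUCTED_LOG = [
  '{"ts":"2025-03-04T09:00:01Z","event":"mfa_completed","user":"alice","session":"S1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/123"}',
  '{"ts":"2025-03-04T09:00:05Z","event":"request","user":"alice","session":"S1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/123","path":"/mail"}',
  '{"ts":"2025-03-04T09:01:40Z","event":"request","user":"alice","session":"S1","ip":"198.51.100.77","ua":"python-requests/2.31","path":"/mail"}',
  '{"ts":"2025-03-04T09:03:12Z","event":"mfa_method_added","user":"alice","session":"S1","ip":"198.51.100.77","ua":"python-requests/2.31","method":"authenticator_app"}',
  '{"ts":"2025-03-04T09:10:00Z","event":"mfa_completed","user":"bob","session":"S2","ip":"192.0.2.5","ua":"Mozilla/5.0 (Macintosh) Safari/17"}',
  '{"ts":"2025-03-04T09:12:00Z","event":"request","user":"bob","session":"S2","ip":"192.0.2.5","ua":"Mozilla/5.0 (Macintosh) Safari/17","path":"/files"}',
  '{"ts":"2025-03-04T09:40:00Z","event":"mfa_method_added","user":"bob","session":"S2","ip":"192.0.2.5","ua":"Mozilla/5.0 (Macintosh) Safari/17","method":"fido2"}',
];

function parseEvents(lines) {
  return lines.map((line) => JSON.parse(line));
}

// Pins each session cookie to the client (ip, user agent) that completed MFA for it.
// A later request on the same session from a different client is what an AiTM operator
// replaying the captured cookie looks like; a new MFA method added from such a session
// is escalated, since that is the persistence step described above.
function detectSessionAnomalies(events, { maxAgeMinutes = 24 * 60 } = {}) {
  const bound = new Map();      // session -> { ip, ua, mfaAt }
  const replayed = new Set();   // sessions already flagged, to avoid repeat findings
  const findings = [];
  for (const e of events) {
    const t = Date.parse(e.ts);
    if (e.event === 'mfa_completed') {
      bound.set(e.session, { ip: e.ip, ua: e.ua, mfaAt: t });
      continue;
    }
    const origin = bound.get(e.session);
    if (!origin || t - origin.mfaAt > maxAgeMinutes * 60_000) continue;   // unknown or expired session
    const changed = [];
    if (e.ip !== origin.ip) changed.push(`ip ${origin.ip} -> ${e.ip}`);
    if (e.ua !== origin.ua) changed.push(`ua ${origin.ua} -> ${e.ua}`);
    if (changed.length && !replayed.has(e.session)) {
      replayed.add(e.session);
      findings.push({ severity: 'medium', rule: 'session_cookie_replayed', user: e.user,
        session: e.session, ts: e.ts, detail: changed.join('; ') });
    }
    if (e.event === 'mfa_method_added') {
      findings.push({ severity: replayed.has(e.session) ? 'high' : 'info', rule: 'mfa_method_added',
        user: e.user, session: e.session, ts: e.ts, detail: `${e.method} added from ${e.ip}` });
    }
  }
  return findings;
}

for (const f of detectSessionAnomalies(parseEvents(CONSTRUCTED_LOG))) {
  console.log(`${f.severity.toUpperCase()} ${f.rule} user=${f.user} session=${f.session} ${f.detail}`);
}
```

On the sample, alice's session S1 is flagged when the cookie minted for a Windows Chrome client is reused from a scripted client at another address, and the authenticator app registered from that session two minutes later is raised to high severity; bob's FIDO2 registration from his own unchanged session stays informational. In production, comparing raw IP addresses is noisy for mobile users, so the IP comparison is usually done at the ASN or geolocation level, while a user-agent change on a live session remains a strong signal.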