Pattern Drive Private Limited

New EvilProxy Phishing Service

EvilProxy Phishing: How Are Cybercriminals Proven To Bypass 2FA & MFA?

Updated on: 14/02/2023

1031 Views | 0 Comments

In recent months, EvilProxy Phishing or Evil Proxy has been the talk of the town. A huge number of articles have been published about the PhaaS tool or phishing-as-a-Service tool. The reason? Well through this service, the hackers can easily bypass the 2FA or Two-factor Authentication and Multi-Factor Authentication (MFA). This is indeed a serious issue. In this article, we will discuss everything about Evil Proxy phishing and focus on how they are being carried out. Additionally, keep an eye on the end to receive tips to be safe from such attacks. 

Essential Points To Note:

  • EvilProxy Phishing attack can be termed a Man-in-the-Middle (MiTM) attack.
  • The phishing technique used in this Evil Proxy MFA bypass is very clever and outsmarts both the host and the user without their understanding. 
  • Data extraction or data breaches become easier with this technique and noobs are mostly using this as they are not much familiar with the process of MiTM attacks or codings.
  • Companies and individuals need to adopt some security measures to keep away such cyber attacks at bay.


What Is EvilProxy Or Evil Proxy Phishing Service?

Evil Proxy is a service-based technique that permits anyone to access the web-based platform to launch and as well as manage Man-in-the-Middle (MiTM) attacks. This is a great tool for the ones who are not much aware of how to set the reverse proxy to steal online accounts that are protected otherwise. 

So what is a reverse proxy? Well, these are servers that sit in between the targeted victim and the legit authentication endpoint, like a login form of a company. When the victim connects to the phishing page, the reverse proxy displays the legit login form, forwards the request, and then returns the responses from the website of the company. 

So basically, the platform generates phishing links that are just cloned pages designed to compromise the user accounts associated with Facebook, GitHub, Apple iCloud, GoDaddy, Instagram, Dropbox, Google, NPM, PyPI, Microsoft, Twitter, Yahoo, Yandex and more. Thus, now you know why reverse proxy is used.

EvilProxy Phishing Service: The Complete Procedure / Modus Operandi

As the name states, the EvilProxy is used to phish users or trick the users to retrieve their log in ids and passwords by making them believe that they are actually entering their details on a legit website. Suppose person A wants to visit Google and Person B displays a fake Google login page to person A. The latter will identify the login page to be from Google and will enter the login details believing in the way the user interface looks. This is when person A is tricked or phished by Person B.

Usually, the 2FA or MFA works by using a mobile app to generate an authentication code or One Time Password (OTP). This code needs to be entered within a specific time limit to be able to authenticate the login. For the latest Google login, a number is displayed on the notification shade of the registered mobile and the other device where you are attempting to log in. Once the same number is selected, the login is authenticated and the number is invalidated. 

So, the EvilProxy simply acts like a reflector or a proxy that sits in the middle and reflects all of a user’s actions to Google as if that proxy itself is the user.

Step 1: The User Puts Their Login Credentials Into The Phishing Site

In this step, the user is sent to a different website that looks like Google. For example, the user visits instead of Mostly, people do not cross-check the website URL. In this case, the URL of the original website does have a mismatch with the phishing Google website which the user fails to detect and enters their login credential.

Step 2: The Phishing Site Proxies Requests The Original Website & Asks For Authentication Codes

What the Phishing website usually does not do is that they do not directly communicate with the original host. This is not the case with EvilProxy. After the phishing website receives the user’s credentials, it sends the username and password request to Google or the original website. By doing this, the phishing website authenticates itself to be the user. Since Google has multi-factor authentication or 2FA turned on, it will not like the fact that a new device is trying to sign in. Thus, it will ask for an MFA or 2FA code from the phishing website to authenticate the login. The phishing website then shows the same request to the user.

Step 3: The User Puts In Additional Authentication 

The user enters the multi-factor or two-factor authentication credentials. This could be an OTP or Google Authentication Code. This authentication is submitted to the phishing website and then the phishing website in return submits to the original website which is Google, in this case acting as the user. Google then returns a set of cookies. This is where things get a bit interesting.

Step 4: The Original Website Returns A Set Of Session Cookies

Cookies are the ultimate key. The authentication is mainly to grab a set of cookies. The browser of the user when requests or sends a call to an API endpoint of read that cookie and says that the user is authenticated and is validated for the next couple of minutes to a day.

Thus, the phishing website, what it did was, acted as a user, and in the final step, it stole the cookies that were responded to by Google. These cookies can be exploited or sold which is obviously a secondary thing. 

How To Defend Against The MiTM Attacks / EvilProxy Attacks?

It is a fact that the MiTM attacks are quite simple to set up and they are highly effective. However, there are still some mitigation ways that you can implement to help identify these attacks and the new evil proxy phishing service. All of the following principles can be implemented by companies that are looking forward to defending against the EvilProxy Phishing attacks. 

1. Having Conditional Access Policies

Conditional access policies are great at thwarting Man-in-the-Middle Attacks. The evil server is the one that requests authentication. Thus, locking down access to services and systems from trustworthy devices, locations, or ranges. Conditional access rules should only permit organization-controlled phones and laptops to access the resources.

2. Alternative MFA

This should be kept in mind that not all multi-factor authentication is created equal. The basic MFA as present within the platforms such as Microsoft does not offer any kind of protection. On the contrary, FIDO2 or physical token-compliant devices do. These devices offer a much more robust approach to MFA authentication having additional verification that restricts such forms of attacks.

3. Data Center Ranges

The default configurations for these tools are mostly just used on the cloud servers. These services like AWS, Azure, Linode, Digital Ocean, or other similar providers offer an attacker or evil operator great flexibility in deploying infrastructure. Nonetheless, the IP ranges for these service providers are reputed and login or authentication events from these ranges are rare, especially within the normal user areas. Even if there are such incidents, the alerts stating an attack must be closely monitored and steps need to be taken accordingly.


EvilProxy phishing is a new concept that is capable of bypassing two-factor authentication (2-FA) and multi-factor authentication (MFA) through the Evil Proxy tool. The malicious actors do this pretty smartly where they constantly connect to the host and work as a middleman to obtain the required details. Thus, it is a serious issue and calls for individuals and companies to be vigilant enough from such phishing activities. They are also required to take the necessary steps to protect themselves and the companies from damages caused by these evil proxy attacks.



Leave a Comment

By Submitting you agree to our Terms of Service and Privacy Policy.