Reverse-Proxy Phishing
A phishing technique that uses a server acting as a transparent proxy between victim and target site, enabling real-time credential and token interception.
Also known as: AiTM phishing, proxy phishing, Evilginx phishing
Last reviewed: 1 June 2026
Reverse-proxy phishing is the technical infrastructure underpinning adversary-in-the-middle (AiTM) attacks. The attacker configures a server to act as an intermediary: all HTTP/S requests from the phishing victim are forwarded to the legitimate target site, and all responses are relayed back, with the attacker injecting modifications or logging captured data along the way.
From the victim's perspective the site looks and behaves exactly like the real one — it serves genuine content, has a valid TLS certificate (for the proxy domain), and accepts the same credentials. This makes reverse-proxy phishing pages nearly indistinguishable from the legitimate service, defeating visual phishing cues that users are trained to spot.
Tools like Evilginx, Modlishka, and Muraena make setting up reverse-proxy phishing infrastructure accessible to moderately skilled attackers. The attacker logs all credentials and, most valuably, session cookies issued post-authentication. Phishing-resistant authentication (FIDO2/hardware keys) is the most reliable defence because the authentication credential is bound to the legitimate domain, causing it to fail against a proxy domain.
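The domain binding described above, shown from the relying party's side as an added example (not code from this page or from any tool it names): the server-side checks on a WebAuthn assertion reject a login that was performed on a proxy origin. Host names, the challenge, the key and all function names are constructed for illustration, and an HMAC stands in for the authenticator's public-key signature.

```python
import hashlib, hmac, json

RP_ID = "login.example.com"          # constructed relying-party ID
EXPECTED_ORIGIN = "https://" + RP_ID
CRED_KEY = b"constructed-demo-key"   # HMAC stands in for the credential's signature

def _sign(auth_data: bytes, client_data: bytes) -> bytes:
    # WebAuthn signs authenticatorData || SHA-256(clientDataJSON).
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.new(CRED_KEY, msg, hashlib.sha256).digest()

def make_assertion(page_origin: str, rp_id: str, challenge: str) -> dict:
    """Build constructed sample input: what a browser would return for this page."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()  # origin is set by the browser
    # rpIdHash (32 bytes) + flags (UP|UV) + signature counter (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + bytes(4)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": _sign(auth_data, client_data)}

def verify_assertion(a: dict, expected_challenge: str) -> list:
    """Relying-party checks; returns names of failed checks (empty list = accept)."""
    failed = []
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if cd.get("challenge") != expected_challenge:
        failed.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:
        failed.append("origin")
    if a["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        failed.append("rpIdHash")
    expected_sig = _sign(a["authenticatorData"], a["clientDataJSON"])
    if not hmac.compare_digest(expected_sig, a["signature"]):
        failed.append("signature")
    return failed

def demo() -> dict:
    ch, proxy = "Y29uc3RydWN0ZWQ", "login.example-proxy.test"  # constructed values
    direct = make_assertion(EXPECTED_ORIGIN, RP_ID, ch)
    # Model assumption: a real authenticator has no credential for the proxy's RP ID.
    proxied = make_assertion("https://" + proxy, proxy, ch)
    # Swapping in the legitimate clientDataJSON after signing breaks the signature.
    rewritten = dict(proxied, clientDataJSON=direct["clientDataJSON"])
    return {name: verify_assertion(a, ch) for name, a in
            [("direct", direct), ("proxied", proxied), ("rewritten", rewritten)]}

if __name__ == "__main__":
    print(demo())
```

A production relying party verifies the signature with the credential's stored public key and also checks the flags and signature counter, normally through a maintained WebAuthn library rather than hand-written checks.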
Examples
- An attacker deploys Evilginx on a lookalike domain; victims who authenticate through it complete a real MFA challenge but have their session cookies silently captured.