EvilProxy
EvilProxy is a phishing-as-a-service (PhaaS) / adversary-in-the-middle (AiTM) phishing kit used to capture credentials and valid session cookies, enabling session hijacking and bypass of multi-factor authentication. Source reporting describes it as operating as a proxy between victims and enterprise login portals, with a graphical interface that helps criminals customize and automate phishing campaigns, and notes that it emerged in mid-2022. It is repeatedly cited as one of the most prevalent enterprise-targeted phishing kits, alongside Tycoon 2FA and Sneaky2FA, and as part of the broader shift toward identity-focused attacks against Microsoft 365 and similar cloud services.
Observed behavior includes redirecting victims from legitimate-looking OAuth or authentication flows to EvilProxy-powered phishing pages, intercepting passwords and session cookies, and, in some campaigns, using the OAuth state parameter to prefill the victim's email address. Source reporting also states that EvilProxy's man-in-the-middle proxying can evade traditional session-based detection. Hosting and delivery patterns mentioned include use of Google Sites (sites[.]google[.]com) to host malicious pages, and campaigns that abuse legitimate OAuth redirection behavior to bypass email and browser phishing protections.
Threat activity in the content links EvilProxy to financially motivated intrusion chains and phishing campaigns. Microsoft reported Storm-1811 used malicious links redirecting users to EvilProxy pages during Quick Assist and Teams-based social engineering operations that led to credential theft and follow-on deployment of tooling such as Qakbot, Cobalt Strike, ScreenConnect, NetSupport Manager, OpenSSH tunneling, SystemBC, and in some cases Black Basta ransomware. EvilProxy is also listed among tools abused by the Black Basta group. Additional reporting cited in the content says EvilProxy activity increased after disruption of Tycoon 2FA, and that phishing-as-a-service offerings such as EvilProxy and NakedPages lowered the technical barrier for AiTM phishing. A separate 2025-2026 campaign described in the content used the EvilProxy phishkit in supply-chain thread-hijacking attacks, with Cloudflare Turnstile CAPTCHA-based anti-bot steps, credential capture, and session token theft, primarily targeting Middle Eastern organizations, with likely victimology in finance and energy sectors.
High-confidence indicators and infrastructure explicitly mentioned for EvilProxy in the content include hosting on sites[.]google[.]com and related example domains/IOCs mphdvh[.]icu, kamitore[.]com, aircosspascual[.]com, and Lustefea[.]my[.]id. Additional campaign-specific indicators associated with EvilProxy-enabled phishing in the supplied content include URI pattern POST ^(/bot/), domain pattern ^loginmicrosoft*, and domains himsanam[.]com, bctcontractors[.]com, studiofitout[.]ro, st-fest[.]org, komarautikat[.]hu, eks-esch[.]de, avtoritet-car[.]com, and karaiskou[.]edu[.]gr.
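The indicators above can be turned into a small hunting routine. The following is an added example written for this page (it is not Mallory's code or any vendor's detection content). It refangs the page's defanged domains, treats the page's `^loginmicrosoft*` domain pattern and `POST ^(/bot/)` URI pattern as prefix matches (an assumption), and also flags the OAuth `state`-parameter email prefill and Google Sites hosting that the summary mentions. The log format and every log line are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Domains quoted on the page (defanged there with "[.]"; refanged and lowercased
# here so they compare against hostnames).
EVILPROXY_DOMAINS = {
    "mphdvh.icu", "kamitore.com", "aircosspascual.com", "lustefea.my.id",
    "himsanam.com", "bctcontractors.com", "studiofitout.ro", "st-fest.org",
    "komarautikat.hu", "eks-esch.de", "avtoritet-car.com", "karaiskou.edu.gr",
}

# The page gives the domain pattern as "^loginmicrosoft*" and the URI pattern as
# "POST ^(/bot/)"; both are interpreted here as prefix matches (assumption).
LOGINMICROSOFT_PREFIX = re.compile(r"^loginmicrosoft")
BOT_PATH_PREFIX = re.compile(r"^/bot/")

# Constructed sample web-proxy log: "<timestamp> <user> <method> <url>" per line.
SAMPLE_LOG = """\
2026-01-14T09:12:03Z alice GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x
2026-01-14T09:12:41Z alice GET https://loginmicrosoft-secure.himsanam.com/common/login
2026-01-14T09:12:44Z alice POST https://loginmicrosoft-secure.himsanam.com/bot/check
2026-01-14T09:15:10Z bob GET https://kamitore.com/oauth/authorize?state=bob%40example.com
2026-01-14T09:20:00Z carol GET https://sites.google.com/view/constructed-example
2026-01-14T09:21:00Z dave POST https://intranet.example.com/bot/status
"""


def host_matches_ioc(host):
    """True if host is one of the listed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in EVILPROXY_DOMAINS)


def classify(method, url):
    """Return the indicator names (fixed order) that fire for one request."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host_matches_ioc(host):
        reasons.append("ioc_domain")
    if LOGINMICROSOFT_PREFIX.match(host):
        reasons.append("loginmicrosoft_prefix")
    if method.upper() == "POST" and BOT_PATH_PREFIX.match(parts.path):
        reasons.append("bot_post")
    # Victim email carried in the OAuth state parameter (prefill behaviour from the page).
    if any("@" in v for v in parse_qs(parts.query).get("state", [])):
        reasons.append("email_in_state")
    # Google Sites hosting alone is far too common to alert on; record it as context only.
    if host == "sites.google.com":
        reasons.append("google_sites_host")
    return reasons


def severity(reasons):
    """Map fired indicators to a triage level; None means no hit at all."""
    if "ioc_domain" in reasons or {"loginmicrosoft_prefix", "bot_post"} <= set(reasons):
        return "high"
    if reasons and reasons != ["google_sites_host"]:
        return "medium"
    if reasons:
        return "info"
    return None


def hunt(log_text):
    """Parse the log and return one record per line that fired at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, method, url = line.split(maxsplit=3)
        reasons = classify(method, url)
        sev = severity(reasons)
        if sev:
            hits.append({"ts": ts, "user": user, "host": urlsplit(url).hostname,
                         "reasons": reasons, "severity": sev})
    return hits


def users_to_triage(hits):
    """Users with a high-severity hit: candidates for session revocation and password reset."""
    return {h["user"] for h in hits if h["severity"] == "high"}


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h["severity"], h["ts"], h["user"], h["host"], ",".join(h["reasons"]))
    print("triage:", sorted(users_to_triage(SAMPLE_LOG and hunt(SAMPLE_LOG))))
```

Because an AiTM kit relays the real login, a victim's password and MFA both succeed from their point of view, so the useful response to a high-severity hit is to revoke the user's existing sessions and refresh tokens, not only to reset the password. The `login.microsoftonline.com` line shows why the prefix pattern is anchored to the start of the hostname: the legitimate portal never matches it.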
Groups observed using it
1 distinct threat actor attributed by public researchers.
Storm-1811 also provides the target user with malicious links that redirect the user to an EvilProxy phishing site to input credentials. EvilProxy is an adversary-in-the-middle (AiTM) phishing kit used to capture passwords, hijack a user’s sign-in session, and skip the authentication process.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
One clear trend is the abuse of cloud infrastructure. Phishing incidents on Cloudflare Pages domains nearly tripled from 460 in 2023 to more than 1,370 in 2024... Other widely trusted services, including Azure Blob Storage, Google Firebase, AWS CloudFront, and Amazon S3, have also hosted phishing assets.
Initial Access
3 techniques
Some of the batch scripts observed reference installing fake spam filter updates requiring the targets to provide sign-in credentials... EvilProxy phishing site to input credentials.
Security experts have issued a warning about the continued risk of Tycoon 2FA attacks... Before the takedown, Tycoon 2FA was behind tens of millions of phishing messages, reaching over 500,000 organizations each month worldwide.
"Several threat actors distributed phishing campaigns containing OAuth redirect URLs... The emails used e-signature requests, social security, financial, and political themes... Most URLs were embedded directly in the email body, but some actors placed the URL... inside a PDF attachment"
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
1 technique
Credential Access
4 techniques
"At this stage, the attack resembles a conventional phishing attempt... sent to phishing frameworks such as EvilProxy... designed to intercept credentials and session cookies."
On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., Steal Web Session Cookie) in addition to their username and password.
Collection
3 techniques
"At this stage, the attack resembles a conventional phishing attempt... sent to phishing frameworks such as EvilProxy... designed to intercept credentials and session cookies."
Recent activity
13 sources tracked across advisories, community write-ups, and news.
A phishing platform/kit referenced as one of the established services seeing increased campaign activity following the Tycoon 2FA disruption.
An adversary-in-the-middle phishing framework used after OAuth-based redirection to capture user credentials and session cookies.
An attacker-in-the-middle phishing framework used to proxy authentication flows and capture session cookies, enabling MFA bypass.
A phishing-as-a-service platform used to proxy authentication flows and steal user credentials and session cookies (often enabling session hijacking/MFA bypass).