HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Hackers use Evilginx to steal MFA-protected sessions

Written by Farah Amod | Dec 20, 2025 9:57:53 PM

A growing number of phishing campaigns now use reverse proxy tools to capture credentials and authenticated session tokens from cloud identity platforms.
What happened

According to a new report from Cyber Security News, threat groups are using Evilginx in targeted phishing campaigns that imitate corporate single sign-on pages with high accuracy. The tool sits between the victim and the real identity provider, forwarding every element of the genuine login page while quietly collecting credentials and active session tokens. Recent investigations found that these campaigns directed users to lookalike domains with valid TLS certificates, where the victim completed the usual login steps before the attacker harvested the session cookie.
Going deeper

Evilginx functions as an adversary-in-the-middle (AitM) phishing framework that recreates the full login experience by proxying the real page rather than copying it. Because it relays branding, scripts, button flows, and dynamic prompts from the identity provider in real time, users see no visual indication that anything is abnormal. Once the victim enters their username, password, and multi-factor code, the identity provider completes the MFA challenge and issues a session cookie to what it believes is the user's browser; the proxy records that cookie as it passes through. Replaying the cookie in their own browser gives the attacker a fully authenticated session without re-entering the password or facing another MFA prompt. Investigators have observed this technique applied to email platforms, collaboration suites, and university identity systems, with attackers using stolen tokens to escalate access and move laterally.
What was said

Researchers noted that the strength of the method comes from its accuracy in reproducing legitimate login experiences. Analysts reported that attackers used domains crafted to mirror enterprise SSO URLs and that the reverse proxy forwarded traffic in real time to avoid breaking any part of the login sequence. The reports also described valid TLS certificates issued for the lookalike domains, which made browser trust indicators such as the padlock appear normal to victims. Security teams reported that once attackers obtain a valid session token, they can reset MFA settings, access downstream cloud applications, and maintain persistence without triggering common detections.
The big picture

According to GBHackers, the growing use of Evilginx shows that strong authentication on its own is no longer enough to block modern credential-theft techniques. As the report noted, “The Evilginx threat demonstrates that MFA, while substantially improving security, remains incomplete without comprehensive multi-layered defenses and user vigilance.” The tool’s ability to capture tokens after a legitimate MFA challenge shows why organizations are being pushed toward phishing-resistant authentication, behavioral monitoring, and deeper inspection of identity flows rather than relying solely on password-plus-MFA workflows. One-time codes and push approvals fall to this technique because the proxy simply relays them to the real provider; FIDO2/WebAuthn credentials do not, because the browser binds each assertion to the origin the user is actually on, so an assertion generated on a lookalike domain is rejected by the genuine identity provider.
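To make the origin-binding point concrete, the following is an added example (not code from this page or from any of the reports it cites) of the relying-party checks a WebAuthn verifier applies to clientDataJSON and authenticatorData. The origin, RP ID and challenge values are constructed for illustration, and signature verification over the assertion is omitted so the focus stays on why a login relayed through a lookalike domain fails even though the user completed every step.

```python
import base64
import hashlib
import json
from typing import Tuple

# Constructed relying-party values for the genuine identity provider
# (assumptions for this example; substitute your own IdP's origin and RP ID).
EXPECTED_ORIGIN = "https://login.example.com"
EXPECTED_RP_ID = "login.example.com"
# A server-generated challenge; constructed here instead of drawn from os.urandom
# so the example is reproducible.
CHALLENGE = hashlib.sha256(b"constructed-server-nonce").digest()
# authenticatorData: rpIdHash (32 bytes) || flags (UP|UV = 0x05) || signCount (4 bytes)
AUTH_DATA = hashlib.sha256(EXPECTED_RP_ID.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Build the clientDataJSON a browser produces for a page served from `origin`.

    The browser fills in "origin" itself; page scripts relayed by a proxy cannot
    override it, and it is covered by the authenticator's signature."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       auth_data: bytes) -> Tuple[bool, str]:
    """Apply the relying-party checks that defeat an AitM proxy.

    A proxy on a lookalike host receives an assertion whose origin names the
    lookalike, not the real IdP, so the origin check fails. The challenge check
    blocks replay of an older assertion; the rpIdHash check catches a credential
    scoped to a different RP ID."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or forged assertion)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    # First 32 bytes of authenticatorData are SHA-256 of the RP ID actually signed for.
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Same user, same authenticator, same challenge: only the origin differs."""
    genuine = verify_client_data(make_client_data(EXPECTED_ORIGIN, CHALLENGE), CHALLENGE, AUTH_DATA)
    # Constructed lookalike domain standing in for the proxy host.
    proxied = verify_client_data(make_client_data("https://login-example.com", CHALLENGE), CHALLENGE, AUTH_DATA)
    return genuine, proxied


if __name__ == "__main__":
    for label, result in zip(("genuine origin", "lookalike origin"), demo()):
        print(f"{label}: {result}")
```

Contrast this with a TOTP code or push approval: the proxy forwards those unchanged and the identity provider has no way to tell which page the user typed them into.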
FAQs

Why is Evilginx effective against MFA-protected accounts?

The session cookie is issued by the genuine identity provider after the victim completes MFA, so it is as valid as the user's own. Capturing it at the proxy lets the attacker reuse it from another browser without repeating the authentication steps.
What makes the fake pages hard to spot?

The proxy forwards the genuine content from the real provider, so the login page appears identical and loads the same scripts and prompts.
Can a stolen session token be revoked?

Yes, with a caveat on scope. Revoking the session at the identity provider (resetting the user's sessions and refresh tokens and forcing re-authentication) invalidates the stolen cookie. Short-lived access tokens already issued to downstream applications generally remain valid until they expire, so revocation should be paired with a password reset and a review of any MFA methods added during the compromise, since attackers holding a valid session can register their own.
Which sectors have seen these attacks most often?

Higher education, technology companies, and organizations with centralized cloud identity platforms have reported frequent activity.
How can organisations lower the risk?

Use phishing-resistant authentication (FIDO2/WebAuthn security keys or passkeys) where possible, review access policies so that a session cookie alone is not enough to reach sensitive applications, check identity logs for token replay patterns such as one session identifier appearing from several IP addresses or user agents, and alert on MFA method changes that follow shortly after a sign-in.
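The replay pattern described above, as an added detection example that is not part of the original article or of any vendor's tooling. The sign-in and activity events below are constructed, and the field names (`session`, `ip`, `ua`, `event`) are assumptions to be mapped onto whatever your identity provider actually exports. The logic keys on the fact that with an AitM proxy the provider sees the MFA login come from the proxy host, and the captured cookie then reappears from the attacker's own browser.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed identity-provider events for this example (not real log data).
# "session" is the identifier tied to the cookie the IdP issued when MFA completed.
EVENTS = [
    {"ts": "2025-12-19T09:00:05Z", "user": "j.doe", "event": "login_mfa_success",
     "session": "s-7f3a", "ip": "198.51.100.23", "ua": "Chrome/120 Windows"},
    {"ts": "2025-12-19T09:00:40Z", "user": "j.doe", "event": "app_access",
     "session": "s-7f3a", "ip": "203.0.113.77", "ua": "Chrome/119 Linux"},
    {"ts": "2025-12-19T09:03:10Z", "user": "j.doe", "event": "mfa_method_added",
     "session": "s-7f3a", "ip": "203.0.113.77", "ua": "Chrome/119 Linux"},
    {"ts": "2025-12-19T10:15:00Z", "user": "a.lee", "event": "login_mfa_success",
     "session": "s-91c0", "ip": "192.0.2.8", "ua": "Safari/17 macOS"},
    {"ts": "2025-12-19T10:20:00Z", "user": "a.lee", "event": "app_access",
     "session": "s-91c0", "ip": "192.0.2.8", "ua": "Safari/17 macOS"},
]

# Actions an attacker holding a stolen session takes to entrench access;
# these are weighted higher than ordinary application access. Names are assumed.
PERSISTENCE_EVENTS = {"mfa_method_added", "mfa_method_reset", "password_changed"}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_replay(events: List[Dict[str, str]],
                          window: timedelta = timedelta(hours=8)) -> List[Dict[str, str]]:
    """Flag sessions whose post-MFA activity comes from a different client
    than the one that completed the login.

    Each session is anchored on its login_mfa_success event; any later event in
    the window whose IP or user agent differs from the login's is reported."""
    by_session: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_session[event["session"]].append(event)

    findings: List[Dict[str, str]] = []
    for session_id, session_events in by_session.items():
        login = next((e for e in session_events if e["event"] == "login_mfa_success"), None)
        if login is None:
            continue  # no authentication event in scope; nothing to compare against
        login_time = parse_ts(login["ts"])
        for event in session_events:
            if event is login or parse_ts(event["ts"]) - login_time > window:
                continue
            changed = [f for f in ("ip", "ua") if event[f] != login[f]]
            if not changed:
                continue
            # An IP change alone happens benignly (VPN, mobile networks). IP plus
            # user agent, or a persistence action from the new client, is strong.
            high = len(changed) == 2 or event["event"] in PERSISTENCE_EVENTS
            findings.append({
                "session": session_id,
                "user": event["user"],
                "event": event["event"],
                "changed": "+".join(changed),
                "severity": "high" if high else "medium",
                "seconds_after_login": str(int((parse_ts(event["ts"]) - login_time).total_seconds())),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_session_replay(EVENTS):
        print(finding)
```

On the constructed data the j.doe session is flagged twice, once for application access from a new IP and browser 35 seconds after MFA, and once for the MFA method registration that follows, while a.lee's session, used from the same client throughout, produces nothing. In production, tune the window to your provider's session lifetime and suppress known corporate egress ranges before acting on medium-severity hits.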