How it works
Instead of a static fake page, the attacker runs a proxy that forwards everything the victim enters to the genuine site and passes the real responses back. The victim completes a normal login, including the MFA step, and the proxy captures the resulting session cookie. With that cookie the attacker is logged in as the victim, MFA already satisfied.
Toolkits like Evilginx made this technique widely available.
How it relates to brand impersonation
Reverse proxy phishing is the answer attackers found to MFA, and it still depends on a lookalike domain to host the proxy. That domain is detectable and removable.
How nebty helps
nebty detects the lookalike domains used to host AiTM proxies impersonating your login and takes them down on demand, with blacklisting in parallel.
What stops an AiTM attack
Adversary-in-the-middle phishing is the answer attackers found to multi-factor authentication, so the usual advice to turn on MFA does not fully cover it. The proxy relays the whole login in real time and steals the session cookie, so any MFA method that still produces a shareable code or push approval can be defeated. Two things genuinely raise the bar. Phishing-resistant authentication, meaning passkeys and hardware security keys, binds the login to the genuine site's domain: the browser and authenticator refuse to complete the ceremony for the proxy's lookalike domain, which breaks the attack outright. Shortening session lifetimes and binding sessions to a device limit what a stolen cookie is worth. None of that removes the proxy, though, which still lives on a lookalike domain. Detecting that domain and taking it down, with blacklisting in parallel, closes the storefront the attack runs from.
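As an added example (not nebty's own code), here is how a relying party's WebAuthn assertion checks make a passkey login origin-bound, using constructed domain and challenge values; the signature check against the registered public key is left out, but the message it would cover is shown so the tamper-evidence of the origin field is visible.

```python
import hashlib
import json

# Relying-party (RP) configuration: constructed values for this example.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # per-login random challenge (constructed)


def client_data_json(origin: str, challenge: str = CHALLENGE) -> bytes:
    """clientDataJSON as the browser builds it. The browser fills in origin from
    the page's real URL, so a proxy on a lookalike domain cannot claim the
    genuine origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """Minimal authenticatorData: rpIdHash (32 bytes) || flags (UP|UV) || counter."""
    flags = bytes([0x01 | 0x04])
    return hashlib.sha256(rp_id.encode()).digest() + flags + counter.to_bytes(4, "big")


def signed_message(auth_data: bytes, cdj: bytes) -> bytes:
    """Bytes the authenticator signs: authData || SHA-256(clientDataJSON).
    The origin sits inside clientDataJSON, so a proxy that rewrote it would
    also invalidate the signature."""
    return auth_data + hashlib.sha256(cdj).digest()


def verify_assertion(cdj: bytes, auth_data: bytes, expected_challenge: str) -> tuple[bool, str]:
    """RP-side checks that make the login origin-bound. The signature check over
    signed_message() with the registered public key is omitted here."""
    cd = json.loads(cdj)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch: stale or replayed assertion"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party ID"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    genuine = client_data_json("https://login.example.com")
    relayed = client_data_json("https://login-example.com")  # lookalike domain hosting the proxy
    print(verify_assertion(genuine, authenticator_data(RP_ID), CHALLENGE))
    print(verify_assertion(relayed, authenticator_data(RP_ID), CHALLENGE))
```

The relayed case fails on the origin check even though the user completed every step, which is the property a shareable OTP or push approval lacks.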