What is Phishing?
You've got strong passwords and 2FA enabled - you're safe, right? Wrong. Modern phishing attacks can steal your credentials and session cookies in real-time, bypassing every security measure you have. Let's talk about how these attacks work and how to spot them.
Legal Notice - Educational Purpose Only
We do not endorse the use of Evilginx, Astaroth, or any similar phishing tools. The information on this page is provided strictly for educational purposes to help the public understand modern phishing threats and protect themselves. Using these tools to conduct unauthorized access to computer systems is illegal and punishable under federal law (Computer Fraud and Abuse Act). This content is designed to inform and educate about cybersecurity risks, not to encourage malicious activity.
What is Phishing?
Phishing is when attackers trick you into giving up your login credentials by pretending to be a legitimate website or service. The classic version was easy to spot - obviously fake emails with misspelled URLs like "paypa1.com" or "g00gle.com". But in 2025, phishing has evolved into something far more dangerous.
The Scary Truth About Modern Phishing
Modern phishing attacks can bypass everything: your strong password, your 2FA codes, your SMS authentication, your authenticator app, even your hardware security keys. They do this by acting as an invisible man-in-the-middle between you and the real website.
What this means: Even if you're careful, verify the URL, and enter correct credentials on what looks like the real website - attackers can still steal your account. The phishing site is actually showing you the real website while intercepting everything you type.
How Traditional Phishing Worked (2000-2020)
The old-school phishing playbook was simple:
Classic Phishing Flow
- Send Fake Email: "Your PayPal account has been suspended! Click here to verify."
- Clone Website: Create a fake login page that looks like PayPal (hosted on paypa1-secure.com)
- Capture Credentials: When you enter username/password, they save it to a database
- Show Error: "Invalid password, try again" - then redirect you to the real site
- Attacker Wins: They now have your username and password
Why Traditional Phishing Became Less Effective
- Email Filters: Gmail, Outlook, and others got good at detecting phishing
- Browser Warnings: Chrome/Firefox/Edge flag suspicious sites
- User Education: People learned to check URLs and verify sender addresses
- Two-Factor Authentication (2FA): Even with the password, attackers couldn't log in without the 2FA code
So attackers evolved. They built something far more sophisticated.
Modern Phishing: Man-in-the-Middle Reverse Proxy Attacks
Enter tools like Evilginx and its more advanced cousin Astaroth. These aren't simple fake login pages anymore - they're sophisticated reverse proxy servers that sit invisibly between you and the real website, intercepting everything in real-time.
How Evilginx & Astaroth Work
Here's the terrifying part: You're actually interacting with the real website, but through an invisible middleman who's recording everything.
Step-by-Step Attack Flow:
1. Access Website
You receive an email: "Urgent: Your Microsoft account needs verification" with a link to microsoft-security-check.com. You click it.
What's really happening: This domain is actually a Go reverse proxy server hosted on Ubuntu. When you visit it, the proxy opens login.microsoft.com in the background and displays it to you - pixel-perfect, SSL certificate and all (via Let's Encrypt).
2. Traffic Interception
Every request you make - loading pages, entering your username, typing your password, completing 2FA - is forwarded in real-time to the actual login.microsoft.com. The proxy intercepts, records, and passes it through.
3. Identical Experience
Since the proxy is showing you the real Microsoft login page (just through their server), everything looks and works exactly as expected. The address bar even shows the HTTPS padlock. You won't notice any difference because you're literally looking at Microsoft's real website - just through an invisible window.
4. Response Relay
Microsoft processes your login normally. From Microsoft's perspective, it just sees a normal Chrome browser logging in. It sends back the 2FA prompt. You enter your 2FA code. Microsoft validates it. You're logged in successfully.
5. Attacker Captures Everything
Here's what the attacker now has:
- Your Username & Password: Captured in plaintext as you typed it
- Your 2FA Code: Intercepted and recorded (now useless, but they don't need it)
- Session Cookies: The most valuable prize - these authenticate you as logged-in
- Access Tokens: Authorization tokens that let them act as you
What Makes Astaroth Even More Dangerous
Astaroth is a modified version of the open-source Evilginx framework with enhanced capabilities designed to bypass modern security protections. Security agencies worldwide have issued warnings about this sophisticated phishing kit, including Singapore's Cyber Security Agency (CSA Alert AL-2025-021) and detailed analysis from cybersecurity researchers.
Security Bypass Capabilities
Astaroth can bypass all major security systems:
- reCAPTCHA: Passes through Google's bot detection because it's showing the real website
- BotGuard: Google's advanced bot protection - bypassed via real browser relay
- Cloudflare Protection: DDoS protection and bot management - bypassed because traffic looks legitimate
- hCaptcha: Privacy-focused CAPTCHA alternative - still bypassable via proxy
- Akamai Bot Manager: Enterprise bot detection - defeated by real user interaction relay
- GeeTest: Behavior-based CAPTCHA - bypassed because real human is solving it
Why These Security Systems Fail
All these security systems are designed to detect bots and automated attacks. But with reverse proxy phishing, there is no bot - it's a real human (you) interacting with the real website. The security systems see legitimate traffic and let it through. The attacker is just silently watching and recording.
Post-Login Actions: What Attackers Can Do
Once the proxy detects you're logged in (usually by monitoring for session cookies), the attacker can:
Immediate Actions
- Capture session cookies and tokens
- Change your email address
- Change your password
- Add their own 2FA device
- Disable your 2FA methods
- Lock you out completely
Advanced Actions
- Send messages to your contacts
- Post content on your behalf
- Access your files and emails
- Make purchases with saved cards
- Transfer money from accounts
- Steal cryptocurrency wallets
Cookie Theft is King
Most attackers focus on capturing session cookies because they're the easiest to use and most effective. With your cookies, they can import them into their browser and instantly become "you" - fully logged in, all 2FA already completed, no additional verification needed. They can access your account from anywhere in the world without knowing your password or having your 2FA device.
How to Protect Yourself
If reverse proxy phishing bypasses 2FA, how do you stay safe? The answer is vigilance and multiple layers of defense:
Phishing Defense Strategies
1. Always Verify the URL
- Check the full domain: login.microsoft.com is real, microsoft-login.com is fake
- Look for subtle misspellings: micros0ft.com, microsоft.com (Cyrillic 'о')
- Bookmark important sites: Always access banking/email from bookmarks, not email links
- Use browser password managers: They only autofill on the correct domain
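The checks listed above (exact domain, lookalike names, digit substitutions, Cyrillic homoglyphs) can be automated. The following is an added example written for this page, not code from the article or from any tool it names; the allow-list, the digit-substitution table and the sample URLs are constructed for illustration, and the registrable-domain helper is a deliberate simplification of what a real Public Suffix List lookup would do.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the user actually trusts; in practice this
# is the role a bookmark list or a password manager's saved-site list plays.
TRUSTED_DOMAINS = {"microsoft.com", "paypal.com"}

# Digits commonly swapped in for letters in lookalike names (constructed table).
CONFUSABLE_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Last two labels of a host ("login.microsoft.com" -> "microsoft.com").
    Simplification: a real implementation consults the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Classify a link as 'trusted', 'lookalike', 'homoglyph' or 'untrusted'."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "untrusted"

    # Non-ASCII labels are sent on the wire as punycode ("xn--...").  A brand
    # name typed with a Cyrillic letter no longer survives this round trip
    # unchanged, which is exactly the homoglyph case the text warns about.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "homoglyph"
    if ascii_host != host or any(label.startswith("xn--") for label in ascii_host.split(".")):
        return "homoglyph"

    # Exact match on the registrable domain is the only thing that counts as trusted.
    if registrable_domain(ascii_host) in TRUSTED_DOMAINS:
        return "trusted"

    # A trusted brand name appearing anywhere else in the host (microsoft-login.com,
    # paypal.com.evil.net, micros0ft.com) is a lookalike, not the real site.
    normalized = ascii_host.translate(CONFUSABLE_DIGITS)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in normalized:
            return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    for link in ("https://login.microsoft.com/", "https://microsoft-login.com/",
                 "https://micros0ft.com/", "https://microsоft.com/",  # Cyrillic 'о'
                 "https://paypal.com.evil.net/", "https://example.org/"):
        print(f"{classify_link(link):10s} {link}")
```

Note that the check is deliberately strict: only an exact registrable-domain match is trusted, and anything that merely contains a brand name is treated as suspicious, which is the same rule a password manager's autofill applies.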
2. Never Click Email Links for Sensitive Accounts
- If you get an "urgent security alert" email, don't click the link
- Instead, manually type the website URL or use your bookmark
- Check your account dashboard for actual alerts
- Real security teams never send urgent login links via email
3. Use Hardware Security Keys (FIDO2/WebAuthn)
- Yubikey, Google Titan, or similar physical keys
- These verify the domain cryptographically - they won't work on fake sites
- Even if the attacker proxies everything, the key knows it's not the real domain
- This is the only 2FA method that defeats reverse proxy phishing
4. Enable Login Notifications
- Get alerts for new device logins
- Check "active sessions" regularly
- Revoke suspicious sessions immediately
- Monitor for unauthorized email/password changes
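On the service side, a stolen session cookie that is imported into the attacker's browser (the "Cookie Theft is King" scenario above) shows up as one session id suddenly arriving from a different IP address and browser, often followed by a change to the account's security settings. The session-review and login-notification advice above is what this looks like as detection logic. The block below is an added example written for this page, not code from the article; the log format, field names, paths and log lines are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

# Paths whose use from a new client fingerprint is always reported (constructed list).
SENSITIVE_PATHS = {"/account/password", "/account/email",
                   "/account/2fa/add", "/account/2fa/disable"}

# Constructed sample log.  alice's session cookie is reused from a different IP
# and browser and then used to enrol a new 2FA device; bob's session only changes
# IP (same browser, e.g. Wi-Fi to mobile); carol's session is uneventful.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z sid=a1b2 user=alice ip=203.0.113.7 ua=Chrome/122-Windows path=/login
2025-03-01T10:00:05Z sid=a1b2 user=alice ip=203.0.113.7 ua=Chrome/122-Windows path=/mail/inbox
2025-03-01T10:02:40Z sid=a1b2 user=alice ip=198.51.100.23 ua=Firefox/123-Linux path=/mail/inbox
2025-03-01T10:03:10Z sid=a1b2 user=alice ip=198.51.100.23 ua=Firefox/123-Linux path=/account/2fa/add
2025-03-01T10:05:00Z sid=c3d4 user=bob ip=192.0.2.50 ua=Safari/17-macOS path=/login
2025-03-01T10:06:00Z sid=c3d4 user=bob ip=192.0.2.77 ua=Safari/17-macOS path=/files
2025-03-01T10:07:00Z sid=e5f6 user=carol ip=192.0.2.9 ua=Edge/122-Windows path=/login
2025-03-01T10:07:30Z sid=e5f6 user=carol ip=192.0.2.9 ua=Edge/122-Windows path=/files
"""


@dataclass
class Event:
    ts: datetime
    sid: str
    user: str
    ip: str
    ua: str
    path: str


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line of the constructed format."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return Event(ts, kv["sid"], kv["user"], kv["ip"], kv["ua"], kv["path"])


def detect_session_replay(lines: Iterable[str]) -> list:
    """Report a session id being used from a client other than the one that
    started it.  A browser change is high severity, an IP-only change is medium,
    and any sensitive path touched from the new client is always high."""
    first_seen = {}   # sid -> (ip, ua) of the client that started the session
    alerted = set()   # (sid, ip, ua) already reported once for non-sensitive paths
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        fp = (ev.ip, ev.ua)
        origin_fp = first_seen.setdefault(ev.sid, fp)
        if fp == origin_fp:
            continue
        sensitive = ev.path in SENSITIVE_PATHS
        if (ev.sid, ev.ip, ev.ua) in alerted and not sensitive:
            continue
        alerted.add((ev.sid, ev.ip, ev.ua))
        ua_changed = ev.ua != origin_fp[1]
        alerts.append({
            "ts": ev.ts.isoformat(), "sid": ev.sid, "user": ev.user,
            "from": origin_fp, "to": fp, "path": ev.path,
            "severity": "high" if (sensitive or ua_changed) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_LOG.splitlines()):
        print(alert["severity"].upper(), alert["user"], alert["sid"],
              alert["from"], "->", alert["to"], alert["path"])
```

The severity split matters in practice: IP changes alone are common (mobile networks, VPNs), so they are worth a notification but not an automatic lockout, while a new browser fingerprint or a security-setting change from a new client is the pattern that warrants revoking the session and alerting the user.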
5. Use Passkeys When Available
- Passkeys (Apple, Google, Microsoft) use device-bound cryptographic keys
- Impossible to phish because there's no password to steal
- Domain verification is built-in - won't work on phishing sites
- The future of authentication - adopt them when offered
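The reason hardware keys and passkeys hold up where one-time codes fail (points 3 and 5 above) is that the browser, not the page, writes the real origin into the signed data, and the key only has credentials for the site it was registered with. The simulation below is an added example for this page, not code from the article or from any WebAuthn library: the relying-party id, origins and challenge are constructed, an HMAC stands in for the authenticator's public-key signature, and the browser's derivation of the relying-party id from the origin is simplified. verify_assertion plays the real service receiving whatever a proxy relays to it.

```python
import hashlib
import hmac
import json
import os

RP_ID = "microsoft.com"                             # relying party id (constructed)
ALLOWED_ORIGINS = {"https://login.microsoft.com"}   # origins the service accepts (constructed)


class ToyAuthenticator:
    """Stand-in for a security key: one credential per relying party id.
    Assumption for this offline demo: the credential secret is an HMAC key
    rather than a real private key, so 'public key' below is the same secret."""

    def __init__(self):
        self._credentials = {}

    def register(self, rp_id: str) -> bytes:
        self._credentials[rp_id] = os.urandom(32)
        return self._credentials[rp_id]

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        key = self._credentials.get(rp_id)
        if key is None:
            return None  # nothing registered for this site: the key stays silent
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        authenticator_data = rp_id_hash + b"\x01"  # flags byte: user present
        signature = hmac.new(key, authenticator_data + client_data_hash, hashlib.sha256).digest()
        return authenticator_data, signature


def browser_get(authenticator, page_origin: str, challenge: str):
    """What the browser does: it records the origin the user is really on and
    asks the key for a credential scoped to that origin's registrable domain.
    A page cannot substitute a different origin or rp_id here."""
    host = page_origin.split("://", 1)[1]
    rp_id = ".".join(host.split(".")[-2:])   # simplified registrable-domain rule
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    result = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if result is None:
        return None
    authenticator_data, signature = result
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data,
            "signature": signature}


def verify_assertion(public_key: bytes, challenge: str, response) -> str:
    """Relying-party side checks, in the order a real service performs them."""
    if response is None:
        return "no-credential"
    client_data = json.loads(response["clientDataJSON"])
    if client_data.get("type") != "webauthn.get" or client_data.get("challenge") != challenge:
        return "bad-challenge"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return "bad-origin"          # signed data names the proxy's domain, not ours
    if response["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "bad-rp-id"
    client_data_hash = hashlib.sha256(response["clientDataJSON"]).digest()
    expected = hmac.new(public_key, response["authenticatorData"] + client_data_hash,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response["signature"]):
        return "bad-signature"
    return "ok"


def simulate(page_origin: str, extra_rp_ids=()) -> str:
    """Register a credential for RP_ID, visit page_origin, relay the result to the RP."""
    authenticator = ToyAuthenticator()
    public_key = authenticator.register(RP_ID)
    for rp_id in extra_rp_ids:          # optionally give the key credentials elsewhere too
        authenticator.register(rp_id)
    challenge = "constructed-random-challenge-123"
    response = browser_get(authenticator, page_origin, challenge)
    return verify_assertion(public_key, challenge, response)


if __name__ == "__main__":
    print("real site:      ", simulate("https://login.microsoft.com"))
    print("proxy domain:   ", simulate("https://microsoft-security-check.com"))
    print("proxy w/ cred:  ", simulate("https://microsoft-security-check.com",
                                       extra_rp_ids=("microsoft-security-check.com",)))
```

Two independent layers fail the proxied login: the key has no credential for the proxy's domain, so there is nothing to relay; and even if it did sign something, the origin inside clientDataJSON names the proxy, which the real service rejects. Neither layer depends on the user noticing anything. Real WebAuthn uses ECDSA or EdDSA signatures and lets the browser enforce that rpId is a registrable suffix of the page origin, which is what the simplified rp_id derivation stands in for.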
The Reality Check
Even technical security professionals fall for sophisticated phishing attacks. These reverse proxy techniques are designed to be undetectable. The website looks real because it is real. The URL might be very convincing. The SSL certificate is valid, so the browser shows the lock.
Your best defense: Healthy skepticism. If you receive any unexpected email asking you to login, pause and verify. It takes 30 seconds to manually visit the real website instead of clicking the link - those 30 seconds could save your entire digital life.
Related Security Resources
Password Managers
Password managers only autofill on legitimate domains, helping prevent phishing.
Quick Reference
Red Flags for Phishing
- Urgent security alerts via email
- Slightly misspelled domain names
- Requests to "verify your account"
- Generic greetings ("Dear customer")
- Threats of account suspension
Safe Login Practices
- Never click links in emails for sensitive accounts
- Always manually type URLs or use bookmarks
- Verify the full domain name carefully
- Use password manager autofill (domain verification)
- Enable hardware security keys when possible
Tools That Help
- Hardware Keys: Yubikey, Google Titan, Thetis
- Password Managers: Bitwarden, 1Password, KeePassXC
- Passkeys: Apple, Google, Microsoft built-in
- Browser Extensions: uBlock Origin, Privacy Badger
If You've Been Phished
- Change password immediately (from different device)
- Revoke all active sessions
- Remove unknown 2FA devices
- Check recent account activity
- Enable all available security features
- Report to the service provider
Official Resources
- CISA: Phishing Infographic (PDF)
- CISA: Phishing Video Guide (YouTube)
- FBI: Spoofing and Phishing
- FTC: Phishing Guidance