BP-028 Token Replay via Reverse-Proxy Phishing Frameworks
A critical breach pattern in which attackers place a reverse-proxy framework between the victim and the identity provider to intercept a live authentication session. The victim's own sign-in satisfies MFA and Conditional Access, and the attacker walks away with a session cookie that works without the password, even though the proxy also sees the password in transit.
What This Breach Pattern Is
This breach pattern uses reverse-proxy phishing frameworks (also called adversary-in-the-middle, or AitM, phishing) to steal live session cookies, tokens, and second-factor results in real time. The attacker's server sits between the victim and the legitimate identity provider, forwarding every request and response while keeping a copy of each authentication element that flows through it.
The victim completes a normal authentication: they enter credentials on what looks like the real login page and approve the MFA prompt, while the proxy records the session the IdP issues. The result is an immediate, full session hijack. The only indicator on the victim's side is the proxy's lookalike domain in the address bar; everything else, including the page content and the TLS padlock, looks normal.
Session Interception
Live capture of tokens and cookies
MFA Bypass
Real-time relay defeats MFA that is not bound to the origin (push, SMS, TOTP, OTP hardware tokens); FIDO2/WebAuthn and certificate-based sign-in do not relay
Common Attacker Toolkits
These frameworks automate the interception, relay, and replay process, making token theft accessible to operators with minimal technical expertise. Each toolkit provides turnkey phishing infrastructure with built-in token extraction capabilities.
Evilginx
The most widely used open-source reverse-proxy phishing framework; per-IdP "phishlets" describe which hosts to proxy and which cookies to capture
Modlishka
Flexible framework with custom rule engines for bypassing anti-phishing controls
Muraena
Golang-based proxy optimized for cloud identity provider interception
EvilProxy
Commercial phishing-as-a-service platform with subscription-based access
Greatness
M365-focused toolkit with sophisticated attachment-based delivery mechanisms
NakedPages
Lightweight framework designed for rapid deployment and evasion
How The Attack Works
Initial Compromise
Victim receives a phishing email with a link to the attacker-controlled reverse proxy, hosted on a lookalike domain that carries its own valid TLS certificate
Traffic Relay
Proxy intercepts and forwards authentication requests to legitimate IdP in real time
Token Extraction
Framework captures tokens, cookies, and MFA approvals as victim authenticates normally
Session Replay
Attacker imports the stolen session cookie into their own browser and accesses resources as the authenticated victim, with no second sign-in and no second MFA prompt
The entire compromise is transparent to the victim: the proxy serves the legitimate login page, the lookalike URL is plausible, and the TLS certificate is valid for that lookalike domain. The identity provider, for its part, sees a correct password and a correct second factor. Detection therefore depends on behavioral anomalies in how the resulting session is used (source network, user agent, and timing relative to the interactive sign-in) rather than on the authentication itself failing.
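The relay described in the four steps above, worked through as an added example (this is not code from the page or from any of the toolkits it names). A toy identity provider issues a bearer session cookie after a password and a second factor; a proxy forwards every request unchanged and keeps a copy of whatever passes; the victim's browser is connected to the proxy's lookalike origin. The same relay is run twice, once with TOTP and once with WebAuthn, to show why the MFA bypass in the next section applies to relayable factors only: the TOTP code is a bare string and the cookie that follows it is captured, while the WebAuthn assertion carries the origin the browser was actually talking to and is rejected. The origins, user, password, seeds and the HMAC stand-in for the WebAuthn signature are all constructed for the simulation.

```python
# Toy adversary-in-the-middle relay: the proxy forwards every request unchanged and
# records what passes. Constructed example; no real IdP, keys or tooling are involved.
import hashlib, hmac, json, secrets, struct, time

LEGIT_ORIGIN = "https://login.example.com"      # constructed: the real IdP origin
PHISH_ORIGIN = "https://login.example-com.net"  # constructed: the proxy's lookalike domain
USER = "alice"

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def victim_webauthn_get(origin, authenticator_key, challenge):
    """What the victim's browser returns for navigator.credentials.get(): the signed
    clientData carries the origin the browser is really connected to."""
    raw = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                     sort_keys=True)
    sig = hmac.new(authenticator_key, raw.encode(), hashlib.sha256).hexdigest()
    return {"clientDataJSON": raw, "signature": sig}

class IdentityProvider:
    """Toy IdP: password, then a second factor, then a bearer session cookie."""
    def __init__(self):
        self.password = "correct-horse-battery"  # constructed victim password
        self.totp_secret = b"constructed-totp-seed"
        # Stand-in for the registered WebAuthn public key (real WebAuthn uses an
        # asymmetric signature; origin binding works the same way).
        self.authenticator_key = b"constructed-authenticator-key"
        self.pending = {}   # user -> outstanding challenge
        self.sessions = {}  # cookie -> user

    def login(self, user, password):
        if user != USER or password != self.password:
            return {"ok": False, "error": "bad credentials"}
        self.pending[user] = secrets.token_hex(16)
        return {"ok": True, "challenge": self.pending[user]}

    def _issue(self, user):
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user
        return {"ok": True, "set_cookie": cookie}

    def verify_totp(self, user, code, now):
        # A TOTP code is just a string: nothing ties it to the page it was typed into.
        if user in self.pending and code == totp(self.totp_secret, now):
            del self.pending[user]
            return self._issue(user)
        return {"ok": False, "error": "bad code"}

    def verify_webauthn(self, user, assertion):
        raw = assertion["clientDataJSON"]
        expected = hmac.new(self.authenticator_key, raw.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return {"ok": False, "error": "bad signature"}
        data = json.loads(raw)
        if data["challenge"] != self.pending.get(user):
            return {"ok": False, "error": "bad challenge"}
        # The check that defeats the relay: the proxy cannot rewrite the signed origin.
        if data["origin"] != LEGIT_ORIGIN:
            return {"ok": False, "error": "origin mismatch"}
        del self.pending[user]
        return self._issue(user)

class ReverseProxy:
    """Relays each request to the real IdP and keeps a copy of everything."""
    def __init__(self, idp):
        self.idp, self.captured = idp, {}

    def relay(self, endpoint, **request):
        response = getattr(self.idp, endpoint)(**request)
        self.captured[endpoint] = {"request": request, "response": response}
        if response.get("set_cookie"):
            self.captured["session_cookie"] = response["set_cookie"]
        return response

def run_flow(second_factor):
    """Victim signs in through the proxy; returns what the attacker ends up holding."""
    idp, now = IdentityProvider(), int(time.time())
    proxy = ReverseProxy(idp)
    step1 = proxy.relay("login", user=USER, password=idp.password)
    if second_factor == "totp":  # victim types the code from their app into the phishing page
        step2 = proxy.relay("verify_totp", user=USER, code=totp(idp.totp_secret, now), now=now)
    else:  # victim's browser is connected to the proxy, so it signs PHISH_ORIGIN
        assertion = victim_webauthn_get(PHISH_ORIGIN, idp.authenticator_key, step1["challenge"])
        step2 = proxy.relay("verify_webauthn", user=USER, assertion=assertion)
    stolen = proxy.captured.get("session_cookie")
    return {"victim_logged_in": step2["ok"], "error": step2.get("error"),
            "password_captured": proxy.captured["login"]["request"]["password"] == idp.password,
            "attacker_has_access": stolen is not None and stolen in idp.sessions}

if __name__ == "__main__":
    print("TOTP:    ", run_flow("totp"))
    print("WebAuthn:", run_flow("webauthn"))
```

Running it shows the two outcomes side by side: in the TOTP run the victim is logged in, the password was captured on the way through, and the attacker holds a cookie the IdP accepts; in the WebAuthn run the password is still captured but the IdP rejects the assertion with an origin mismatch and no cookie is ever issued. Real deployments add the relying-party ID and counter checks that the toy IdP omits, but the origin comparison is the part that matters for this breach pattern.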
Attacker Objectives
Immediate Goals
Bypass MFA methods that are not bound to the origin (push, SMS, TOTP, OTP hardware tokens); FIDO2 security keys and passkeys are not bypassed, because the browser signs the phishing domain into the assertion and the IdP rejects it
Impersonate users with the session cookie alone; the password is captured in transit but is not needed for the hijack
Obtain the session cookie and, where the flow exposes them, refresh tokens for persistence
Inherit victim's Conditional Access posture
Post-Compromise Actions
Access SaaS and cloud portals with full user privileges
Escalate privileges through stolen admin sessions
Spread laterally across integrated identity systems
Establish persistence via token refresh mechanisms
This technique is one of the most widely used methods in high-impact identity breaches, favored because it works reliably against the MFA methods most organizations have deployed.
Long-lived session cookies and refresh tokens remain valid for days or weeks after theft, so the attacker keeps access without ever re-authenticating. A password reset alone does not necessarily invalidate an already-issued session; revoking the user's sessions and refresh tokens is the step that actually cuts the attacker off.
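A detection pass over sign-in telemetry, as an added example that is not part of the page. It targets the anomalies described under How The Attack Works: the interactive sign-in that minted the session arrives from the proxy's hosting provider rather than the victim's network, and the same session is then used from another network with a different browser. Sessions are scored on three independent signals (sign-in from a hosting ASN, reuse from an additional ASN, user-agent change) and compared by ASN rather than raw IP so that carrier NAT and DHCP churn do not fire the rule on their own. The event schema, the sample log lines and the hosting-ASN list are all constructed; field names are assumptions, not any vendor's format.

```python
# Hunt for replayed sessions in sign-in telemetry. Constructed example with a generic
# event schema; the field names are assumptions, not any vendor's log format.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, one JSON object per line. S1 is the breach pattern: the interactive
# sign-in (the victim's, relayed by the proxy) comes from a hosting ASN, then the same
# session is used from another ASN with a different browser. S2 is a phone changing
# carrier IPs inside one ASN. S3 is a user switching onto a VPN, plus a use outside the window.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "user": "alice", "session_id": "S1", "ip": "203.0.113.10", "asn": 64500, "ua": "Chrome/124 Windows", "interactive": true}
{"ts": "2024-05-01T08:00:30Z", "user": "alice", "session_id": "S1", "ip": "203.0.113.10", "asn": 64500, "ua": "Chrome/124 Windows", "interactive": false}
{"ts": "2024-05-01T08:06:10Z", "user": "alice", "session_id": "S1", "ip": "198.51.100.77", "asn": 64511, "ua": "Firefox/125 Linux", "interactive": false}
{"ts": "2024-05-01T09:10:00Z", "user": "bob", "session_id": "S2", "ip": "192.0.2.5", "asn": 64496, "ua": "Safari/17 iPhone", "interactive": true}
{"ts": "2024-05-01T09:25:00Z", "user": "bob", "session_id": "S2", "ip": "192.0.2.88", "asn": 64496, "ua": "Safari/17 iPhone", "interactive": false}
{"ts": "2024-05-01T10:00:00Z", "user": "carol", "session_id": "S3", "ip": "203.0.113.200", "asn": 64497, "ua": "Edge/124 Windows", "interactive": true}
{"ts": "2024-05-01T10:30:00Z", "user": "carol", "session_id": "S3", "ip": "198.51.100.9", "asn": 64498, "ua": "Edge/124 Windows", "interactive": false}
{"ts": "2024-05-03T10:30:00Z", "user": "carol", "session_id": "S3", "ip": "192.0.2.77", "asn": 64499, "ua": "Edge/124 Windows", "interactive": false}
"""

# Constructed: ASNs of hosting providers where a phishing proxy would typically be rented.
HOSTING_ASNS = {64500}
SEVERITY = {1: "low", 2: "medium", 3: "high"}

def parse_events(text):
    """Parse newline-delimited JSON into dicts with an aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def analyze(events, hosting_asns=HOSTING_ASNS, window=timedelta(hours=24)):
    """Score each session on three independent replay signals and return the findings."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        # Anchor on the interactive sign-in that minted the session (fall back to first use).
        anchor = next((e for e in evs if e["interactive"]), evs[0])
        in_window = [e for e in evs if anchor["ts"] <= e["ts"] <= anchor["ts"] + window]
        signals = []
        if anchor["asn"] in hosting_asns:
            signals.append(f"interactive sign-in from hosting ASN {anchor['asn']}")
        # Compare ASNs rather than raw IPs so carrier NAT and DHCP churn do not fire the rule.
        extra_asns = sorted({e["asn"] for e in in_window} - {anchor["asn"]})
        if extra_asns:
            signals.append(f"session reused from additional ASN(s) {extra_asns}")
        extra_uas = sorted({e["ua"] for e in in_window} - {anchor["ua"]})
        if extra_uas:
            signals.append(f"user agent changed mid-session to {extra_uas}")
        if signals:
            findings.append({"session_id": sid, "user": anchor["user"],
                             "severity": SEVERITY[len(signals)], "signals": signals})
    return findings

if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_LOG)):
        print(f"{f['severity']:6} {f['user']:6} {f['session_id']}: {'; '.join(f['signals'])}")
```

On the sample data S1 scores high on all three signals, S2 produces no finding, and S3 scores low because a single ASN change with the same browser is what a VPN or a commute looks like; the S3 event two days later is ignored by the window. The hosting-ASN list and the window are the tuning knobs: a replay from a residential proxy with a copied user agent would score low here, which is why the ASN and user-agent signals are combined with the sign-in origin rather than used alone.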
MC-132: Weak Device or Browser Hardening
Unmanaged or unpatched endpoints cannot satisfy compliant-device or domain-joined conditions, so Conditional Access cannot require them at sign-in. Without such a device requirement, a cookie replayed from the attacker's machine is indistinguishable to the identity provider from the victim's own browser.
MC-201: High-Risk OAuth Permissions
A stolen session or token inherits every OAuth scope the user has consented to, so over-broad scopes turn one hijacked session into access across every integrated application and service.
MC-233: Legacy Authentication Allowance
Because the proxy also captured the password, legacy protocols that do not enforce MFA (basic-auth IMAP, POP and SMTP, older Exchange ActiveSync) give the attacker a way to re-authenticate directly once the stolen session is revoked or blocked.