AITM Phishing — Evilginx / Modlishka
Reverse-proxy phishing kit intercepts the entire auth flow including MFA challenge; harvests the post-auth session cookie.
§ Where this technique fits
PH-AITM-EVILGINX is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 9 approved dossiers in the registry, at an average position of step 2.8.
§ Dossiers chaining this technique
- step 1 / 6
Cloudflare account compromise → Worker rewrite → mass cred theft
Phish a Cloudflare account belonging to a popular site operator. Deploy a Worker that injects JS into every response — captures form posts (logins, payments) for as long as the operator doesn't notice.
- step 1 / 6
FIDO2 caBLE hybrid → phone authenticator hijack
Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.
- step 1 / 6
Compromised vendor mailbox → reply-chain phishing → client compromise
Take over a vendor / partner mailbox via AITM phishing. Reply to an existing thread with a malicious link — trust transferred from the genuine prior conversation defeats most user training.
- step 1 / 6
Compromised CFO mailbox → invoice fraud → wire fraud
AITM phishing nets the CFO's M365 session. Attacker sets a mail rule to hide replies, edits a pending invoice's wire details, sends the modified PDF to AP from the legit mailbox.
- step 1 / 7
AITM phishing (Evilginx) → M365 session theft → mailbox exfil
Reverse-proxy phishing kit intercepts the entire login flow including MFA. Stolen session cookie → access M365 mailbox / SharePoint without retriggering auth.
- step 4 / 6
Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)
Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- step 5 / 6
Subdomain takeover → ACME DNS-01 → trusted cert for victim host
Find a dangling CNAME / NS record. Claim the underlying resource; complete Let's Encrypt's DNS-01 challenge for the parent hostname. Now have a publicly-trusted cert for victim.example.com — chain into AITM.
- step 5 / 6
Browser-in-the-Browser → credential theft on a trusted page
Render a fake SSO popup inside the attacker page that looks like a real OS browser window. Victim types their credentials into the attacker's DOM.
- step 6 / 6
Header smuggling → gateway sees vendor, mailbox sees attacker
Crafted RFC-edge headers cause SPF/DMARC to validate against one From while Outlook renders the other — slips past Microsoft Defender / Proofpoint and lands as a 'verified' message.
§ What commonly comes next
- 01 Steal Web Session Cookie · T1539 · Credential Access · seen 3×
- 02 Phishing · T1566 · Initial Access · seen 2×
- 03 Cloudflare Worker / Edge Function Compromise · CDN-WORKER-COMPROMISE · Initial Access · seen 1×
- 04 Exchange Web Services (EWS) Exfil · M365-EWS-EXFIL · Collection · seen 1×
- 05 Valid Accounts · T1078 · Initial Access · seen 1×