
Live proxy phishing

A phishing method that forwards a victim’s login session through attacker-controlled infrastructure in real time. The target interacts with a legitimate site while the attacker captures credentials, MFA responses, cookies, and tokens, making the attack harder to detect than static page cloning.

Expanded Definition

Live proxy phishing is a real-time credential interception technique that sits between the victim and the legitimate service, relaying traffic while collecting usernames, passwords, MFA challenges and responses, session cookies, and bearer tokens. The victim's browser holds a TLS connection to the attacker's domain, and the proxy opens its own connection to the real service, so the legitimate login page renders correctly while every request and response passes through attacker infrastructure. Unlike a static clone page, the attacker is present during the login transaction itself, which makes detection and response harder because the user is genuinely interacting with the real destination and the real service sees a completed, MFA-satisfied login.

In NHI and IAM contexts, the term matters because the attack often ends with a usable session rather than just stolen credentials. That means service dashboards, admin consoles, and automation portals can be reached without reauthentication if tokens are replayable. Guidance across vendors varies on how to classify the technique, but the practical distinction is simple: live proxy phishing is an interception method, not merely a luring method. The relevant defensive lens is session protection, phishing-resistant authentication, and token binding, as reflected in NIST Cybersecurity Framework 2.0 and modern identity assurance practices.

The most common misapplication is treating it as ordinary credential phishing. That happens when defenders respond with password resets alone and leave the stolen session artifacts (cookies, refresh tokens, bearer tokens) valid, so the attacker keeps access after the "fix".
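To make the relay-versus-lure distinction concrete, the following added Python script (not from the original page) simulates a proxy forwarding a victim's second factor to the real verifier. A TOTP code is accepted because it carries no information about where it was typed, while an origin-bound WebAuthn-style assertion is rejected because the signed client data names the phishing origin. The authenticator's public-key signature is stood in for by an HMAC over a per-credential secret so the script runs with the standard library alone; the origins, secrets and timestamps are constructed for illustration.

```python
"""Added example: why a live proxy can relay a TOTP code but not an
origin-bound (WebAuthn-style) assertion. Not part of the original page.

Simplification: the authenticator's asymmetric signature is replaced by an
HMAC over a per-credential secret shared with the relying party (RP). The
origin check itself is the one a real RP performs on clientDataJSON.
"""
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://login.example.com"           # assumed RP origin
PHISH_ORIGIN = "https://login.example-support.com"   # assumed proxy origin


# --- TOTP: the code has no notion of where it was typed -----------------
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verifier_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    # Typical +/- one step tolerance window.
    return any(hmac.compare_digest(code, totp(secret, now + d)) for d in (-30, 0, 30))


def relay_totp(shared_secret: bytes, now: int) -> bool:
    # Victim types the code into the phishing page; the proxy forwards it
    # verbatim to the real verifier within the validity window.
    code_typed_on_phish_page = totp(shared_secret, now)
    return verifier_accepts_totp(shared_secret, code_typed_on_phish_page, now)


# --- Origin-bound assertion ---------------------------------------------
def authenticator_sign(cred_secret: bytes, challenge: str, origin: str) -> dict:
    """The browser fills in the origin it is actually talking to; the user
    cannot edit it, and the authenticator signs over it. (A real FIDO
    authenticator would additionally refuse to use a credential whose RP ID
    does not match the origin's domain.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    sig = hmac.new(cred_secret, client_data, hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}


def rp_verify(cred_secret: bytes, expected_challenge: str, assertion: dict,
              rp_origin: str = LEGIT_ORIGIN) -> tuple[bool, str]:
    cd = json.loads(assertion["clientData"])
    if cd.get("origin") != rp_origin:
        return False, "origin mismatch"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    expected = hmac.new(cred_secret, assertion["clientData"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def relay_webauthn(cred_secret: bytes) -> tuple[bool, str]:
    challenge = secrets.token_urlsafe(32)   # issued by the real RP, forwarded by the proxy
    # The victim's browser is on the phishing origin, so that is what gets signed.
    assertion = authenticator_sign(cred_secret, challenge, PHISH_ORIGIN)
    return rp_verify(cred_secret, challenge, assertion)


def direct_webauthn(cred_secret: bytes) -> tuple[bool, str]:
    challenge = secrets.token_urlsafe(32)
    assertion = authenticator_sign(cred_secret, challenge, LEGIT_ORIGIN)
    return rp_verify(cred_secret, challenge, assertion)


if __name__ == "__main__":
    now = 1_700_000_000
    print("relayed TOTP accepted:", relay_totp(b"constructed-totp-seed", now))
    print("relayed WebAuthn assertion:", relay_webauthn(b"constructed-credential-secret"))
    print("direct WebAuthn assertion:", direct_webauthn(b"constructed-credential-secret"))
```

The point the script isolates is that a one-time code is a bare secret that any party can forward, whereas the origin field inside the signed client data binds the assertion to the site the browser was really on; the proxy cannot rewrite it without invalidating the signature, and the real service rejects it.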

Examples and Use Cases

Rigorous defenses against live proxy phishing often add user friction and rollout complexity, so organisations must weigh stronger session security against faster access and simpler login flows.

  • An employee signs into a cloud console through an attacker-controlled proxy, and the attacker reuses the session cookie to access administrative settings without knowing the password.
  • A help desk user completes MFA on a legitimate-looking portal, while the proxy forwards the one-time response in real time and captures the resulting authenticated session.
  • A contractor enters SSO credentials on a phishing page, then the attacker uses the live session to pivot into shared SaaS tools and operational dashboards.
  • Security teams reviewing the attack path map the event against the NHI lifecycle because tokens and API-adjacent access paths can be abused after initial compromise, a pattern often discussed in the Ultimate Guide to NHIs.
  • Organisations implementing phishing-resistant controls use session validation, device binding, and conditional access aligned to NIST Cybersecurity Framework 2.0 to reduce the value of intercepted logins.

In practice, the strongest use case for the term is incident analysis: it helps teams distinguish a plain credential leak from a live theft of an authenticated session.

Why It Matters in NHI Security

Live proxy phishing matters in NHI security because many high-value targets are not just human users but the workflows and tokens that human users unlock. Once an attacker steals a valid browser session, they may inherit access to secrets managers, CI/CD systems, SaaS admin planes, and delegated automation paths. That is especially dangerous in environments where NHI governance is weak, since NHI Mgmt Group reports that 96% of organisations store secrets outside secrets managers in vulnerable locations and 79% have experienced secrets leaks. Those conditions amplify the blast radius of a single successful proxy-based compromise.

Defenders should treat the technique as a control validation problem: if MFA can be relayed, if sessions survive device changes, or if tokens are reusable across contexts, then the identity layer is still exposed. The term also intersects with resilient monitoring because a relayed sign-in looks legitimate at the authentication event itself; the anomaly usually appears only in post-authentication activity, such as the same session cookie being used from a different client than the one that completed MFA. Organisations that miss these signs often discover the issue only after privileged data access, at which point session revocation, token rotation, and access review are unavoidable remediation steps.
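The following added Python script (not from the original page) shows the post-authentication check the paragraph describes: it groups identity-provider events by session and flags any session whose later activity comes from a different IP or User-Agent than the client that completed the sign-in, with extra weight when the relayed factor was replayable and a privileged action followed soon after. The event shape, field names, action names and the two sessions are constructed for illustration.

```python
"""Added example: detect a session whose post-authentication use does not
match the client that completed the login. Not part of the original page.

Input is a constructed list of sign-in and activity events in roughly the
shape an identity provider or reverse proxy would log. Session s-0f3a models
the attack: the victim authenticates through the proxy (proxy IP, victim's
browser UA), then the cookie is replayed from the attacker's tooling.
Session s-77b1 is ordinary use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed sample log
    {"ts": "2024-05-01T09:00:00Z", "type": "signin", "user": "alice", "session": "s-0f3a",
     "ip": "203.0.113.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124", "mfa": "otp"},
    {"ts": "2024-05-01T09:06:10Z", "type": "activity", "user": "alice", "session": "s-0f3a",
     "ip": "198.51.100.23", "ua": "python-requests/2.31", "action": "admin.list_api_keys"},
    {"ts": "2024-05-01T09:07:42Z", "type": "activity", "user": "alice", "session": "s-0f3a",
     "ip": "198.51.100.23", "ua": "python-requests/2.31", "action": "admin.create_api_key"},
    {"ts": "2024-05-01T10:00:00Z", "type": "signin", "user": "bob", "session": "s-77b1",
     "ip": "192.0.2.44", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "mfa": "fido2"},
    {"ts": "2024-05-01T10:12:00Z", "type": "activity", "user": "bob", "session": "s-77b1",
     "ip": "192.0.2.44", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "action": "dashboard.view"},
]

PRIVILEGED_PREFIXES = ("admin.", "secrets.", "iam.")  # assumed naming for sensitive actions
REPLAYABLE_MFA = {"otp", "push", "sms"}               # factors a live proxy can forward
WINDOW = timedelta(minutes=30)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_session_anomalies(events: list[dict]) -> list[dict]:
    """Return one finding per session whose activity comes from a client
    (IP or User-Agent) other than the one that signed in."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: _ts(e["ts"]))
        signin = next((e for e in evs if e["type"] == "signin"), None)
        if signin is None:
            continue  # no sign-in in scope; cannot establish the binding client
        for e in evs:
            if e["type"] != "activity":
                continue
            ip_changed = e["ip"] != signin["ip"]
            ua_changed = e["ua"] != signin["ua"]
            if not (ip_changed or ua_changed):
                continue
            reasons = []
            if ip_changed:
                reasons.append("ip_changed")
            if ua_changed:
                reasons.append("ua_changed")
            if signin.get("mfa") in REPLAYABLE_MFA:
                reasons.append("replayable_mfa")
            if (e.get("action", "").startswith(PRIVILEGED_PREFIXES)
                    and _ts(e["ts"]) - _ts(signin["ts"]) <= WINDOW):
                reasons.append("privileged_action_soon_after_signin")
            findings.append({
                "session": sid,
                "user": e["user"],
                "first_anomaly_ts": e["ts"],
                "reasons": reasons,
                # The remediation the page calls for: kill the session, not just the password.
                "response": "revoke_session_and_rotate_tokens",
            })
            break  # one finding per session is enough to trigger response
    return findings


if __name__ == "__main__":
    for f in find_session_anomalies(EVENTS):
        print(f)
```

Production telemetry usually adds a device identifier or token-binding claim to the comparison, and the IP check should tolerate legitimate mobility; the structure stays the same: bind the session to the client that satisfied MFA, and alert when the same session is driven from somewhere else.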

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                 Control / Reference     Relevance
OWASP Agentic AI Top 10   A1                      Proxy phishing can hijack authenticated AI agent sessions and the tool access they carry.
NIST CSF 2.0              PR.AA-03, PR.AA-04      Authentication of users and services, and protection and verification of identity assertions (sessions, tokens) that a live proxy relays. PR.AC-7 was the CSF 1.1 predecessor.
NIST SP 800-63            SP 800-63B, AAL3        Requires verifier-impersonation-resistant (phishing-resistant) authenticators, which a real-time relay cannot replay.

Require phishing-resistant login and session hardening before agents can use privileged tools.