Treat the login page as the least reliable signal. Once a kit relays the real site, page fingerprinting and clone detection will not see the attack, so identity telemetry has to carry the detection burden: focus on session behaviour after authentication, especially token reuse from unusual locations, device drift, and follow-on mailbox activity.
Why This Matters for Security Teams
Phishing kits that proxy a real login page defeat the old habit of trusting page look and feel. The attacker no longer needs a pixel-perfect clone of the front door; they relay the legitimate site, let the user complete authentication (MFA included), and harvest the resulting session cookie or token. That means page fingerprinting, typosquat detection, and static URL checks can all look clean while the compromise is already underway. Current guidance suggests shifting detection to identity and session telemetry, which is consistent with how CISA cyber threat advisories frame phishing as an access problem rather than just a content problem. NHI Management Group’s research on the State of Non-Human Identity Security shows why that mindset matters: only 1.5 out of 10 organisations are highly confident in securing NHIs, which is a warning sign for any team relying on static identity controls alone. In practice, many security teams encounter session theft only after mailbox rules, OAuth grants, or token replay have already expanded the blast radius.
How It Works in Practice
The defensive model needs to assume the login ceremony can be clean while the post-authentication session is hostile. Security teams should evaluate what happens after the credential exchange, not just whether the page is genuine. That includes token binding, device consistency, unusual geolocation, impossible travel, and follow-on actions such as inbox forwarding, consent grants, and API activity. The practical point is that a proxied login reuses the victim’s legitimate authentication result, so the strongest signal is behavioural drift after the fact: the token was minted in one context and is being used in another.
A useful control stack usually includes:
- Risk-based step-up checks when a session is reused from a new device, ASN, or country.
- Short-lived tokens and continuous session validation so stolen artefacts age out quickly.
- Mailbox and OAuth monitoring for suspicious rules, grants, and access patterns.
- Conditional access tied to device posture and workload identity, not just password success.
This is where identity telemetry must extend beyond human logins. If an attacker moves from a human account to app tokens, automation accounts, or delegated access, the same replay problem appears in NHI form. That is why NHI governance and phishing defence now overlap, as discussed in the DeepSeek breach analysis and the broader operational lessons in the State of Secrets in AppSec. These controls tend to break down in legacy environments with shared accounts, long-lived refresh tokens, and limited visibility into mailbox or API audit logs, because the attacker can blend replayed sessions into normal authentication noise.
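The following is an added example of the post-authentication scoring described above, not code from the original page or from NHI Mgmt Group. It runs over a small set of constructed sign-in and activity events: each session is baselined on the context captured at sign-in (device, ASN, country, time), and every later event on that session is compared against that baseline, with follow-on actions such as forwarding-rule creation and OAuth consent weighted separately. The event schema, field names, weights, the one-hour token age limit and the verdict thresholds are all assumptions chosen for illustration; a real deployment would map them onto the identity provider’s sign-in and audit logs.

```python
"""Post-authentication session drift detection over constructed sign-in and
activity events. Added example, not code from the original page; the event
schema, field names, weights and the one-hour token age limit are assumptions."""
from datetime import datetime, timedelta

# Assumed policy: a session artefact older than this should have been refreshed,
# so continued use of the original token is itself a signal.
MAX_TOKEN_AGE = timedelta(hours=1)

# Follow-on actions that turn a replayed session into persistence or NHI abuse.
SENSITIVE_ACTIONS = {
    "mailbox.forwarding_rule.create",
    "oauth.consent.grant",
    "app_password.create",
    "service_principal.credential.add",
}

# Context fields captured at sign-in; drift in any of them after authentication
# is weighted. Country and device carry more weight than ASN alone.
DRIFT_WEIGHTS = {"device_id": 3, "asn": 2, "country": 3}


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _note(session: dict, finding: str, weight: int) -> None:
    """Record a finding once per session so repeated events do not inflate the score."""
    if finding not in session["findings"]:
        session["findings"].add(finding)
        session["score"] += weight


def analyse_sessions(events: list[dict]) -> dict[str, dict]:
    """Group events by session_id and compare each post-auth event against the
    context in which the session was minted. The login ceremony is trusted only
    as a baseline; everything after it is scored."""
    sessions: dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session_id"]
        if ev["type"] == "signin":
            sessions[sid] = {"user": ev["user"], "origin": ev, "findings": set(), "score": 0}
            continue
        session = sessions.get(sid)
        if session is None:
            # Activity on a session we never saw minted: replay of a stolen artefact
            # or a visibility gap; either way it warrants a step-up.
            session = sessions[sid] = {"user": ev["user"], "origin": None, "findings": set(), "score": 0}
            _note(session, "token_without_signin", 5)
        origin = session["origin"]
        if origin is not None:
            for field, weight in DRIFT_WEIGHTS.items():
                if ev[field] != origin[field]:
                    _note(session, f"{field}_drift:{origin[field]}->{ev[field]}", weight)
            if parse_ts(ev["ts"]) - parse_ts(origin["ts"]) > MAX_TOKEN_AGE:
                _note(session, "stale_token_reuse", 2)
        if ev.get("action") in SENSITIVE_ACTIONS:
            _note(session, f"sensitive_action:{ev['action']}", 4)
    return sessions


def verdict(session: dict) -> str:
    """Map the score onto the control stack: allow, risk-based step-up, or revoke."""
    if session["score"] >= 8:
        return "revoke_and_investigate"
    if session["score"] >= 3:
        return "step_up"
    return "allow"


# Constructed sample telemetry (not real logs). Alice authenticates normally, then
# her session token is replayed from another device, ASN and country and used to
# add a forwarding rule and grant an OAuth consent, the classic AiTM follow-on.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "type": "signin", "user": "alice", "session_id": "S1",
     "device_id": "D1", "asn": 3320, "country": "DE"},
    {"ts": "2024-05-01T09:03:00Z", "type": "activity", "user": "alice", "session_id": "S1",
     "device_id": "D1", "asn": 3320, "country": "DE", "action": "mailbox.read"},
    {"ts": "2024-05-01T09:10:00Z", "type": "activity", "user": "alice", "session_id": "S1",
     "device_id": "unknown", "asn": 14061, "country": "NL", "action": "mailbox.forwarding_rule.create"},
    {"ts": "2024-05-01T09:12:00Z", "type": "activity", "user": "alice", "session_id": "S1",
     "device_id": "unknown", "asn": 14061, "country": "NL", "action": "oauth.consent.grant"},
    {"ts": "2024-05-01T09:05:00Z", "type": "signin", "user": "bob", "session_id": "S2",
     "device_id": "D2", "asn": 3320, "country": "DE"},
    {"ts": "2024-05-01T09:06:00Z", "type": "activity", "user": "bob", "session_id": "S2",
     "device_id": "D2", "asn": 3320, "country": "DE", "action": "mailbox.read"},
    {"ts": "2024-05-01T11:30:00Z", "type": "activity", "user": "carol", "session_id": "S3",
     "device_id": "D3", "asn": 16509, "country": "US", "action": "api.read"},
]


def run(events: list[dict] = SAMPLE_EVENTS) -> dict[str, str]:
    """Return the verdict per session id."""
    return {sid: verdict(s) for sid, s in analyse_sessions(events).items()}


if __name__ == "__main__":
    for sid, s in analyse_sessions(SAMPLE_EVENTS).items():
        print(sid, s["user"], verdict(s), sorted(s["findings"]))
```

Two design choices matter here. Findings are recorded once per session, so an attacker who makes fifty mailbox reads from the same replayed context does not look fifty times worse than one who makes two; the score reflects distinct kinds of drift and distinct sensitive actions. And a session seen in activity logs with no corresponding sign-in is scored on its own, because in a proxied login the sign-in may have been recorded against the kit’s context rather than the victim’s, or may not be visible to the team at all.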
Common Variations and Edge Cases
Tighter session controls often increase user friction and analyst workload, so organisations must balance resilience against support burden and false positives. Best practice is evolving for adversary-in-the-middle phishing, but there is no universal standard for every identity stack yet. Some environments can enforce phishing-resistant authentication with device-bound credentials, while others still depend on legacy MFA and must compensate with stronger session monitoring.
A few edge cases matter:
- Push fatigue and MFA prompt bombing can accompany proxy kits, so repeated approval prompts should be treated as an attack signal.
- A stolen session cookie or refresh token can survive a password reset, because the reset changes the credential rather than the artefact the attacker holds; revoking refresh tokens and active sessions is therefore essential after confirmed compromise.
- Service accounts and OAuth apps can be abused after a human login, which means post-authentication review must include non-human access paths.
For teams handling high-risk mailboxes or admin portals, the key question is not whether the page looked real but whether the session behaved like the legitimate user over time. That distinction matters most where shared devices, remote work, or unmanaged endpoints make device reputation weak and repeated logins look normal.
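The push-fatigue edge case above is worth detecting separately from session drift, because the approval that ends a prompt-bombing run is issued by the legitimate identity provider and produces a clean-looking session. The following is an added example, not code from the original page or from NHI Mgmt Group, that slides a window over constructed MFA push-challenge events per user and distinguishes a bare burst of prompts from a burst of denials or timeouts that ends in an approval. The event shape, the ten-minute window, the burst threshold and the verdict names are assumptions.

```python
"""Push-fatigue (MFA prompt bombing) detection over constructed MFA challenge
events. Added example, not from the original page; the event shape, window,
threshold and verdict names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed burst window
BURST_THRESHOLD = 4              # challenges inside the window that count as bombing


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_prompt_bombing(events: list[dict]) -> dict[str, dict]:
    """For each user, slide a window over their push challenges. A burst is a
    signal on its own; a burst of rejections that ends in an approval is the
    worst case, because the attacker now holds a session minted by the real IdP."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    results: dict[str, dict] = {}
    for user, evs in by_user.items():
        summary = {"burst": 0, "fatigue_approval": False}
        for i in range(len(evs)):
            start = parse_ts(evs[i]["ts"])
            window = [e for e in evs[i:] if parse_ts(e["ts"]) - start <= WINDOW]
            summary["burst"] = max(summary["burst"], len(window))
            # Count rejections/timeouts before the first approval in this window.
            rejected = 0
            for e in window:
                if e["result"] == "approved":
                    if rejected >= BURST_THRESHOLD - 1:
                        summary["fatigue_approval"] = True
                    break
                rejected += 1
        results[user] = summary
    return results


def verdict(summary: dict) -> str:
    """Map the summary onto a response: revoke the session the approval minted,
    block further pushes, or nothing."""
    if summary["fatigue_approval"]:
        return "revoke_session_and_contact_user"
    if summary["burst"] >= BURST_THRESHOLD:
        return "block_push_and_alert"
    return "ok"


# Constructed sample events (not real logs). Dave is bombed at 02:00 and gives in
# on the sixth prompt; Frank is bombed but never approves; Erin gets one normal
# prompt during working hours.
SAMPLE_MFA_EVENTS = [
    {"ts": "2024-05-02T02:00:00Z", "user": "dave", "result": "denied"},
    {"ts": "2024-05-02T02:01:00Z", "user": "dave", "result": "timeout"},
    {"ts": "2024-05-02T02:02:00Z", "user": "dave", "result": "denied"},
    {"ts": "2024-05-02T02:03:00Z", "user": "dave", "result": "timeout"},
    {"ts": "2024-05-02T02:04:00Z", "user": "dave", "result": "denied"},
    {"ts": "2024-05-02T02:06:00Z", "user": "dave", "result": "approved"},
    {"ts": "2024-05-02T08:00:00Z", "user": "frank", "result": "denied"},
    {"ts": "2024-05-02T08:01:00Z", "user": "frank", "result": "denied"},
    {"ts": "2024-05-02T08:02:00Z", "user": "frank", "result": "timeout"},
    {"ts": "2024-05-02T08:03:00Z", "user": "frank", "result": "denied"},
    {"ts": "2024-05-02T08:04:00Z", "user": "frank", "result": "denied"},
    {"ts": "2024-05-02T09:00:00Z", "user": "erin", "result": "approved"},
]


def verdicts(events: list[dict] = SAMPLE_MFA_EVENTS) -> dict[str, str]:
    return {user: verdict(s) for user, s in detect_prompt_bombing(events).items()}


if __name__ == "__main__":
    for user, summary in detect_prompt_bombing(SAMPLE_MFA_EVENTS).items():
        print(user, summary, verdict(summary))
```

The important output is the distinction between Frank and Dave: both were bombed, but only Dave’s run produced a valid session, so only Dave’s case needs the session and refresh-token revocation discussed in the edge cases above rather than just suppressing further prompts. Legacy MFA environments that cannot move to phishing-resistant, device-bound credentials are exactly the ones where this signal has to stand in for a stronger control.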
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Proxy-phishing steals sessions and abuses authenticated actions, a core identity misuse pattern. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Stolen tokens and long-lived secrets enable replay and lateral access after phishing. |
| NIST AI RMF | | Supports governance for monitoring and responding to identity-driven AI and automation risk. |
Treat post-login session abuse as the primary attack path and require continuous runtime authorization.
Related resources from NHI Mgmt Group
- How should security teams defend against TOAD phishing campaigns that use phone callbacks?
- How should security teams defend against malvertising that targets login pages through search results?
- How should security teams defend against phishing panels that only reveal themselves to real victims?
- How should security teams defend against phishing kits that steal MFA tokens and cookies?