Reverse proxy phishing: are your identity controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: LabHost-style reverse proxy phishing is capturing fresh credentials and MFA tokens in real time, bypassing bot management and blacklist-based defenses, while the operation reached nearly 990,000 Canadians and more than 1.2 million incidents, according to Arkose Labs. The real control gap is session integrity, because valid credentials can now be weaponised before traditional detection sees anything unusual.

NHIMG editorial — based on content published by Arkose Labs: Website Scraping Beyond Bot Management, Why Reverse Proxy Phishing Demands a New Defense Strategy

By the numbers:

Questions worth separating out

Q: How should security teams stop reverse proxy phishing from bypassing MFA?

A: Use controls that inspect the session path, not just the credential outcome.

Q: Why do bot management controls miss modern phishing attacks?

A: Bot management is tuned for automation, velocity, and known credential stuffing patterns.

Q: What do security teams get wrong about valid credentials?

A: They often treat a valid credential as proof of a trusted actor.

Practitioner guidance

  • Add session integrity checks at authentication time. Validate the path of the login, not only the credential result.
  • Tune fraud and identity signals for fresh credential abuse. Assume the attacker is using live credentials and MFA responses minutes after capture.
  • Reduce reliance on domain reputation alone. Treat blacklist and spam-filter success as one layer, not a control boundary.

What's in the full article

Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:

  • The session integrity monitoring approach used to separate direct sign-ins from proxy-mediated authentication.
  • The 250-plus risk signals the vendor says it uses to identify live credential theft in progress.
  • The difference between active blocking and monitor mode for suspicious authentication journeys.
  • Why the vendor argues bot management and phishing protection must be deployed as complementary controls.

👉 Read Arkose Labs' analysis of reverse proxy phishing and session integrity →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4413
 

Session integrity, not bot detection, is now the governance boundary that matters. Bot management was designed for automation, velocity, and known abuse patterns. Reverse proxy phishing bypasses those assumptions by using live interaction and valid MFA responses, which means the login can look normal even when the actor is not trustworthy. The implication is that identity governance must evaluate whether a session is genuinely bound to the intended user, not merely whether a credential was accepted.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.

A question worth separating out:

Q: How should IAM and fraud teams respond when phishing uses live sessions?

A: They should focus on containment signals that can act before the attacker completes the session. That means real-time scoring, step-up challenges, and rapid suspension paths for suspicious authentication journeys, plus tighter coordination between IAM and fraud teams so a compromised session is handled as an active incident.

👉 Read our full editorial: Reverse proxy phishing is exposing the limits of bot management

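The "validate the path of the login, not only the credential result" guidance in the first post, and the real-time scoring and step-up decisions described in the reply above, as an added illustration that is not code from either post or from Arkose Labs: a relay passes the password and MFA steps through, so the scorer ignores their outcome and looks at the client context of the journey (TLS stack vs. claimed browser, hosting ASN, ASN history) and at whether a freshly issued session is reused from a different context within a short window. The `ClientContext` fields, the `tls_class` label (assumed to be derived from a JA3-style fingerprint), the ASN watchlist and the sample contexts are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ClientContext:
    """Constructed per-request client context (field names are assumptions)."""
    ip: str
    asn: str        # e.g. "AS64500 Example Hosting"
    tls_class: str  # "browser" or "library", assumed to come from a JA3-style fingerprint
    ua_class: str   # "browser" or "script", parsed from the User-Agent header

HOSTING_ASNS = {"AS64500 Example Hosting"}  # constructed watchlist of hosting ASNs
REPLAY_WINDOW = timedelta(minutes=30)       # the "minutes after capture" horizon

# Constructed sample contexts: the user's usual browser and a relay host
HOME = ClientContext("203.0.113.10", "AS64496 Example ISP", "browser", "browser")
RELAY = ClientContext("198.51.100.7", "AS64500 Example Hosting", "library", "browser")
T0 = datetime(2024, 1, 1, 9, 0)

def score_login(ctx: ClientContext, known_asns: set[str]) -> list[str]:
    """Signals about the login path itself, independent of whether the
    password and MFA steps succeeded (a relay passes both through)."""
    signals = []
    if ctx.tls_class == "library" and ctx.ua_class == "browser":
        signals.append("tls_ua_mismatch")  # relay's TLS stack vs. the browser it claims to be
    if ctx.asn in HOSTING_ASNS:
        signals.append("hosting_asn")
    if ctx.asn not in known_asns:
        signals.append("new_asn")
    return signals

def check_session_use(issued_to: ClientContext, issued_at: datetime,
                      ctx: ClientContext, now: datetime) -> list[str]:
    """A session bound to one client context and reused from another shortly
    afterwards is the replay pattern a captured session cookie produces."""
    signals = []
    moved = (ctx.ip, ctx.asn, ctx.tls_class) != (issued_to.ip, issued_to.asn, issued_to.tls_class)
    if moved and now - issued_at <= REPLAY_WINDOW:
        signals.append("session_context_changed")
    if ctx.asn in HOSTING_ASNS:
        signals.append("hosting_asn")
    return signals

def decide(signals: list[str]) -> str:
    """allow / step_up / suspend: a strong signal alone forces step-up,
    a strong signal plus corroboration suspends the journey for review."""
    strong = {"tls_ua_mismatch", "session_context_changed"}
    if strong & set(signals):
        return "suspend" if len(signals) >= 2 else "step_up"
    return "step_up" if signals else "allow"
```

In monitor mode the same functions simply record the decision instead of enforcing it, which is how the thresholds can be tuned against real traffic before blocking is switched on.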