A phishing method in which an attacker places a reverse proxy between the user and the real login service. The user signs in on a look-alike site that relays the authentication flow to the legitimate service, allowing the attacker to capture live credentials, MFA codes, and the session cookie issued at the end of an otherwise legitimate sign-in.
Expanded Definition
Reverse proxy phishing is a session interception technique in which an attacker-controlled server sits between a user and a legitimate login service, relaying the authentication flow in real time so the attacker can capture credentials, session cookies, and sometimes MFA assertions. In NHI and IAM discussions, it is best understood as an adversary-in-the-middle (AiTM) pattern rather than a simple fake login page: the victim is interacting with the real service, just through the attacker.
Usage in the industry is still evolving because different vendors group this technique under adversary-in-the-middle (AiTM) or session hijacking. The practical distinction is that the victim completes a genuine authentication ceremony against the real service, so the IdP records a successful login with valid MFA; that makes the attack harder to detect than static credential theft. It is also why controls such as phishing-resistant authentication (FIDO2/WebAuthn), token binding, conditional access, and device trust matter more than password policy alone: an origin-bound authenticator will not sign for the proxy's origin, and a bound session cookie cannot be replayed from the attacker's machine. The NIST Cybersecurity Framework 2.0 remains useful as a governance anchor for reducing identity compromise risk, but it does not name this attack pattern explicitly.
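To make the mechanics concrete, here is an added example, not code from the original page or from NHIMG, that simulates the three parties in-process: a victim browser, an attacker reverse proxy at a look-alike origin, and the legitimate IdP. It goes slightly beyond the text by showing both outcomes side by side: password plus TOTP relayed through the proxy yields a session cookie the attacker can replay, while a WebAuthn assertion fails because the browser signs the origin it actually talked to and the IdP rejects the mismatch. The hostnames, the test user, and the HMAC stand-in for the authenticator's public-key signature are constructed for the illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed hostnames for the illustration.
LEGIT_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-com.net"   # attacker's look-alike origin


def canonical(client_data):
    """Deterministic bytes for signing (stands in for real clientDataJSON)."""
    return json.dumps(client_data, sort_keys=True).encode()


class IdP:
    """Legitimate identity provider: password+TOTP login and a simplified WebAuthn flow."""

    def __init__(self):
        # Constructed test user. "authenticator_key" stands in for the user's registered
        # WebAuthn credential (HMAC instead of a public-key signature, to stay self-contained).
        self.users = {"alice": {"password": "hunter2", "totp": "482913",
                                "authenticator_key": b"alice-authenticator-key"}}
        self.sessions = {}      # session cookie value -> username
        self.challenges = {}    # username -> outstanding WebAuthn challenge

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return {"status": 200, "set_cookie": f"session={cookie}"}

    def login_password_totp(self, req):
        u = self.users.get(req["user"])
        if u and u["password"] == req["password"] and u["totp"] == req["totp"]:
            return self._issue_session(req["user"])   # password and OTP were valid, cookie issued
        return {"status": 401}

    def webauthn_begin(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return {"challenge": self.challenges[user], "rpId": "login.example.com"}

    def webauthn_finish(self, user, client_data, signature):
        u = self.users.get(user)
        expected = self.challenges.pop(user, None)
        if not u or client_data["challenge"] != expected:
            return {"status": 401, "reason": "bad challenge"}
        # The relying party checks the origin the browser actually signed.
        if client_data["origin"] != LEGIT_ORIGIN:
            return {"status": 401, "reason": "origin mismatch"}
        good = hmac.new(u["authenticator_key"], canonical(client_data), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, signature):
            return {"status": 401, "reason": "bad signature"}
        return self._issue_session(user)

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class AttackerProxy:
    """Reverse proxy at PHISH_ORIGIN; exposes the IdP's interface and relays every call."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured = {}   # harvested credentials and cookies

    def login_password_totp(self, req):
        self.captured["credentials"] = dict(req)    # password and the live TOTP code
        resp = self.upstream.login_password_totp(req)
        if "set_cookie" in resp:
            self.captured["cookie"] = resp["set_cookie"].split("=", 1)[1]
        return resp   # relayed unchanged, so the victim sees a normal login

    def webauthn_begin(self, user):
        return self.upstream.webauthn_begin(user)   # challenge passes through untouched

    def webauthn_finish(self, user, client_data, signature):
        # The proxy cannot rewrite client_data["origin"]: the signature covers it.
        # (A real browser would already refuse: rpId is not a suffix of the phishing host.)
        return self.upstream.webauthn_finish(user, client_data, signature)


class Browser:
    """Victim's browser. It records the origin it is really talking to."""

    def __init__(self, authenticator_key):
        self.authenticator_key = authenticator_key

    def login_password_totp(self, site, user, password, totp):
        return site.login_password_totp({"user": user, "password": password, "totp": totp})

    def login_webauthn(self, site, origin, user):
        opts = site.webauthn_begin(user)
        # Real browsers put the page origin into clientDataJSON; the authenticator signs it.
        client_data = {"type": "webauthn.get", "challenge": opts["challenge"], "origin": origin}
        sig = hmac.new(self.authenticator_key, canonical(client_data), hashlib.sha256).hexdigest()
        return site.webauthn_finish(user, client_data, sig)


def password_totp_scenario():
    """Victim signs in through the proxy with password + TOTP; attacker replays the cookie."""
    idp = IdP()
    proxy = AttackerProxy(idp)
    browser = Browser(idp.users["alice"]["authenticator_key"])
    victim_resp = browser.login_password_totp(proxy, "alice", "hunter2", "482913")
    # Attacker presents the harvested cookie directly to the real IdP.
    return victim_resp["status"], idp.whoami(proxy.captured["cookie"])   # (200, 'alice')


def webauthn_scenario(via_proxy):
    """Same victim with a phishing-resistant authenticator; returns the IdP's final response."""
    idp = IdP()
    browser = Browser(idp.users["alice"]["authenticator_key"])
    if via_proxy:
        return browser.login_webauthn(AttackerProxy(idp), PHISH_ORIGIN, "alice")
    return browser.login_webauthn(idp, LEGIT_ORIGIN, "alice")


if __name__ == "__main__":
    print("password+TOTP via proxy:", password_totp_scenario())
    print("WebAuthn via proxy:     ", webauthn_scenario(True))
    print("WebAuthn direct:        ", webauthn_scenario(False)["status"])
```

The point of the simulation is that nothing in the password+TOTP path lets the IdP tell the proxy from the user: the credentials and OTP are genuine, so a genuine cookie is issued and the proxy simply reads the `Set-Cookie` header on the way back. Only a factor that binds the assertion to the origin the browser is actually on changes that outcome.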
The most common misapplication is treating reverse proxy phishing as ordinary credential stuffing. Defenders then look only for reused or leaked passwords and spray patterns, and miss the live interception of an active sign-in, where the password, the MFA code and the issued session cookie are all captured in a single legitimate-looking login.
Examples and Use Cases
Implementing phishing-resistant access controls rigorously often introduces user friction and platform constraints, requiring organisations to weigh session security against deployment complexity.
- An attacker stands up a reverse proxy in front of the Microsoft 365 sign-in experience, relays the real login to the target service, and captures the authenticated session cookie before the user notices anything beyond an unfamiliar URL.
- A cloud admin authenticates through a malicious intermediary, giving the attacker a usable session token that can survive a password reset until the token expires or is revoked.
- A service desk agent is prompted to complete MFA on a fake portal, but the proxy relays the challenge to the real IdP and harvests the session issued after the live approval.
- An enterprise detects impossible travel only after the attacker reuses a session cookie from a geographically distinct location, showing why the Ultimate Guide to NHIs emphasizes lifecycle visibility and access governance for every identity type.
- Security teams harden browser and IdP controls using guidance from the NIST Cybersecurity Framework 2.0, then add phishing-resistant MFA so the proxy can no longer complete the sign-in, and session binding so a captured cookie cannot be replayed.
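The impossible-travel case above is usually the first signal defenders get, because the IdP logged the sign-in from the proxy's address and client, while the cookie is later presented from the attacker's machine. The following is an added example, not code from the original page or from NHIMG, of a minimal correlation rule over constructed sign-in and activity events: it joins each activity record to the sign-in that issued its session cookie and scores a change of network (ASN), a change of client (user agent), and a sign-in that originated from a hosting provider. The event field names, the hosting ASN list and the weights are assumptions for the illustration.

```python
from datetime import datetime

# Constructed sample events, not real telemetry: one sign-in record per session as an IdP
# would log it, followed by downstream application activity presenting the same session
# cookie. IPs are RFC 5737 documentation addresses; ASNs are from the private range.
SAMPLE_EVENTS = [
    {"ts": "2024-05-02T09:00:00Z", "user": "alice", "event": "signin", "session": "s1",
     "ip": "203.0.113.10", "asn": "AS64500", "ua": "Firefox/125"},
    {"ts": "2024-05-02T09:05:00Z", "user": "alice", "event": "activity", "session": "s1",
     "ip": "203.0.113.10", "asn": "AS64500", "ua": "Firefox/125"},
    # bob: the IdP saw the sign-in from the proxy (a hosting ASN); the cookie is then
    # used from a different network with a scripted client.
    {"ts": "2024-05-02T10:00:00Z", "user": "bob", "event": "signin", "session": "s2",
     "ip": "198.51.100.7", "asn": "AS64496", "ua": "Chrome/124"},
    {"ts": "2024-05-02T10:12:00Z", "user": "bob", "event": "activity", "session": "s2",
     "ip": "192.0.2.44", "asn": "AS64501", "ua": "python-requests/2.31"},
    # carol: IP changes inside the same mobile network with the same client, benign.
    {"ts": "2024-05-02T11:00:00Z", "user": "carol", "event": "signin", "session": "s3",
     "ip": "203.0.113.50", "asn": "AS64500", "ua": "Safari/17"},
    {"ts": "2024-05-02T11:30:00Z", "user": "carol", "event": "activity", "session": "s3",
     "ip": "203.0.113.51", "asn": "AS64500", "ua": "Safari/17"},
    # dave: activity on a session the IdP never issued within this log window.
    {"ts": "2024-05-02T12:00:00Z", "user": "dave", "event": "activity", "session": "s9",
     "ip": "192.0.2.90", "asn": "AS64501", "ua": "curl/8.4"},
]

# Constructed: ASNs of cloud/VPS providers where phishing proxies are commonly hosted.
HOSTING_ASNS = {"AS64496"}

# Weight per indicator; a session is flagged once its score reaches ALERT_THRESHOLD.
# A hosting-ASN sign-in alone is not enough (VPN users look the same), but combined
# with a network or client change it is a strong AiTM signal.
WEIGHTS = {"network changed": 2, "client changed": 2, "sign-in from hosting ASN": 1}
ALERT_THRESHOLD = 2


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_reuse(events, window_minutes=480):
    """Return one alert per session whose cookie is used from a context that does not
    match the sign-in that issued it, or for which no sign-in exists at all."""
    signins = {e["session"]: e for e in events if e["event"] == "signin"}
    alerts, flagged = [], set()
    for e in sorted(events, key=lambda x: parse_ts(x["ts"])):
        if e["event"] != "activity" or e["session"] in flagged:
            continue
        origin = signins.get(e["session"])
        if origin is None:
            reasons, score = ["no sign-in on record"], ALERT_THRESHOLD
        else:
            age = (parse_ts(e["ts"]) - parse_ts(origin["ts"])).total_seconds() / 60
            if age > window_minutes:
                continue   # outside the correlation window; long-lived sessions need their own rule
            reasons = []
            if e["asn"] != origin["asn"]:
                reasons.append("network changed")
            if e["ua"] != origin["ua"]:
                reasons.append("client changed")
            if origin["asn"] in HOSTING_ASNS:
                reasons.append("sign-in from hosting ASN")
            score = sum(WEIGHTS[r] for r in reasons)
        if score >= ALERT_THRESHOLD:
            flagged.add(e["session"])
            alerts.append({"user": e["user"], "session": e["session"], "score": score,
                           "reasons": reasons,
                           "action": "revoke session, then rotate credentials and any secrets it could reach"})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the session identifier rather than the user, because the user's other sessions are legitimate; what is anomalous is one cookie appearing in two incompatible contexts. Comparing ASN instead of raw IP avoids flagging ordinary address churn inside one carrier, as the constructed carol case shows.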
Why It Matters in NHI Security
Reverse proxy phishing matters because it defeats controls that assume the authenticator is the only point of compromise. Once an attacker holds a live session, they may impersonate a human user or reach downstream NHI assets such as admin consoles, cloud control planes, CI/CD systems, and secret stores. That creates direct exposure for API keys, service accounts, certificates, and automation workflows that depend on a trusted session boundary.
This is especially dangerous in environments already struggling with secret hygiene. NHIMG reports that 79% of organisations have experienced secrets leaks, and 77% of those incidents caused tangible damage, while 96% store secrets outside secrets managers in vulnerable locations. In that context, a successful proxy phishing event can become the first step in broader NHI compromise, not just account takeover. The Ultimate Guide to NHIs is clear that visibility, rotation, and Zero Trust discipline are essential because compromised sessions often expose more than one identity class at once.
Organisations typically encounter the operational reality of reverse proxy phishing only after a session is abused to reach privileged systems, at which point token revocation and credential rotation become unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agentic AI Top 10 | AiTM-style phishing undermines identity assurance and session trust in agentic access flows. |
| NIST CSF 2.0 | PR.AA-03 | Authentication of users and services is the outcome attackers subvert when they relay a legitimate sign-in; the surrounding PR.AA identity-proofing and access-enforcement outcomes frame the required controls. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust assumes any session can be compromised and requires continuous revalidation of subject, device, and session rather than one-time authentication. |
Use phishing-resistant auth and session binding to prevent stolen live sessions from authorizing agents.
Related resources from NHI Mgmt Group
- Why do phishing kits with reverse-proxy flows still bypass MFA?
- When is a reverse proxy better than a VPN for access control?
- What is the difference between a managed gateway and a reverse proxy in front of a gateway?
- How should security teams govern access when using a reverse proxy as the control point?
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org