Learn how phishing proxy technology works: an advanced technique that places an invisible reverse proxy between a victim and the target site, bypassing two-factor authentication (2FA). This article discusses the practical use of Evilginx3 to intercept passwordless sessions.
Note to readers: The information presented in this material is based on the technical content of the Evilginx Phishing Proxy Development Masterclass (2025) – a practical educational resource specially designed for experienced security professionals, Red Team operators, pentesters and cyber enthusiasts. All mentioned techniques, architectural principles and examples are taken from real-life lab scenarios and training tasks, reflecting modern threats and approaches to implementing phishing proxies through Evilginx3.
The master class covers an in-depth analysis of phishlet configurations: from configuring proxy_hosts, sub_filters, cookie_capture, and auth_token_capture to developing custom solutions for handling complex scenarios with CAPTCHA, MFA, redirects, and SPA interfaces.
The practical part of the course includes a series of laboratory tasks that simulate real proxy attacks, where participants create phishlets adapted for specific services, including Google, Microsoft, AWS, Discord, and others.
The material also includes recommendations for eliminating common errors when writing YAML phishlets, analyzing HTTP/HTTPS headers, and implementing protection against the detection of phishing activity.
This content is published for educational purposes only, with respect for the ethical standards of professional cybersecurity.
This repository contains a comprehensive collection of Evilginx3 phishlets that have been carefully designed and tested in real-world environments. The phishlets are intended for use in penetration testing, Red Team operations, and account security assessments in cloud and enterprise environments.
Phishlets are written in YAML format and set up a proxy connection between the user and the target web resource, simulating a legitimate session. This allows you to:
Proxy HTTPS connections between the user and the site;
Intercept session tokens, cookies, and HTTP headers;
Bypass modern security mechanisms, including 2FA, CAPTCHA, WebAuthn;
Detect behavioral features of authentication systems.
Phishlets support integration with platforms such as:
Microsoft 365
Google Workspace
AWS Console
Discord
Instagram, Facebook, TikTok, and more.
All templates support flexible configuration: redirect zones, URL filtering, JavaScript scrubbing, and automatic saving of authorization parameters. This allows you to use Evilginx3 as a full-fledged phishing proxy for targeted security testing without the need to modify the target web server itself.
Phishlets are constantly updated according to changes in the target platforms to remain effective in the current technical environment.
For cybersecurity professionals looking to hone their skills in reverse proxy phishing attacks, Evilginx3 phishlets are the key to putting high-precision offensive testing tools into practice. With extensive customization capabilities, phishlets allow for flexible session interception schemes and bypassing modern protection mechanisms.
proxy_hosts — determines which domains and resources are proxied through a reverse proxy;
sub_filters — filtering HTML/JS content for URL replacement, scripts, forms;
js_inject — injection of custom JavaScript code to bypass protections and collect data;
auth_urls / login_urls — indicate key entry points where session capture occurs;
cookie_capture / auth_token_capture — mechanisms for capturing session cookies and authorization tokens;
force_post — logic for automatically submitting authentication forms to maintain a seamless login flow.
Proxying HTTPS connections between the victim and the legitimate server;
Intercepting credentials and authorization tokens without visible signs of attack;
Bypassing 2FA, CAPTCHA, FIDO2, by simulating a full browser session;
Using regular expressions to precisely extract the necessary fragments of HTTP requests and responses;
Disguising the phishing session as a familiar user environment.
Phishlets are constantly updated to reflect changes in the structures of popular web platforms. They are effectively used for:
Red Team operations in corporate environments;
demonstrating vulnerabilities during pentest campaigns;
training Blue Team specialists in detecting sophisticated phishing proxies.
Thanks to its flexible configuration structure and extensive injection capabilities, Evilginx3 allows you to simulate even the most complex attacks on services with strong authentication and session control.

name: 'Your First Phishlet'
author: 'Simpler Hacking'
min_ver: '3.2.0'
proxy_hosts:
  - { phish_sub: 'www', orig_sub: 'www', domain: '{domain}', session: true, is_landing: true }
sub_filters:
  - { hostname: '{hostname}', sub: 'www', domain: '{domain}', search: '{domain}', replace: '{hostname}', mimes: ['text/html', 'application/javascript', 'text/css', 'application/json', 'image/x-icon', 'text/plain', 'application/xml', 'image/*', 'font/*'] }
  - { hostname: '{hostname}', sub: 'www', domain: '{domain}', search: '{domain}', replace: '{hostname}', mimes: ['application/x-www-form-urlencoded'] }
auth_tokens:
  - domain: '{domain}'
    keys: ['session']
creds:
  - key: 'username'
    search: ['(.*)']
    type: 'post'
  - key: 'password'
    search: ['(.*)']
    type: 'post'
auth_urls:
  - url_regex: 'https://{hostname}/login'
    valid_statuses: [200]
login:
  username: user
  password: pass
  url: https://www.{domain}/login
# This is just a demo example of a phishlet for 3.2.0
# You can find phishlets here: https://github.com/simplerhacking/Evilginx3-Phishlets
name: Specifies the name of the phishlet.
author: Specifies the author of the phishlet.
min_ver: Specifies the minimum version of Evilginx compatible with your phishlet.
proxy_hosts: Specifies the domain and subdomains for the proxy server. phish_sub is the subdomain that the phishing page will mimic.
sub_filters: Allows the phishlet to replace instances of the actual domain name with the phishing domain in proxied content, which is critical for the phishing page to work properly.
auth_tokens: Specifies the cookies that should be retrieved from the victim's browser to gain access to the victim's session.
creds: This field specifies the credentials that the phishlet should capture. key is the name of the credential (such as a username or password) and search is the regular expression that the program will use to identify and extract these credentials from the user's input.
auth_urls: Specifies the URLs that Evilginx will treat as authenticated URLs. Once the victim logs in, Evilginx will look for a redirect to one of these URLs and then capture the cookies listed under auth_tokens.
login: Here you specify the identifiers of the username and password fields in the login form on the original web page. url is the link to the page where the victim enters their credentials.
force_post: If set to true, this forces the HTTP method to change from GET to POST.
is_landing: If set to true, this indicates that the page is the landing page for the phishing attack.
js_inject: Here you can write JavaScript code to inject into the web page. This is typically used to enhance the phishing attack and provide a smoother experience for the victim.
domain: This is a template variable that is replaced with the target hostname used in the phishlet configuration.
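Because sub_filters perform a literal search/replace of the real domain with the proxy hostname in every proxied HTML and JavaScript response, a site-side check written as a plain string comparison against its own domain is rewritten along with everything else and silently passes. The following is an added defensive example, not code from this page or from the Evilginx project: the expected hostname is stored as character codes (computed at build time with a hypothetical encodeHostname helper) so the literal domain string never appears in the served script, and the check compares the decoded value against the hostname the browser actually loaded from. The hostname www.example.com and the report callback are constructed for the demonstration.

```javascript
// Build-time helper (hypothetical): turn the expected hostname into an array
// of character codes. Only the codes are shipped in the served script, so a
// literal search/replace of the domain string does not touch them.
function encodeHostname(hostname) {
  return Array.from(hostname, (ch) => ch.charCodeAt(0));
}

// Runtime decode of the stored character codes back into a hostname string.
function decodeHostname(codes) {
  return String.fromCharCode(...codes);
}

// Returns true when the page is being served from a hostname that does not
// match the encoded expected value (case-insensitive, as DNS names are).
function isUnexpectedHost(encodedExpected, actualHostname) {
  const expected = decodeHostname(encodedExpected);
  return expected.toLowerCase() !== String(actualHostname).toLowerCase();
}

// Constructed value: character codes for 'www.example.com'. The literal
// string is deliberately not written here; see encodeHostname above.
const EXPECTED_HOST = [119, 119, 119, 46, 101, 120, 97, 109, 112, 108, 101, 46, 99, 111, 109];

// Entry point for the page's login script. In a browser this receives
// window.location.hostname; on a mismatch it reports the event through the
// supplied callback (e.g. a beacon to the site's own monitoring endpoint)
// and returns false so the caller can stop the login flow.
function checkServingHost(hostname, report) {
  if (isUnexpectedHost(EXPECTED_HOST, hostname)) {
    report({ event: 'host-mismatch', seen: String(hostname) });
    return false;
  }
  return true;
}

// Run automatically when loaded in a browser; no-op under Node.
if (typeof window !== 'undefined') {
  checkServingHost(window.location.hostname, (e) => console.warn(e));
}
```

A proxy tuned specifically against this encoding can still rewrite it, so treat a passing check as one detection signal alongside server-side session binding and token monitoring, not as a control on its own.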
The material presented in this article is the result of an in-depth technical analysis and practical application of modern phishlets for Evilginx3. It is based on real-world lab scenarios that take into account the latest challenges in cybersecurity: from bypassing multifactor authentication to fine-tuning proxy communication and intercepting authorization tokens.
The phishlets described here not only demonstrate technical excellence, but also serve as a reliable basis for building your own adaptive solutions, from corporate Red Team modeling to educational training for cyber defenders. YAML templates, filter structure, data capture mechanisms and JavaScript injection together form the core of an advanced phishing platform.
Evilginx3 phishlets are not just scripts, but high-precision tools designed to take into account the smallest details of interaction with target platforms. Their constant updating and adaptation to changes in web interfaces make them invaluable for modern security professionals who strive to act proactively, professionally, and responsibly.