Stopping Reverse-Proxy Phishing: A Visual Guide to the MFA Bypass Threat

Reverse-proxy phishing is an advanced attack technique where a fraudster positions a proxy server between a consumer and a legitimate website. Unlike traditional phishing, which uses a static fake site to steal credentials, a reverse proxy silently intercepts and forwards traffic to the real site in real time — capturing usernames, passwords, one-time passcodes and session tokens while the consumer believes they are interacting with their actual bank or service provider.

Standard MFA methods such as SMS codes and email one-time passcodes are designed to prevent unauthorized access using stolen passwords. However, reverse-proxy phishing captures MFA codes at the exact moment the consumer enters them, forwarding the code to the legitimate site before it expires. The attacker is then authenticated and holds an active session cookie — giving them full account access even after the MFA step completes successfully.

Arkose Phishing Protection is a component of the Arkose Titan platform that detects and blocks reverse-proxy phishing attempts in real time. It uses cryptographic token verification — which reverse proxies cannot replicate — alongside more than 225 device, behavioral and traffic signals to identify phishing sessions as they occur. Security teams can configure it to either block suspicious sessions immediately or flag them for downstream analysis.