← All articles

EvilGinx and adversary-in-the-middle phishing, explained

GottaPhish Team · July 8, 2026

Multi-factor authentication was supposed to make stolen passwords worthless. Adversary-in-the-middle (AiTM) phishing — popularised by open-source frameworks like EvilGinx — quietly broke that assumption by stealing the session, not the password. Understanding how it works is the first step to defending against it.

What adversary-in-the-middle phishing is

Classic phishing shows the victim a static clone of a login page and simply records whatever they type. It cannot handle a live one-time code, and it cannot pass a real MFA challenge.

AiTM phishing removes that limitation by inserting a reverse proxy between the victim and the genuine site. The attacker's server does not host a fake page at all — it relays the real one:

Victim → login.micros0ft-verify.example (attacker proxy) → login.microsoftonline.com

Every request the victim makes is forwarded to the legitimate service, and every response is passed back. The victim sees the authentic login flow — real branding, real error messages, real MFA prompts — because they are, in fact, talking to the real service, just through a relay that reads everything in transit.

Why it defeats OTP and push

The critical insight is that the attacker is not trying to know your password or your code. They are trying to capture what the successful login produces: the authenticated session cookie.

At that point the OTP has already done its job and is worthless to replay. The attacker imports the stolen cookie into their own browser and is logged in as the user — no password, no code, no second prompt. This is why SMS codes, TOTP authenticator apps, and push approvals all fall to a competent AiTM setup: each is a shared secret the human can be tricked into relaying in real time.

The MFA prompt the victim approved was genuine. That is precisely what makes AiTM so effective — nothing looks wrong to the user, and nothing looks wrong to the identity provider.

Why existing defenses struggle

The real fix: phishing-resistant MFA

AiTM works because the second factor travels through the attacker. Remove that possibility and the attack collapses. FIDO2 / WebAuthn and passkeys bind the credential cryptographically to the exact web origin it was registered for:

Credential registered for : https://login.microsoftonline.com
Browser sees origin       : https://login.micros0ft-verify.example
→ origin mismatch → the authenticator refuses to sign → login fails

There is no code to relay and no cookie to harvest, because authentication never succeeds against the wrong origin. The browser enforces this — not the user. Complementary controls harden the rest:

The goal is phishing-resistant MFA as required, not merely available — any phishable fallback is a path attackers will steer users toward.

How GottaPhish automates AiTM simulations

AiTM attacks defeat OTP and push MFA by relaying the session in real time, and no proxy or filter alone reliably closes that gap. GottaPhish and its expert support team reproduce adversary-in-the-middle scenarios automatically and safely inside authorized simulations — there is no attacker infrastructure for your team to stand up, host, or tear down. We demonstrate, with full auditing, how OTP and push MFA fall to a real proxy while phishing-resistant credentials hold, giving you measurable exposure data per user, department, and role; our experts help you design the scenarios, set up the campaigns, and interpret the results. That evidence makes the business case for FIDO2/passkeys concrete, and our reporting tracks adoption alongside your click and report rates so you can prove the phishable gap is genuinely closing — not just that a policy exists on paper.