BadB
A technical analysis of Man-in-the-Browser attacks and bypassing multi-factor authentication through session hijacking
Introduction: The Illusion of MFA Security
Multi-factor authentication (MFA) was long considered an insurmountable barrier for cybercriminals. SMS codes, TOTP apps, hardware keys — all of this was supposed to make account hacking impossible. However, by 2025, it became clear that MFA can be bypassed without hacking it directly.
A key tool for this bypass is session cookie interception. And the main executor is EvilProxy, a phishing platform that has become the de facto standard for APT groups (including Russian and Iranian hacker groups).
In this article, we will conduct an in-depth technical analysis of EvilProxy's architecture, explain why MFA is ineffective here, and how session cookies become the universal key to an account.
Part 1: How MFA Works — and Where It Falls
MFA Architecture
- The user enters the login and password,
- The system asks for a second factor (SMS, Google Authenticator, Face ID),
- If the check is successful, the server creates a session cookie,
- This cookie is sent to the browser and is automatically attached to every request.
Critical vulnerability:
MFA only protects the login process.
After successful authentication, all security is limited to the integrity of the session cookie.
If a carder or hacker obtains this cookie, they gain full access to the account without having to go through MFA again.
Part 2: What is a session cookie?
A session cookie is a small file stored in the browser that contains a session token (e.g. sessionid=abc123xyz).
Session cookie properties:
- Lasts until the browser is closed (or until a timeout),
- Automatically sent for every request to the domain,
- Does not require re-authentication,
- It is the only proof of authorization after login.
Example:
After signing in to Gmail, you can read your emails for hours without re-entering your password or OTP.
Why? Because the browser sends the SID=... cookie with every request.
Part 3: EvilProxy – The Architecture of Modern Phishing
EvilProxy is a Reverse Proxy Phishing Toolkit that allows you to create completely transparent phishing portals.
How EvilProxy works:
Code:
Victim → Phishing site (evilproxy.com) ↔ Real site (gmail.com)
- The victim clicks on the link: https://secure-gmail[.]com,
- EvilProxy dynamically proxies all traffic between the victim and the real Gmail,
- The victim sees a real SSL certificate, a real interface, real errors,
- The victim enters the login, password, and even goes through MFA,
- EvilProxy intercepts the session cookie and stores it,
- The attacker uses the cookie to log into the account directly - without MFA.
The key point:
The victim goes through MFA themselves, and the attacker simply steals the result.
Part 4: Why MFA is Powerless
| MFA Type | Bypass via EvilProxy |
|---|---|
| SMS OTP | The victim enters the code → EvilProxy intercepts the cookie |
| Google Authenticator (TOTP) | Same thing - the code is entered by the victim |
| FIDO2 / YubiKey | Even hardware keys don't help - the session has already been created |
| Push Notifications (Microsoft Authenticator) | The victim clicks "Approve" → the cookie is intercepted |
Fact:
100% of MFA types are vulnerable to session hijacking attacks.
Why? Because MFA only protects authentication, not authorization.
Part 5: Real-World EvilProxy Use Cases
APT29 (Cozy Bear, Russia)
- Used EvilProxy to attack US and EU government institutions in 2023–2024.
- Objective: Access to Microsoft 365, Outlook, SharePoint,
- Method: Phishing emails with fake notifications of “suspicious activity”.
Charming Kitten (Iran)
- Attacked academic and research centers,
- Used EvilProxy to steal confidential documents,
- Successfully bypassed Duo Security, Okta, Microsoft MFA.
Result:
In both cases, the victims themselves completed MFA, but the sessions were stolen.
Part 6: Technical details of cookie interception
EvilProxy uses several methods to extract cookies:
HTTP proxying
- All Set-Cookie headers are intercepted in real time,
- Cookies are stored in the attacker's database.
JavaScript injections
- Dynamic script injection for reading document.cookie,
- Works even if cookies are marked as HttpOnly.
TLS decryption
- EvilProxy generates valid certificates via Let's Encrypt,
- Decrypts all HTTPS traffic on the fly.
Protection?
Modern browsers can't distinguish EvilProxy from a legitimate website — the certificate is valid and the content is identical.
Part 7: How to Protect Yourself — and Why It's Difficult
For organizations:
- Session Binding: binding a session to an IP, User-Agent, device,
- Short Session Timeouts: Automatic logout after 15 minutes,
- Continuous Authentication: Monitoring post-login behavior.
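The three organizational controls above (session binding, a short idle timeout, and continuous post-login verification) can be combined in one server-side session check. The following is an added illustration, not code from the post or from any real product: a session store that binds each token to a fingerprint of the client's IP and User-Agent at login, expires it after 15 minutes of inactivity, and revokes it the moment the same cookie is presented from a different client. The `SessionStore` class, the fingerprint scheme and all sample values are assumptions constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60  # seconds; matches the 15-minute logout recommendation


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client attributes the session is bound to at login (assumed scheme)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    last_seen: float      # timestamp of the last accepted request
    revoked: bool = False


class SessionStore:
    """Hypothetical server-side store keyed by the session cookie value."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, ip: str, user_agent: str, now: float) -> str:
        # Called only after password and MFA both succeeded; the token becomes the cookie value.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_fingerprint(ip, user_agent), now)
        return token

    def verify(self, token: str, ip: str, user_agent: str, now: float) -> Optional[str]:
        """Re-validate the session on every request; return the user or None if rejected."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        if now - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True          # idle too long: force a fresh login (and fresh MFA)
            return None
        if s.fingerprint != client_fingerprint(ip, user_agent):
            s.revoked = True          # same cookie from a different client: treat as hijacked
            return None
        s.last_seen = now             # continuous verification: refresh only on a clean check
        return s.user
```

Binding to the raw IP alone will log out legitimate users whose address changes (mobile networks, VPN rotation), so a production fingerprint usually weights several signals rather than hard-failing on one; the point here is that a replayed cookie is refused and the session is terminated rather than silently accepted.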
For regular users:
- It is impossible to distinguish EvilProxy from the real site,
- URL verification is not sufficient - phishing domains look legitimate (micros0ft-login.com),
- MFA doesn't help - it's already been completed.
The only reliable method:
Never click on links in emails - always enter the URL manually.
Part 8: Why This Matters for Carders
For those involved in carding or fraud, EvilProxy demonstrates an important principle:
The best way to bypass protection is to get the victim to do it for you.
However:
- EvilProxy requires a high level of OPSEC,
- The use of such tools attracts the attention of APT trackers and law enforcement agencies,
- Most "EvilProxy as a Service" on Telegram are scams or honeypots.
Warning:
Attempting to use EvilProxy without experience is almost guaranteed to result in your hardware being compromised.
Conclusion: The End of the MFA Trust Era
EvilProxy is more than just a tool. It symbolizes a new era in cybersecurity, where trust in multifactor authentication is no longer justified.
The future of security lies not in complicating logins, but in constant session verification:
- Binding to a device,
- Behavior analysis,
- Automatic termination of suspicious sessions.
For carders, this means:
Old methods of cloning and brute-force attacks are a thing of the past.
The future lies in social engineering and trust hijacking.
Final thought:
In the world of EvilProxy, the most dangerous attack vector isn't a code vulnerability, but human trust.
And as long as people click links, no amount of MFA will save them.
Remain vigilant. Remain skeptical.
And remember: true security begins with being suspicious of anything that asks you to "log in again".