CISA and FBI Issue Joint Advisory on 'ShadowProxy' Phishing-as-a-Service (PhaaS) Platform

CISA Warns of 'ShadowProxy' Phishing-as-a-Service that Bypasses MFA

Severity: HIGH
Published: April 26, 2026
Updated: May 5, 2026
Categories: Phishing, Threat Intelligence, Security Operations

Related Entities (initial)

Organizations: CISA, FBI
Products & Tech: Google Workspace, Microsoft 365
Other: ShadowProxy

Full Report (when first published)

Executive Summary

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint cybersecurity advisory to warn of ShadowProxy, a potent Phishing-as-a-Service (PhaaS) platform. This service, sold via subscription on dark web forums, dramatically lowers the barrier to entry for sophisticated credential theft by providing all the necessary tools and infrastructure. ShadowProxy's most dangerous feature is its ability to defeat many common forms of multi-factor authentication (MFA). It achieves this by using an adversary-in-the-middle (AiTM) reverse proxy technique. This method allows the platform to intercept not just usernames and passwords, but also the valuable session cookie generated after a legitimate user successfully authenticates with their second factor. By stealing this cookie, attackers can bypass MFA entirely and hijack the user's authenticated session, gaining access to critical services like Microsoft 365 and Google Workspace.


Threat Overview

  • Threat: ShadowProxy Phishing-as-a-Service (PhaaS) platform.
  • Mechanism: Adversary-in-the-Middle (AiTM) reverse proxy.
  • Objective: Credential and session cookie theft to bypass MFA.
  • Targets: Users of major cloud services, primarily Microsoft 365 and Google Workspace.
  • Accessibility: Sold as a subscription service, making advanced phishing capabilities available to a broad range of threat actors, regardless of their technical skill.
  • Impact: Full compromise of user accounts, leading to data breaches, business email compromise (BEC), and further internal network compromise.

Technical Analysis

The ShadowProxy platform automates the complex AiTM attack flow:

  1. Phishing Email: The attacker, using ShadowProxy's tools, sends a phishing email to a target. The email contains a link that points to the ShadowProxy reverse proxy server instead of the legitimate service. (T1566.002 - Spearphishing Link)
  2. Reverse Proxy: When the victim clicks the link, their browser connects to the ShadowProxy server. The server forwards the request to the real login page (e.g., login.microsoftonline.com) and relays the genuine page back, so the victim sees the real login page's content while the address bar shows the attacker's domain.
  3. Credential Interception: The victim enters their username and password. The ShadowProxy proxy intercepts these credentials as they are passed through to the real site.
  4. MFA Interception: The legitimate site, having received valid credentials, prompts for MFA (e.g., an SMS code, authenticator app number). This prompt is passed through the proxy to the victim. The victim enters their MFA code.
  5. Session Cookie Theft: The proxy forwards the MFA code to the legitimate site. The site validates it and, in response, sends back a session cookie to establish an authenticated session. This is the critical step. The ShadowProxy server intercepts this session cookie before it reaches the victim's browser.
  6. Account Takeover: The attacker now has the victim's username, password, and, most importantly, the session cookie. They can inject this cookie into their own browser to access the victim's account without needing to re-authenticate or provide MFA. (T1539 - Steal Web Session Cookie)

This technique effectively bypasses MFA methods that are code or push-based, as the attacker is hijacking the final, authenticated session itself.


Impact Assessment

  • MFA Becomes Ineffective: The primary impact is that it renders many common MFA implementations useless, eroding the security of what is considered a foundational control.
  • Widespread Account Compromise: Enables large-scale takeover of corporate email and cloud accounts.
  • Business Email Compromise (BEC): Attackers can use hijacked email accounts to launch convincing BEC attacks, such as fraudulent wire transfer requests.
  • Data Exfiltration: Full access to cloud accounts (Microsoft 365, Google Workspace) means attackers can steal vast amounts of sensitive data from email, SharePoint, OneDrive, etc.
  • Downstream Attacks: A compromised account is often used as a beachhead to launch further attacks within the organization's network.

IOCs — Directly from Articles

The CISA advisory contains technical details and TTPs, but specific IOCs like domains and IPs used by ShadowProxy were not listed in the summary articles.


Cyber Observables — Hunting Hints

Detecting AiTM phishing requires looking for subtle clues and network-level indicators.

  • Type: url_pattern
    Value / Pattern: Typosquatted or lookalike domains in email links (e.g., login-microsft.com instead of login.microsoft.com).
    Description: The initial phishing link cannot be the real domain.
    Context: Email security gateway logs and user awareness.
    Confidence: high
  • Type: log_source
    Value / Pattern: Azure AD Sign-in Logs showing an authentication from an unexpected location or IP.
    Description: A successful session hijacking will result in the attacker's IP accessing the account.
    Context: Azure AD / Entra ID sign-in logs.
    Confidence: high
  • Type: other
    Value / Pattern: Mismatched session location and authentication location.
    Description: A sign-in log may show authentication from a known location (the victim) but subsequent activity from an anomalous location (the attacker).
    Context: SIEM correlation of sign-in logs.
    Confidence: high
  • Type: certificate_subject
    Value / Pattern: SSL certificates for phishing domains that try to mimic the target brand.
    Description: Attackers use valid SSL certs to make their sites look legitimate.
    Context: Certificate Transparency log monitoring.
    Confidence: medium

Detection & Response

Detection:

  • Conditional Access Policies: Configure Azure AD/Entra ID Conditional Access to flag or block sign-ins where properties don't match (e.g., IP address, device compliance). A session starting from a non-compliant device after a successful MFA prompt is a huge red flag.
  • Log Analysis: Actively monitor sign-in logs for impossible travel scenarios, sign-ins from anonymous proxy services, and other anomalies. (D3-UGLPA: User Geolocation Logon Pattern Analysis)
  • Enhanced Email Filtering: Use email security solutions that can analyze links at time-of-click to detect redirects to phishing sites.
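The "mismatched session location" hunting hint above and the log-analysis bullet here describe the same correlation: the victim's MFA-backed sign-in comes from one IP, the replayed session from another. The following Python is an added example (not from the advisory or any vendor tool) that runs that correlation over constructed sign-in records; the short field names are assumptions standing in for the corresponding Entra ID sign-in log fields.

```python
"""Hunt for hijacked sessions in Entra ID-style sign-in records.

Added example, not from the advisory. The record layout is a simplified,
constructed stand-in for Entra ID sign-in log fields (userPrincipalName,
createdDateTime, ipAddress, location, sessionId, isInteractive); the
short field names used here are assumptions."""
from datetime import datetime, timedelta

# Constructed sample: alice authenticates with MFA from GB, then her session is
# replayed from a different IP and country minutes later; bob's session is clean.
SAMPLE_LOGS = [
    {"user": "alice@example.test", "time": "2026-04-26T09:00:00", "ip": "203.0.113.10",
     "country": "GB", "session_id": "S1", "interactive": True, "mfa": True},
    {"user": "alice@example.test", "time": "2026-04-26T09:04:00", "ip": "198.51.100.7",
     "country": "NL", "session_id": "S1", "interactive": False, "mfa": False},
    {"user": "bob@example.test", "time": "2026-04-26T10:00:00", "ip": "203.0.113.20",
     "country": "GB", "session_id": "S2", "interactive": True, "mfa": True},
    {"user": "bob@example.test", "time": "2026-04-26T11:30:00", "ip": "203.0.113.20",
     "country": "GB", "session_id": "S2", "interactive": False, "mfa": False},
]


def find_session_mismatches(logs, window=timedelta(hours=24)):
    """Return one finding per session whose MFA-backed interactive sign-in and a
    later non-interactive reuse (token replay) come from different IPs within
    `window`. A country change is recorded but not required, since attackers
    often proxy through the victim's region."""
    anchors = {}    # session_id -> (time, interactive MFA sign-in record)
    findings = []
    for rec in sorted(logs, key=lambda r: r["time"]):
        t = datetime.fromisoformat(rec["time"])
        sid = rec["session_id"]
        if rec["interactive"] and rec["mfa"]:
            anchors[sid] = (t, rec)      # the victim's genuine authentication
            continue
        if sid not in anchors:
            continue
        t0, auth = anchors[sid]
        if t - t0 <= window and rec["ip"] != auth["ip"]:
            findings.append({
                "user": rec["user"], "session_id": sid,
                "auth_ip": auth["ip"], "reuse_ip": rec["ip"],
                "country_changed": rec["country"] != auth["country"],
                "minutes_after_mfa": int((t - t0).total_seconds() // 60),
            })
    return findings
```

In a SIEM the same logic maps to a join on session ID between interactive and non-interactive sign-in events; the IP comparison, not the country comparison, is the primary trigger.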

Response:

  • If a compromised session is detected, immediately initiate a 'sign-out all sessions' command for the affected user account.
  • Force a password reset for the user.
  • Investigate all activity performed by the attacker during the hijacked session.

Mitigation

The key to defeating AiTM attacks is to use MFA that is resistant to proxying.

  1. Phishing-Resistant MFA: This is the most critical mitigation. CISA and the FBI strongly recommend implementing phishing-resistant MFA. The authenticator cryptographically binds its response to the legitimate site's origin and to the device the user is on, so a challenge relayed through a proxy on a different domain yields no response the real site will accept. Examples include:
    • FIDO2/WebAuthn: Using hardware security keys (e.g., YubiKey) or platform authenticators (e.g., Windows Hello, Face ID/Touch ID).
    • Certificate-Based Authentication: Smart cards or device-based certificates.
  2. User Training: Educate users to be suspicious of login pages where the URL is not the correct, legitimate domain. Train them to inspect the address bar before entering credentials.
  3. Conditional Access Policies: Implement strict Conditional Access Policies that require logins to come from trusted, compliant, and managed devices. This can prevent a stolen session cookie from being used on an attacker's machine.
  4. Limit Session Lifetimes: Configure shorter session lifetimes to reduce the window of opportunity for an attacker to use a stolen cookie.
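To show concretely why a relayed challenge fails, here is an added example (not from the advisory or any FIDO library) that performs the relying-party side of a simplified WebAuthn assertion check. RP_ID, the allowed origins and the assertion builder are constructed stand-ins; signature verification is omitted and noted in the comments.

```python
"""Why phishing-resistant MFA survives an AiTM proxy: the relying party checks
that the assertion was produced for its own origin and RP ID.

Added example, not from the advisory or any vendor SDK. Simplified WebAuthn
'get' verification; a real RP also verifies the ECDSA signature over
authenticatorData || SHA-256(clientDataJSON), which is what stops a proxy from
rewriting the origin field after the fact."""
import base64, hashlib, json, os

RP_ID = "login.example.test"                    # constructed relying party
ALLOWED_ORIGINS = {"https://login.example.test"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_assertion(origin: str, challenge: bytes) -> dict:
    """Constructed stand-in for navigator.credentials.get(): the browser, not
    the page, stamps the origin it is really running on into clientDataJSON
    and derives the RP ID (and thus rpIdHash) from that origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    rp_id = origin.split("://", 1)[1]
    flags, sign_count = bytes([0x05]), (0).to_bytes(4, "big")   # UP + UV set
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + sign_count
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Return (ok, reason). Each check closes one AiTM avenue: challenge stops
    replay, origin rejects a lookalike domain, rpIdHash rejects a relayed RP."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')} is not the relying party"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    return True, "ok"

# Legitimate login: the browser is on the RP's own origin.
CHALLENGE = os.urandom(32)
DIRECT = verify_assertion(build_assertion("https://login.example.test", CHALLENGE), CHALLENGE)
# Proxied login: the victim's browser is really on the lookalike domain, so the
# assertion carries that origin and the genuine site rejects it.
PROXIED = verify_assertion(build_assertion("https://login-examp1e.test", CHALLENGE), CHALLENGE)
```

Contrast this with an OTP or push approval, which carries no origin at all and so is accepted regardless of which domain the victim typed it into.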

Timeline of Events

  1. April 26, 2026: CISA and the FBI issue a joint advisory warning about the ShadowProxy PhaaS platform.
  2. April 26, 2026: This article was published.

Article Updates

May 5, 2026

Severity increased

Microsoft details a large-scale AiTM phishing campaign targeting 35,000 users, bypassing MFA with 'code of conduct' lures. US healthcare, finance, and professional services impacted.

Microsoft Threat Intelligence has reported on a significant AiTM phishing campaign active from April 14-16, 2026, impacting 35,000 users across 13,000 organizations, primarily in the US healthcare, financial, and professional services sectors. The attackers used sophisticated 'code of conduct' themed lures, PDF attachments, and CAPTCHA to evade detection. This campaign highlights the real-world impact of AiTM techniques, stealing session tokens to bypass MFA. New hunting hints include Azure AD Event 50126 and headless browser patterns. Microsoft also noted a 146% surge in QR code phishing.



Article Author: Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags: AiTM, CISA, FBI, MFA, PhaaS, Phishing, Session Hijacking, ShadowProxy
