
What is realtime phishing?

Realtime phishing, otherwise referred to as Man-in-the-Middle (MitM) phishing, is a type of novel phishing attack that tricks a victim into accessing a proxy server (a server that acts as an intermediary) controlled by an attacker. The proxy relays network traffic between the victim’s browser and the legitimate website. Essentially, to the victim, the realtime phishing proxy pretends to be the legitimate website, and to the legitimate website, the realtime phishing proxy pretends to be the legitimate user.

Diagram depicting a realtime phishing attack
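Because the proxy relays every victim's traffic to the legitimate website from its own address, one server-side signal is several distinct accounts logging in from a single source IP within a short window. The following is an added example, not code from the original article; the log format, window, threshold and the `known_egress` allowlist are assumptions, and shared NAT addresses produce the same pattern, which is why the allowlist exists.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful logins: timestamp, account, source IP.
# IPs are RFC 5737 documentation addresses; the format is an assumption.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z alice 198.51.100.10
2024-05-01T09:01:40Z bob 203.0.113.7
2024-05-01T09:02:10Z carol 203.0.113.7
2024-05-01T09:03:55Z dave 203.0.113.7
2024-05-01T09:30:00Z alice 198.51.100.10
2024-05-01T11:45:00Z erin 203.0.113.7
2024-05-01T12:00:00Z frank 192.0.2.44
2024-05-01T12:01:00Z grace 192.0.2.44
2024-05-01T12:02:00Z heidi 192.0.2.44
"""

def parse_events(text):
    """Parse log lines into time-ordered (datetime, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, ip = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip))
    return sorted(events)

def shared_source_alerts(events, window=timedelta(minutes=10), threshold=3,
                         known_egress=frozenset()):
    """Map each source IP to the accounts that logged in from it, for IPs where
    at least `threshold` distinct accounts appear inside one sliding `window`.
    IPs in `known_egress` (e.g. office NAT) are skipped."""
    by_ip = defaultdict(list)
    for ts, account, ip in events:
        if ip not in known_egress:
            by_ip[ip].append((ts, account))
    alerts = {}
    for ip, logins in by_ip.items():
        start = 0
        for end in range(len(logins)):
            while logins[end][0] - logins[start][0] > window:
                start += 1  # drop logins older than the window
            accounts = {acct for _, acct in logins[start:end + 1]}
            if len(accounts) >= threshold:
                alerts.setdefault(ip, set()).update(accounts)
    return {ip: sorted(accts) for ip, accts in alerts.items()}

if __name__ == "__main__":
    office_nat = frozenset({"192.0.2.44"})  # hypothetical allowlisted egress
    print(shared_source_alerts(parse_events(SAMPLE_LOG), known_egress=office_nat))
```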

The anatomy of a typical phishing attack

Phishing is a technique nearly as old as the internet itself. It gained a great deal of reputation in the late 90s as one of the most trivial tactics for gaining access to sensitive information and systems, or for committing the many forms of financial crime that we have come to know and defend against.

Phishing is often regarded as a stale and dated technique that has not evolved technologically. This is likely because attackers didn’t need to innovate much; after all, if it ain’t broke, don’t fix it. However, things are changing: improved end-user security awareness and the growing popularity of two-factor authentication (2FA) are giving rise to the emerging technique of realtime phishing. Realtime phishing enables attackers to run far more effective phishing campaigns that can bypass the vast majority of 2FA methods used today.

Historically, the most common way for cybercriminals to host a phishing page would be to serve a static phishing website through a phishing kit. This would typically either be hosted on a shady web server set up by the attackers themselves, or a legitimate web server that was compromised through another security vulnerability.

Phishing kits tend to provide a variety of pre-built static templates (similar to open source projects such as zphisher) that make it quick for cybercriminals to run phishing campaigns. However, attackers face several limitations with static phishing templates.

  • Functionality such as login, logout, and forgot password can be finicky and would require the attacker to recreate the functionality for each template;
  • Visual changes to the website being cloned need to be mirrored in the template shortly after for it to remain effective, something pretty important given how dynamic and personalized modern websites tend to be;
  • Increasing the number of phishing pages brings with it a noticeable maintenance overhead resulting in either broken templates or simply limited selection;
  • Bypassing and supporting two-factor authentication (2FA) and Single sign-on (SSO) becomes ever more difficult especially at any meaningful scale.

Taking a look at zphisher’s Google phishing kit, we can see several aesthetical differences.

Aesthetical differences between a phishing kit static template and the real website

The man in the middle

In response to the limitations with static phishing kits, the explosive growth of HTTPS (as a result of the success of Let’s Encrypt), and the rise in popularity of two-factor authentication (2FA), attackers are turning to realtime phishing as a much more effective phishing technique. The Threat Research team over at Microsoft summarizes the technique elegantly.

“One particular phishing campaign in 2019 took impersonation to the next level. Instead of attackers copying elements from the spoofed legitimate website, a man-in-the-middle component captured company-specific information like logos, banners, text, and background images from Microsoft’s rendering site.”

The quiet evolution of phishing, Office 365 Threat Research Team, Microsoft

Realtime phishing unlocks many benefits for attackers.

  • The phishing website’s functionality is identical to the target website, so the attacker no longer needs to implement the website’s functionality (for example login, logout, and forgot password flows);
  • If the target website changes its entire look and feel, the realtime phishing proxy will automatically reflect it;
  • Most importantly, an attacker can use realtime phishing to bypass two-factor authentication and Single sign-on.

Since building realtime phishing proxies is notoriously difficult to achieve and scale, attackers would typically make use of open-source realtime phishing proxies such as Evilginx. Having said this, if you’re looking to simulate realtime phishing attacks within your organization, you’re probably better off with an end-to-end phishing simulation solution.

To get a better idea of what this might look like, take a look at the following demo video of Phinn, our realtime phishing simulation proxy. In this example, we are simulating a realtime phishing attack on Microsoft Office 365 (although this could have been practically any other website). The victim in this realtime phishing simulation is going through a regular authentication flow as well as completing the two-factor authentication (2FA) process through the authenticator application residing on an entirely separate device. The look, feel and behavior are indistinguishable from the real login page–the only indication that this is not the real deal is the address in the browser’s URL bar.


Realtime phishing is a phishing technique that is much harder for end-users to spot and allows attackers to bypass security controls such as two-factor authentication (2FA) and Single sign-on (SSO) in many situations.

Is your organization ready to respond to realtime phishing attacks? Take PhishDeck for a spin and get started with out-of-the-box realtime phishing simulation in under two minutes.