Phishing is no longer limited to easily identifiable emails or links. Although those techniques are still in use, modern attacks are built to get past stronger controls such as two-factor authentication (2FA), typically by stealing the session cookie issued after a successful login rather than stopping at the password. This article looks at how these advanced phishing techniques work and what can be done to reduce their risk.
Traditional vs. Advanced Phishing
Traditional phishing focuses on stealing basic credentials such as usernames, passwords, or personal information. In order to do so, attackers impersonate an organization or individual, usually through emails or simple web forms.
Advanced phishing, however, relies on more sophisticated tools and techniques designed to bypass security controls and overcome basic user awareness training for identifying malicious emails and domains. These attacks specifically target:
Capturing one-time passwords (OTPs) and relaying them to the real site before they expire
Taking over an already authenticated session, so that neither the password nor the second factor has to be presented again
Unlike traditional phishing, which is primarily concerned with credential theft, advanced phishing also targets authenticated sessions. This is most commonly achieved through session cookie theft: the second factor was already satisfied when the session was created, so whoever holds the cookie gets in without ever touching 2FA.
What Are Session Cookies?
Session cookies are identifiers that a server sends to a user’s browser after successful authentication. They allow the application to maintain the user’s session state without requiring re-authentication for every request.
If an attacker manages to capture a session cookie, they can load it into their own browser and effectively impersonate the legitimate user, since the website assumes the session has already been authenticated.
As a result, many modern security strategies no longer focus solely on protecting credentials but also emphasize preventing session hijacking and cookie reuse.
Advanced Phishing Techniques
1. Real-Time Proxy Phishing (Man-in-the-Middle, also called Adversary-in-the-Middle or AitM)
This technique uses a reverse proxy under the attacker's control that sits between the victim and the legitimate website and relays traffic in both directions in real time.
How it works:
The attacker sends a link to a look-alike domain. The proxy fetches the real login page and serves it to the victim, so the page is identical to the genuine one; only the address bar differs.
When the victim enters their credentials and 2FA code, the proxy forwards them to the real website within the code's validity window and records the Set-Cookie header that comes back in the response.
The attacker then uses the captured cookie to access the account immediately, with 2FA already satisfied. Any factor that is just a value typed or approved by the user (TOTP, SMS codes, push approvals) can be relayed this way; only origin-bound authenticators such as FIDO2 resist it.
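The flow above, and the reason the FIDO2/WebAuthn recommendation in the mitigations section holds, as an added in-memory model (example code, not from the original article or any phishing kit). A password + TOTP login relayed through the proxy succeeds and the proxy ends up holding the session cookie; a WebAuthn-style login relayed the same way fails because the signed clientDataJSON names the proxy's origin. The hostnames, the demo TOTP counter, the user records and the HMAC stand-in for the authenticator's public-key signature are all assumptions made for the example.

```python
"""Added example, not code from the article: an in-memory model of real-time proxy
phishing.  A password + TOTP login relayed through the proxy succeeds and the proxy
keeps the session cookie; a WebAuthn-style login relayed the same way fails because
the signed clientDataJSON carries the proxy's origin.  Hosts, names and the HMAC
stand-in for the authenticator's public-key signature are illustrative assumptions."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example.com"     # assumed legitimate site
PROXY_ORIGIN = "https://login-example.com"    # assumed look-alike phishing host
DEMO_COUNTER = 56_000_000                     # a real server uses int(time.time() // 30)


def totp(secret, counter):
    """RFC 6238 six-digit code (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def sign_client_data(key, origin, challenge):
    """Authenticator side: sign a clientDataJSON naming the origin the browser saw."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    sig = hmac.new(key, hashlib.sha256(cdj.encode()).digest(), hashlib.sha256).digest()
    return cdj, sig


class LegitimateSite:
    def __init__(self):
        self.users = {"alice": {"password": "hunter2", "totp_secret": b"s" * 20,
                                "webauthn_key": b"k" * 32}}
        self.sessions = {}     # cookie -> user
        self.challenges = {}   # user -> pending WebAuthn challenge

    def _issue_cookie(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_totp(self, user, password, code, counter=DEMO_COUNTER):
        u = self.users.get(user)
        if not u or u["password"] != password or code != totp(u["totp_secret"], counter):
            return None
        return self._issue_cookie(user)   # the OTP says nothing about where it was typed

    def webauthn_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def login_webauthn(self, user, cdj, signature):
        u = self.users.get(user)
        expected = hmac.new(u["webauthn_key"], hashlib.sha256(cdj.encode()).digest(),
                            hashlib.sha256).digest()
        data = json.loads(cdj)
        if not hmac.compare_digest(expected, signature):
            return None
        if data.get("challenge") != self.challenges.pop(user, None):
            return None
        if data.get("origin") != REAL_ORIGIN:
            return None            # signed for the phishing origin: reject
        return self._issue_cookie(user)

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class PhishingProxy:
    """Relays the victim's submissions to the real site and keeps any cookie issued."""

    def __init__(self, site):
        self.site = site
        self.stolen_cookies = []

    def relay_totp(self, user, password, code):
        cookie = self.site.login_totp(user, password, code)
        if cookie:
            self.stolen_cookies.append(cookie)
        return cookie is not None

    def relay_webauthn(self, user, authenticator_key):
        challenge = self.site.webauthn_challenge(user)
        # The victim's browser is on PROXY_ORIGIN, so that is what gets signed.
        cdj, sig = sign_client_data(authenticator_key, PROXY_ORIGIN, challenge)
        cookie = self.site.login_webauthn(user, cdj, sig)
        if cookie:
            self.stolen_cookies.append(cookie)
        return cookie is not None


def run_scenario():
    site = LegitimateSite()
    proxy = PhishingProxy(site)
    victim = site.users["alice"]           # the victim's own secrets, used on their side
    totp_ok = proxy.relay_totp("alice", victim["password"], totp(victim["totp_secret"], DEMO_COUNTER))
    webauthn_ok = proxy.relay_webauthn("alice", victim["webauthn_key"])
    return {"totp_login_relayed": totp_ok,
            "attacker_acts_as": site.whoami(proxy.stolen_cookies[0]) if proxy.stolen_cookies else None,
            "webauthn_login_relayed": webauthn_ok,
            "cookies_stolen": len(proxy.stolen_cookies)}


if __name__ == "__main__":
    print(run_scenario())
```

The TOTP path goes through because the code is just a value; the site cannot tell whether it was typed on the real page or on the proxy. The WebAuthn path fails at the origin check: the browser, not the user, fills in the origin, and the authenticator signs it, so the relying party sees a signature over the wrong origin and rejects it.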
2. 2FA Approval Request “Fatigue” Attacks
This technique does not directly steal the 2FA code. Instead, it overwhelms the user with repeated approval requests. It primarily targets users who rely on push-based authentication methods, where a notification is sent to approve a login attempt.
The attacker first obtains the user’s credentials, typically through traditional phishing or info-stealing malware.
They then initiate multiple login attempts, triggering repeated “Approve Sign-In” notifications in the user’s 2FA application (e.g., Duo, Microsoft Authenticator).
The objective is to exploit user fatigue, causing the user, out of confusion or frustration, to approve one of the requests without careful consideration. Push products that add number matching (the user must type a number shown on the login screen into the app) blunt this, because a blind tap no longer completes the login.
Once a request is approved, the attacker is logged in and holds a valid session cookie, which can be reused later without repeating the authentication process. From the defender's side, the signature of this attack is a burst of push prompts for one user, most of them denied or timed out, sometimes ending in an approval.
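The detection logic that follows from the description above, as an added example (not code from the article or from any particular identity provider). It runs over a handful of constructed log lines in an assumed "timestamp user event source_ip" layout; the window and threshold are assumed policy values, and real exports will need their own parser.

```python
"""Added example, not from the article: flag MFA push fatigue from authentication logs.

SAMPLE_LOG is constructed for the example.  The field layout
(timestamp user event source_ip), the 10-minute window and the >3 prompt
threshold are assumptions; adapt them to the identity provider's export."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice PUSH_SENT 203.0.113.7
2024-05-01T08:00:02Z alice PUSH_DENIED 203.0.113.7
2024-05-01T08:00:40Z alice PUSH_SENT 203.0.113.7
2024-05-01T08:01:10Z alice PUSH_TIMEOUT 203.0.113.7
2024-05-01T08:01:15Z alice PUSH_SENT 203.0.113.7
2024-05-01T08:01:50Z alice PUSH_SENT 203.0.113.7
2024-05-01T08:02:05Z alice PUSH_APPROVED 203.0.113.7
2024-05-01T08:30:00Z bob PUSH_SENT 198.51.100.20
2024-05-01T08:30:08Z bob PUSH_APPROVED 198.51.100.20
"""

WINDOW = timedelta(minutes=10)
MAX_PUSHES = 3          # assumed: more than 3 prompts inside the window is suspicious


def parse(log_text):
    """Parse the constructed format into (timestamp, user, event, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_push_fatigue(log_text, window=WINDOW, max_pushes=MAX_PUSHES):
    """Return one alert per user whose prompts exceed max_pushes inside window.

    Each alert records how many prompts were denied or timed out and whether the
    burst ended in an approval, which is the case that needs immediate response
    (session revocation and credential reset)."""
    alerts = []
    by_user = defaultdict(list)
    for ts, user, event, ip in parse(log_text):
        by_user[user].append((ts, event, ip))
    for user, evs in by_user.items():
        sent = [ts for ts, ev, _ in evs if ev == "PUSH_SENT"]
        for start in sent:
            end = start + window
            burst = [t for t in sent if start <= t <= end]
            if len(burst) > max_pushes:
                denials = sum(1 for ts, ev, _ in evs
                              if ev in ("PUSH_DENIED", "PUSH_TIMEOUT") and start <= ts <= end)
                approved = any(ev == "PUSH_APPROVED" and start <= ts <= end
                               for ts, ev, _ in evs)
                alerts.append({"user": user, "pushes": len(burst),
                               "denied_or_timed_out": denials,
                               "approved_after_burst": approved,
                               "source_ips": sorted({ip for _, _, ip in evs})})
                break       # one alert per user burst is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

Alice trips the rule (four prompts in under two minutes, two rejected, then an approval); Bob's single prompt does not. In practice the rule should also fire on the source IP being unfamiliar for that user, and an alert with approved_after_burst set should revoke the sessions issued right after the approval.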
3. Browser-in-the-Browser (BitB) Attacks
This type of attack exploits the trust users place in the pop-up windows commonly used for Single Sign-On (SSO) authentication, such as Google or Microsoft logins.
Attackers use a combination of HTML, CSS, and JavaScript to draw a fake browser window, including a fake address bar, inside the page already open in the user's real browser.
The fake address bar shows a URL that looks legitimate, but the form underneath belongs to the attacker's page, so the credentials are submitted to the attacker. Two tells: the fake window cannot be dragged outside the real browser window, and the real address bar still shows the attacker's domain. An origin-bound FIDO2 credential is not exposed here either, since the browser reports the attacker's origin to the authenticator.
Other Vectors for Session Cookie Compromise
While phishing remains the most common attack vector, session cookies can also be compromised through other technical means:
Cross-Site Scripting (XSS): if the application is vulnerable to XSS, injected script can read document.cookie and exfiltrate any session cookie that lacks the HttpOnly attribute. A phishing link is often what delivers the payload.
Malware and info stealers: malicious software on the user's device reads the browser's cookie store directly from disk and sends it to the attacker. Cookie attributes do not help here, because the theft happens outside the browser's cookie policy.
These attack vectors highlight the importance of protecting session cookies not only from the user’s perspective, but also through secure application design and implementation.
Phishing as a Service (PhaaS)
In recent years, there has been significant growth in Phishing as a Service (PhaaS) offerings within underground markets. These platforms operate under a subscription model and allow malicious actors to launch phishing campaigns easily, without requiring advanced technical knowledge.
PhaaS kits and services often integrate advanced techniques such as real-time proxies, session cookie theft, and multi-factor authentication (MFA) bypass. As a result, they enable highly effective and scalable attacks, lowering the barrier to entry for cybercrime and amplifying the reach and impact of large-scale phishing campaigns.
Mitigation and Prevention Measures
For users
Use FIDO2/WebAuthn-based 2FA: Prefer FIDO2 authenticators (hardware keys such as YubiKey, or platform passkeys). The credential is bound to the site's origin, so an assertion produced on a proxy's look-alike domain is rejected by the real site; TOTP, SMS and push codes carry no such binding and can be relayed.
Carefully inspect URLs: Always verify the URL before entering any credentials, even if the site appears identical to the real one. On a proxy page the content is the real site's, so the address bar is the only reliable indicator, and a browser-in-the-browser page fakes even that; this check is necessary but not sufficient.
Keep software updated: Ensure that the browser, operating system and antivirus software are up to date to reduce the risk of cookie theft and other vulnerabilities.
Log out of active sessions: Make it a habit to log out of sensitive websites, especially on shared or public devices. Logging out invalidates the cookie server-side, which also limits the value of a copy taken earlier.
Use a password manager: Use a trusted password manager (e.g., Bitwarden, 1Password, KeePass) to generate and store strong, unique passwords for each site. Besides limiting credential reuse, a manager only autofills on the domain it saved the entry for, so a refusal to autofill on a look-alike domain is itself a warning sign.
For organizations
Implement phishing-resistant 2FA: Offer authentication based on WebAuthn or certificates (e.g., FIDO2, passkeys), which is resistant to relay attacks because the credential is bound to the origin. Where push approval remains, enable number matching.
Anomalous session monitoring: Monitor active sessions for unusual changes in geolocation, IP address or user agent, which may indicate session hijacking, and alert on bursts of push prompts that may indicate 2FA fatigue.
Use secure cookie attributes: Set HttpOnly (to mitigate XSS-based theft), Secure (HTTPS only), SameSite (not sent on cross-site requests) and the __Host- prefix (locks the cookie to the host and path). These attributes do not stop proxy phishing, because the proxy receives the Set-Cookie header just as a browser would, nor info stealers, which read the cookie store from disk.
Protect against cookie reuse: Bind session cookies to the device, browser or network context to reduce the risk of reuse by attackers. A cryptographic binding to a device key is the strong form; checking that the IP range and user agent stay consistent is a weaker heuristic that still catches a cookie replayed from the attacker's infrastructure.
Short session lifetimes and re-authentication for critical actions: Enforce short absolute session lifetimes and require re-authentication and/or 2FA for sensitive or high-risk actions, so that a stolen cookie alone does not reach them.
Continuous training: Conduct regular phishing simulations that include proxy-based attacks and raise awareness of 2FA fatigue techniques.
Enterprise password managers: Adopt enterprise-grade password managers that support centralized management, secure credential sharing and access auditing.
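The cookie attribute, context binding, session lifetime and step-up items above, combined into one server-side session store as an added example (not code from the article or from any framework). The class and function names are illustrative, and the binding policy (IP /24 prefix plus User-Agent) and the lifetimes are assumed values.

```python
"""Added example, not from the article: a session store that applies the mitigations
above: Secure/HttpOnly/SameSite/__Host- cookie attributes, binding the session to the
client context, a short absolute lifetime, and step-up re-authentication for
sensitive actions.  Names, the /24 + User-Agent binding policy and the lifetimes are
assumptions made for the example."""
import hashlib
import secrets
import time

SESSION_TTL = 8 * 3600        # assumed absolute lifetime: 8 hours
STEP_UP_MAX_AGE = 300         # assumed: sensitive actions need an auth within 5 minutes


def context_fingerprint(ip, user_agent):
    """Hash of the context a session is bound to.  Using the /24 prefix tolerates
    address churn inside one network while still catching a cookie replayed from
    an attacker's infrastructure."""
    prefix = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{prefix}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so the demo is deterministic
        self.sessions = {}
        self.alerts = []

    def create(self, user, ip, user_agent):
        sid = secrets.token_urlsafe(32)
        t = self.now()
        self.sessions[sid] = {"user": user, "fp": context_fingerprint(ip, user_agent),
                              "created": t, "last_auth": t, "ip": ip}
        return sid

    @staticmethod
    def set_cookie_header(sid):
        # HttpOnly: unreadable by script (XSS).  Secure: HTTPS only.
        # SameSite=Lax: not sent on cross-site POSTs.  __Host-: host and path locked.
        return (f"__Host-session={sid}; Path=/; Secure; HttpOnly; "
                f"SameSite=Lax; Max-Age={SESSION_TTL}")

    def resolve(self, sid, ip, user_agent):
        """Return the user for a presented cookie, or None if it has expired or was
        presented from a different context (in which case the session is revoked)."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.now() - s["created"] > SESSION_TTL:
            del self.sessions[sid]
            return None
        if context_fingerprint(ip, user_agent) != s["fp"]:
            self.alerts.append({"user": s["user"], "reason": "context_mismatch",
                                "bound_ip": s["ip"], "seen_ip": ip, "seen_ua": user_agent})
            del self.sessions[sid]       # revoke; the legitimate user logs in again
            return None
        return s["user"]

    def needs_step_up(self, sid):
        """True if a sensitive action must first re-authenticate (or 2FA) the user."""
        s = self.sessions.get(sid)
        return s is None or self.now() - s["last_auth"] > STEP_UP_MAX_AGE

    def record_reauth(self, sid):
        self.sessions[sid]["last_auth"] = self.now()


def demo():
    clock = [1_700_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
    sid = store.create("alice", "192.0.2.10", ua)
    same_net = store.resolve(sid, "192.0.2.44", ua)                 # same /24, same browser
    replay = store.resolve(sid, "203.0.113.9", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0")
    sid2 = store.create("bob", "198.51.100.5", ua)
    clock[0] += 600                                                  # 10 minutes later
    step_up = store.needs_step_up(sid2)
    store.record_reauth(sid2)
    return {"same_net_user": same_net, "replay_user": replay, "alerts": len(store.alerts),
            "step_up_required": step_up, "step_up_after_reauth": store.needs_step_up(sid2),
            "cookie": store.set_cookie_header("<id>")}


if __name__ == "__main__":
    print(demo())
```

The replayed cookie is refused and an alert is raised with both the bound and the observed context, while a request from the same network and browser still resolves. Context binding by IP and User-Agent is a heuristic: it breaks for users who roam between networks and it does nothing against malware running on the victim's own machine, which is why a cryptographic device binding is the stronger option where the platform supports it.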
Conclusion
Looking ahead, the threat posed by advanced phishing attacks is expected to keep growing. These attacks compromise even users who have two-factor authentication (2FA) enabled, and proxy-based variants do not depend on user carelessness, since the page the victim sees is the real one.
Adopting phishing-resistant authentication methods such as FIDO2 and passkeys, combined with ongoing vigilance and continuous education for both users and organizations, is essential to effectively mitigate these risks.