Author
Yarin Zaddik, JFrog IR SecOps Engineer
Word count
1584
Language
English

Summary

Attackers use malicious proxy servers, known as Evil Proxies, that sit between the victim and a legitimate login page as a reverse proxy: every request and response is relayed to the real site, so the victim sees a genuine login flow (including the real MFA prompt) while the proxy records the submitted credentials and the session cookie the service issues once the second factor succeeds. Replaying that captured cookie in the attacker's own browser (the "Cookie Injection" step) yields a fully authenticated session, which is how these kits bypass two-factor authentication on services from major vendors such as GitHub, Apple, and Google. Some operators sell this capability as "Phishing-as-a-Service" (PhaaS), automating the crucial parts of a campaign so that little skill is needed to run one; the targets are credentials and session tokens, not passwords alone. Evil Proxies impersonate trusted services to deceive users into entering their login details, and open-source tools like evilginx2 demonstrate how effective the technique is. To counter these threats, the article recommends using identity-provider logs for threat detection (for example, a session that was established with MFA and is then used from a different IP address and client within minutes), monitoring network traffic for anomalies, and consulting Threat Intelligence sources to identify and block known phishing-proxy infrastructure. Protective measures such as conditional access, employee training, and the principle of least privilege limit what a stolen session can do. No single defense, MFA included, eliminates the threat; one caveat worth adding is that only phishing-resistant MFA bound to the site origin (FIDO2/WebAuthn) resists this particular proxying technique, since OTP codes and push approvals are relayed through the proxy just like the password.
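The identity-log detection the summary recommends, as an added example that is not part of the original article or of JFrog's tooling: a small Python script run over constructed sign-in log lines (not real data, and an assumed CSV layout rather than any particular IdP's export format) that flags a session used from a second IP address and User-Agent shortly after its MFA login, and cross-checks both IPs against a constructed threat-intel set standing in for a real feed. It also reflects one detail of how reverse-proxy kits show up in logs: the IdP records the login itself as coming from the proxy's IP, not the victim's, so the login source IP is worth checking against threat intelligence as well as the replay IP.

```python
"""
Detect post-MFA session-cookie replay, the signature of an evil-proxy
(adversary-in-the-middle) phishing kit, in identity-provider sign-in logs.

Heuristic: a session established with MFA from one (client IP, User-Agent)
pair is then used, within a short window, from a different IP *and* a
different User-Agent. The proxy relays the victim's login, captures the
post-MFA session cookie, and the attacker replays it from another machine,
so the same session id appears with two distinct client fingerprints.
"""
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not real data). Assumed layout:
# timestamp,user,event,session_id,client_ip,user_agent
SAMPLE_LOGS = [
    "2024-03-01T09:00:00Z,alice,login_mfa_ok,sess-1111,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Chrome/122",
    "2024-03-01T09:00:40Z,alice,api_call,sess-1111,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Chrome/122",
    "2024-03-01T09:03:12Z,alice,api_call,sess-1111,198.51.100.77,Mozilla/5.0 (X11; Linux x86_64) Firefox/123",
    "2024-03-01T09:10:00Z,bob,login_mfa_ok,sess-2222,192.0.2.5,Mozilla/5.0 (Macintosh) Safari/17",
    "2024-03-01T09:11:00Z,bob,api_call,sess-2222,192.0.2.5,Mozilla/5.0 (Macintosh) Safari/17",
]

# Constructed threat-intel set of IPs attributed to phishing proxies (an
# assumption standing in for a real feed). With a reverse-proxy kit the IdP
# sees the proxy's IP at login time, so 203.0.113.10 plays the proxy here.
KNOWN_PROXY_IPS = {"203.0.113.10"}

Event = namedtuple("Event", "ts user event session_id ip ua")


def parse_line(line: str) -> Event:
    """Parse one CSV log line; maxsplit keeps commas inside the User-Agent intact."""
    ts, user, event, sid, ip, ua = line.split(",", 5)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, sid, ip, ua)


def find_session_replays(lines, window=timedelta(minutes=30), threat_intel=KNOWN_PROXY_IPS):
    """Return one alert per session that is reused from a new IP and UA within `window`."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    origin = {}      # session_id -> first event seen for that session
    alerted = set()  # sessions already reported, to avoid duplicate alerts
    alerts = []
    for e in events:
        if e.session_id not in origin:
            origin[e.session_id] = e
            continue
        o = origin[e.session_id]
        if e.session_id in alerted:
            continue
        # Require both IP and UA to change: a NAT or mobile IP change alone is
        # common and would be noisy; a new browser on a new address minutes after
        # an MFA login is the cookie-replay pattern.
        if e.ip != o.ip and e.ua != o.ua and e.ts - o.ts <= window:
            alerted.add(e.session_id)
            alerts.append({
                "user": e.user,
                "session_id": e.session_id,
                "login_ip": o.ip,
                "replay_ip": e.ip,
                "seconds_after_login": int((e.ts - o.ts).total_seconds()),
                # Check both the login IP (likely the proxy) and the replay IP.
                "ips_on_threat_intel": sorted({o.ip, e.ip} & set(threat_intel)),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_LOGS):
        print(alert)
```

On the constructed input this reports alice's session: the login came from the proxy IP on the threat-intel list and the session was reused 192 seconds later from a different address and browser, while bob's session, used consistently from one client, produces nothing. In production the same logic would read the IdP's sign-in export and feed alerts into a response step such as revoking the session and forcing re-authentication.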