Open source reports tracking and discussions with our peers led SEKOIA to uncover an infrastructure of more than 600 servers hosting phishing websites. Leveraging our tools and knowledge on cybercrime forums, SEKOIA analysts went a step further and analysed recents posts for phishing services to find a potential match with the retrieved infrastructure. At the same time, Resecurity published their report on this tool named “**EvilProxy**”. We published our analysis in the [FLINT 2022-049 report](https://app.sekoia.io/intelligence/objects/report--298d84b1-af7c-4f86-8434-f4a4e41cd585).  Our report complements Resecurity analysis and links recent public malicious campaigns to this tool. **Related sources:** - [\[Zscaler\] Large-Scale AiTM Attack targeting enterprise users of Microsoft email services](https://www.zscaler.com/blogs/security-research/large-scale-aitm-attack-targeting-enterprise-users-microsoft-email-services) - [\[GroupIB\] Roasting 0ktapus: The phishing campaign going after Okta identity credentials](https://blog.group-ib.com/0ktapus) - [\[Resecurity\] EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web](https://resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web)