Proxy
The proxy section lists the real hostnames the reverse proxy serves on behalf of the target. Each entry maps an original hostname (e.g. login.microsoftonline.com) to a phishing subdomain under the phishlet's main phishing domain.
Whenever the proxy sees one of these original hostnames inside proxied HTML, JavaScript, JSON, or HTTP headers, it rewrites it to the corresponding phishing hostname so links continue to flow through the proxy.
Shape
    proxy: {
      hosts: [
        { hostname: "login.microsoftonline.com" }
        { hostname: "aadcdn.msftauth.net", proxy_subdomain: "cdn-1" }
        { hostname: "events.upstream.example.com", port: 8443 }
      ]
    }
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| hostname | string | yes | — | The original hostname to intercept and proxy. Hostnames are lowercased internally. Supports ${param} substitution. |
| proxy_subdomain | string | no | first label of hostname | The subdomain prefix used to build the phishing hostname. With phishing domain phish.dom, a proxy_subdomain of login produces login.phish.dom. |
| port | int | no | 443 | The upstream TCP port the proxy connects to. |
Subdomain assignment rules
- Omitting proxy_subdomain uses the first label of hostname. For example, hostname: "akira.lab.evilginx.com" is served as akira.<phishing-domain> by default.
- Multiple hosts colliding on the same subdomain are resolved by auto-suffixing with a digit. If two entries both resolve to akira, the second becomes akira1, the third akira2, and so on.
- Explicitly setting an empty proxy_subdomain (proxy_subdomain: "") fails validation at load time with "`proxy_subdomain` cannot be empty". To use the default, omit the field entirely.
Generic prefixes like cdn-1, sso, or events keep phishing hostnames short and forgettable, which can reduce visual fingerprinting. They also conveniently group related CDN or telemetry hosts in the address bar.
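A detection sketch built on the default naming rules above, as an added example that is not part of the original page or the tool's own code: it scans DNS query names for an unfamiliar domain whose subdomain labels mirror the first labels of hostnames you protect, including the digit suffix used on collisions. The function names, the threshold, the two-label registrable-domain shortcut and the sample queries are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Hostnames the organisation signs in through (taken from the page's examples).
PROTECTED_HOSTS = ["login.microsoftonline.com", "aadcdn.msftauth.net"]
# Constructed threshold: distinct mirrored labels needed before a domain is flagged.
MIN_MIRRORED = 2


def registered_domain(host):
    """Assumption: the last two labels are the registrable domain (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def mirrored_label(host, protected=PROTECTED_HOSTS):
    """Return the protected first label that the query's first label mirrors, or None.

    Follows the default rule (first label of the original hostname),
    optionally followed by the digits appended to resolve collisions.
    """
    first = host.lower().split(".")[0]
    for original in protected:
        label = original.split(".")[0]
        if re.fullmatch(re.escape(label) + r"\d*", first):
            return label
    return None


def suspicious_domains(queries, protected=PROTECTED_HOSTS, threshold=MIN_MIRRORED):
    """Group queried names by registrable domain and flag look-alike label sets."""
    legit = {registered_domain(h) for h in protected}
    seen = defaultdict(set)
    for q in queries:
        domain = registered_domain(q)
        # Skip the genuine domains and bare registrable domains (no subdomain label).
        if domain in legit or q.lower().rstrip(".") == domain:
            continue
        label = mirrored_label(q, protected)
        if label:
            seen[domain].add(label)
    return {d: sorted(labels) for d, labels in seen.items() if len(labels) >= threshold}


# Constructed DNS query names (sample data, not from the page).
SAMPLE_QUERIES = ["login.microsoftonline.com", "aadcdn.msftauth.net", "login.phish.dom",
                  "aadcdn.phish.dom", "login.intranet.example", "www.phish.dom"]

if __name__ == "__main__":
    print(suspicious_domains(SAMPLE_QUERIES))
```

This heuristic only catches default naming; entries with an explicit proxy_subdomain such as cdn-1 do not mirror the original labels and need other signals.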
Effect
For every entry in hosts, the proxy will:
- Listen for HTTPS traffic at the generated phishing hostname.
- Forward each request to the original hostname on the configured port (default 443).
- Replace occurrences of the original hostname in proxied content with the phishing hostname, so subsequent requests stay on the proxy.
Hostnames are also used to compute the effective TLD+1 (e.g. microsoftonline.com) for domain-scoped cookie handling.
Example
A minimal lab phishlet for akira.lab.evilginx.com plus two sibling subdomains, parameterized by the lab domain:
    {
      landing_url: "https://akira.${lab-domain}/"
      params: [
        { name: "lab-domain", value: "lab.evilginx.com", required: true }
      ]
      proxy: {
        hosts: [
          { hostname: "akira.${lab-domain}" }
          { hostname: "bladerunner.${lab-domain}" }
          { hostname: "${lab-domain}", proxy_subdomain: "root" }
        ]
      }
    }
The third entry sets proxy_subdomain: "root" because ${lab-domain} has no subdomain prefix to copy from on its own.