Tunnelling Proxies
Updated in 4.3.0
The proxy feature in Evilginx Pro lets you tunnel outbound traffic from the Evilginx server through external SOCKS5 or HTTP proxy servers. HTTP traffic that passes through the Evilginx reverse-proxy during a phishing session can be routed through an external proxy before reaching the destination website.
Why proxy traffic?
- Evade geolocation-based access controls - for example, Conditional Access policies on Entra ID tenants.
- Reduce CAPTCHA or fraud challenges - sign-in attempts from unusual countries may trigger CAPTCHAs; tunneling traffic through proxies located in the account's usual regions can help avoid those prompts.
Evilginx Pro lets you create multiple proxy-server configurations on a single server. Those configurations can be applied globally to the whole server, restricted to specific phishlets, or used only for particular lures.
Creating a Proxy
Ensure you are connected to the Evilginx Pro server before you begin.
To create and configure a new proxy you must know the IP address and port number of the SOCKS5/HTTP proxy server you want to use.
You can also set up an HTTP proxy, but it should only be used for local testing - for example, to proxy traffic through Burp Suite for troubleshooting.
Keep in mind that using HTTP proxies will prevent the JA4 client-signature spoofing feature from working, which is why HTTP proxies are not recommended for real engagements.
Create a SOCKS5 Proxy
To create a SOCKS5 proxy named myproxy, hosted on IP address 1.2.3.4 and listening on port 8000, type:
proxy create myproxy 1.2.3.4 8000
If the SOCKS5 proxy requires authentication, specify the credentials when creating the proxy:
proxy create myproxy 1.2.3.4 8000 my-username "the very complex password!"
Or set credentials afterwards:
proxy set myproxy username my-username
proxy set myproxy password "the very complex password!"
By default, every created proxy configuration will be SOCKS5. To switch a proxy to use HTTP (for local testing, e.g., with Burp Suite), change its type:
proxy set myproxy type http
Updating and Deleting a Proxy
To change any proxy settings, use the proxy set commands. For full syntax and available options, view the built-in help: help proxy.
To delete a proxy, run:
proxy delete myproxy
Deleting a proxy will also remove (unassign) it from any server-wide, phishlet, or lure assignments where it was used.
Using a Proxy
There are three scopes where a configured proxy can be applied:
- Global - tunnel all outbound connections from the server.
- Phishlet - tunnel outbound connections created by a specific phishlet.
- Lure - tunnel outbound connections created when a specific lure is triggered.
These options give you flexibility to choose when and where a particular proxy is used. Proxy precedence (highest to lowest) is:
- Lure
- Phishlet
- Global
For example, to make the default-1 proxy tunnel all outbound connections from the server:
config global_proxy default-1
To force the breakdev/ms365 phishlet to always tunnel outbound connections through the uk-1 proxy (hosted in the United Kingdom) to help evade Conditional Access protections:
phishlets set breakdev/ms365 proxy uk-1
If you need to target a single remote employee who signs in from Germany and you created a lure with ID 27 for them, set the de-1 proxy (hosted in Germany) to be used only when that lure is triggered:
lures set 27 proxy de-1
Because of the precedence rules, the lure proxy will override the phishlet proxy, which in turn overrides the global proxy.
As you can see, you can assign different proxies to phishlets or lures depending on the situation, giving you greater control over the attacker's source (origin) IP address during phishing engagements.
There is no need to restart the server after changing proxy configuration or enabling proxies for specific resources. Outbound connections that are already established will not be terminated and will continue using their existing connection method.
Disabling Proxies
To disable a proxy assignment for a specific scope, set that target to an empty string. Examples:
config global_proxy ""
phishlets set breakdev/ms365 proxy ""
lures set 27 proxy ""