There is a new front door into the enterprise, and cybercriminals are walking through it with stolen sessions, not just stolen passwords.
For years, security teams told users to watch for fake login pages. The assumption was simple: if the attacker stole the password, multi-factor authentication (MFA) would still stop the attack. That assumption is collapsing.
Today’s more dangerous email account compromise often starts with proxy phishing, also known as adversary-in-the-middle phishing, where the attacker does not merely imitate the login page; they place a live proxy between the user and the real login service.
The victim thinks they are logging into Microsoft 365, Google Workspace, Coinbase, file share and other online services, credit unions and community banks, or another trusted service. In reality, every keystroke, redirect, MFA prompt (think of a one-time code sent by text message or email) and authentication response is temporarily passing through attacker-controlled infrastructure. The user enters the password, the real service asks for a one-time code, the user approves it, the attacker captures the session cookie or token, and steps into the account as if they were the legitimate user.
Threat actors are using this type of reverse proxy to intercept credentials and authentication tokens (think of the long string of digits that is in your web browser when you log in to your online services).

To make this easy, cybercriminals build tools that do it “out of the box.” One such tool is EvilProxy, a package cybercriminals can use to run this type of reverse proxy against legitimate login sessions and harvest valid session tokens that can bypass username, password, and two-factor authentication security.
That is why proxy phishing is so dangerous. It does not need to “break” MFA; it just rides through the front door with the user. And it is spreading fast. Industry reporting has tracked a major rise in phishing-as-a-service kits such as EvilProxy, Tycoon 2FA, and Sneaky 2FA, which put advanced MFA-bypass tactics into the hands of lower-skilled criminals. Industry reports cite millions of phishing-as-a-service attacks in 2025 alone, increasing in 2026, using tools including Tycoon 2FA, EvilProxy, and Sneaky 2FA.
Proxy phishing has moved from exotic to industrialized, with some industry data points indicating as much as a tenfold increase over the last year.
But the proxy phish is still only the opening act. Once the account is compromised, the real work begins…
The criminal does not always immediately launch the fake invoice or wire fraud. The smarter operator waits, reads, searches, learns the cadence of the business, studies who approves payments, who sends contracts, who signs documents, who trusts whom, which supplier conversations are active, which data room links matter, which files are sensitive, and which customer relationships can be weaponized.
This is the reconnaissance phase – quiet and patient. It is often invisible to endpoint tools because the attacker is no longer smashing through a perimeter. They are inside a trusted account, wearing a trusted identity, reading trusted content.
RAPTOR™ AI by RPost was built for this moment. RAPTOR™ AI Threat Intelligence focuses on the stage after the hook is in, but before the steal. RPost calls this PRE-Crime™ preemptive cybersecurity - finding the preparation phase early enough to disrupt the crime before the lure is launched. Most security tools wait for malware, suspicious endpoint behavior, credential theft, or a payment fraud event. Rocky looks at signals that occur much earlier - the reconnaissance phase.
This matters because modern email account compromise is not just an email problem; it becomes a content intelligence problem, and the compromised account becomes a surveillance post. From there, the attacker can observe email threads, shared files, eSignature workflows, document routing, supplier exchanges, customer communications, and data room access. These are the places where business trust lives. These are the places criminals mine before they strike.
RAPTOR AI looks across those communications, documents, transactions, file shares, forms, eSignatures, and content interactions to detect the faint signals that a criminal may be studying the organization. A single IP address may not tell the story. A language setting may not tell the story. A referrer pattern, browser artifact, geolocation mismatch, unusual timing pattern, or repeated access behavior may not tell the story alone. But together, they can form a fingerprint.
That is the difference between alerting and intelligence.
The RAPTOR AI Cyber Intelligence architecture is designed to preserve protocol-derived signals, enrich them with context, reason over relationships, reduce false positives, and then recursively hunt for hidden patterns that may indicate cybercriminal activity. The model is intended to reduce noise while also uncovering subtle recurring behaviors, such as unrelated VPS IP addresses sharing the same browser-language sequencing, repeated user-agent anomalies, common referrer structures, or hidden relationships across invoice, shipping, signature, and business email compromise reconnaissance activity.
That last part is critical. Proxy phishing gets the criminal into the account, while reconnaissance tells the criminal how to make the attack believable. RAPTOR AI is designed to identify the fingerprints of that reconnaissance before the fake invoice, before the fraudulent signature request, before the impersonated executive instruction, before the supplier payment change, and before the trap closes.
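The cross-signal correlation described above can be sketched in a few lines. This is an added example, not RPost's or RAPTOR AI's code: it groups access events by a combined fingerprint (browser-language sequence, user agent, referrer structure) and reports fingerprints reused from unrelated networks against several accounts. The event field names, the /24 network bucket, the thresholds and the sample events are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample events; field names, addresses and accounts are illustrative.
UA_A = "ExampleBrowser/1.0 (constructed)"
UA_B = "OtherBrowser/2.0 (constructed)"
EVENTS = [
    {"ip": "198.51.100.7", "account": "ap@corp.example", "ua": UA_A,
     "lang": "ru,en-US;q=0.9,en;q=0.8",
     "referrer": "https://share.example/room/docs?id=101&view=list"},
    {"ip": "203.0.113.44", "account": "cfo@corp.example", "ua": UA_A,
     "lang": "ru, en-US;q=0.8, en;q=0.5",
     "referrer": "https://share.example/room/docs?view=grid&id=202"},
    {"ip": "192.0.2.10", "account": "ap@corp.example", "ua": UA_B,
     "lang": "en-US,en;q=0.9", "referrer": "https://mail.example/inbox"},
    {"ip": "192.0.2.11", "account": "sales@corp.example", "ua": UA_B,
     "lang": "en-US,en;q=0.9", "referrer": "https://mail.example/inbox"},
]

def lang_sequence(accept_language):
    """Ordered language tags with q-values dropped."""
    parts = accept_language.split(",")
    return tuple(p.split(";")[0].strip().lower() for p in parts if p.strip())

def referrer_shape(referrer):
    """Host, path and sorted query keys; values are dropped to compare structure."""
    u = urlsplit(referrer)
    keys = sorted(k for k, _ in parse_qsl(u.query, keep_blank_values=True))
    return (u.hostname or "", u.path, tuple(keys))

def network(ip):
    """Coarse bucket for 'unrelated' addresses (assumption: /24 IPv4, /48 IPv6)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def shared_fingerprints(events, min_networks=2, min_accounts=2):
    """Fingerprints reused from several networks against several accounts."""
    groups = defaultdict(list)
    for e in events:
        fp = (lang_sequence(e["lang"]), e["ua"], referrer_shape(e["referrer"]))
        groups[fp].append(e)
    findings = []
    for fp, evs in groups.items():
        nets = sorted({network(e["ip"]) for e in evs})
        accounts = sorted({e["account"] for e in evs})
        if len(nets) >= min_networks and len(accounts) >= min_accounts:
            findings.append({"fingerprint": fp, "networks": nets,
                             "accounts": accounts, "events": len(evs)})
    return findings
```

On the sample data, the two events from different networks collapse into one finding even though their IP addresses, q-values and query values differ, while the two events from a single /24 are not reported.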
And this is where RPost’s content-centric approach becomes different. Endpoint security is essential, but the attacker’s most valuable intelligence often lives beyond the endpoint, in the flow of business content. Emails, attachments, shared links, forms, signed documents, delivery proofs, encrypted messages, and data room interactions are not just records. To a cybercriminal, they are a map.
RAPTOR AI studies that same map from the defender’s side. Once the RAPTOR AI Cyber Intelligence team identifies recurring forensic fingerprints, those patterns can be categorized and named by risk type, threat type, criminal objective, sophistication, and likely origin. This makes the intelligence operational.
Security teams do not need another generic warning that “something looks suspicious.” They need to know “what kind of threat behavior is emerging, what the attacker appears to be preparing, and where to intervene before the account compromise turns into a business compromise.”
This is why CIOs and CISOs are paying attention. RPost presented its RAPTOR AI PRE-Crime cybersecurity approach at the Gartner CIO Leadership Forum in February. The message is resonating because the threat has changed. The attacker is not only trying to break in; they’re trying to blend in, study, and strike with precision.
For teams attending the Gartner Security & Risk Management Conference on June 1-3, this is the conversation to have at the RPost Threat Intel and Vulnerability Management Village, booth #352:
How do you detect the recon after proxy phishing succeeds?
Proxy phishing is how they get in, reconnaissance is how they learn, and PRE-Crime is how RPost’s RAPTOR AI hunts them before they strike.
May 22, 2026