Black Hat Europe 2025 | Insights From Phishing-Resistant Authentication

Black Hat
Jun 16, 2026

Why It Matters

The study quantifies a previously hidden adversary-in-the-middle (AiTM) phishing risk: without phishing-resistant authentication, organizations face account compromises that their existing controls do not detect, with direct consequences for revenue and reputation.

Key Takeaways

  • Failed phishing-resistant authentication attempts are a reliable sensor for AiTM phishing that every pre-authentication control missed.
  • The study analyzed over 3 billion authentication events; on average 0.12% of organizations saw at least one AiTM event per month.
  • EvilProxy campaigns dominate, hosted on commercial cloud and VPS providers behind disposable, rotated domains.
  • Larger U.S. professional-services firms saw the highest rates of user engagement with the phishing pages.
  • Failed FastPass signals can feed incident response directly, from IP and domain blocking to SIEM enrichment.

Summary

At Black Hat Europe 2025, Okta researcher Fei Liu presented a methodology that treats failed phishing-resistant authentication attempts as a high-fidelity sensor for adversary-in-the-middle (AiTM) phishing. FastPass records a rejection whenever the origin of a sign-in request does not match the domain the credential is cryptographically bound to, which is exactly what happens when a user reaches the authenticator through a phishing proxy. By mining those domain-mismatch rejections, the team quantified a previously invisible threat vector across thousands of enterprises.

The analysis covered 26 months of data: over 3 billion authentication events, 44,000 mismatched request origins, and 190 confirmed malicious domains. After expert review, AI-assisted triage, and confirmation with affected customers, 170 EvilProxy origins accounted for 310 user-engagement incidents, which works out to an average of 0.12% of organizations experiencing at least one AiTM event each month. Every one of these attempts had already defeated the pre-authentication layers, and traditional MFA (push, OTP, SMS) would not have stopped them either, since the proxy relays the second factor along with the password; only the origin-bound, phishing-resistant mechanism did.

Key findings highlighted that attackers rely on commercial cloud and VPS providers (e.g., Akamai, DigitalOcean) and rotate disposable domains to evade detection. Larger U.S. professional-services firms were disproportionately targeted, and most of the affected login attempts involved Microsoft Office 365 applications. The research also showed that many organizations only discovered these events after Okta's notification, revealing a critical gap in existing security monitoring.

The implications are clear: enterprises must adopt phishing-resistant authentication, continuously monitor FastPass origin-mismatch failures, and integrate them into incident-response workflows for IP and domain blocking and SIEM enrichment. Because the methodology only counts attempts that reached an origin-bound authenticator, the figure is a conservative lower bound and likely understates the true prevalence, making this a compelling call to close a blind spot that could otherwise lead to costly account takeovers.
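As an added example, not code from the talk or from Okta, here is how a defender could apply the methodology described above on their own logs: apply the WebAuthn-style origin check that an origin-bound authenticator performs, keep only mismatch rejections whose origin lies outside the tenant's own domains (mismatches against unregistered internal hosts are configuration noise, the kind of benign origin the study's validation step had to weed out), and aggregate the rest per proxy host into a blocklist, a list of credential-exposed users, and SIEM enrichment records, as the closing recommendation calls for. The log schema, field names, hostnames and IP addresses are constructed assumptions for this example and do not describe any real product's log format.

```python
"""Added example (not code from the talk or from Okta): triage origin-mismatch
rejections from a phishing-resistant authenticator into AiTM indicators that
can feed IP/domain blocking and SIEM enrichment. The log schema, field names,
hostnames and addresses below are constructed assumptions for this example."""
import json
from urllib.parse import urlsplit

# Assumed: the registrable domains the tenant's sign-in credentials are bound to.
LEGIT_HOSTS = {"example.com", "example.okta.com"}

# Constructed sample log (JSON lines). Lines 1, 2 and 6 are users who reached the
# authenticator through a proxy on an attacker domain; line 3 is a mismatch
# against an unregistered host under our own domain (a misconfigured front end,
# not phishing); lines 4 and 5 are ordinary outcomes that must not be flagged.
SAMPLE_LOG = """\
{"time":"2025-03-02T09:14:11Z","event":"auth.phishing_resistant","outcome":"FAILURE","reason":"origin mismatch","user":"alice@example.com","client_ip":"203.0.113.45","request_origin":"https://login-example-com.evilhost.example","app":"Microsoft Office 365"}
{"time":"2025-03-02T09:15:40Z","event":"auth.phishing_resistant","outcome":"FAILURE","reason":"origin mismatch","user":"bob@example.com","client_ip":"203.0.113.45","request_origin":"https://login-example-com.evilhost.example","app":"Microsoft Office 365"}
{"time":"2025-03-03T17:02:05Z","event":"auth.phishing_resistant","outcome":"FAILURE","reason":"origin mismatch","user":"alice@example.com","client_ip":"198.51.100.7","request_origin":"https://sso-new.example.com","app":"Internal Portal"}
{"time":"2025-03-04T08:30:00Z","event":"auth.phishing_resistant","outcome":"FAILURE","reason":"user cancelled","user":"carol@example.com","client_ip":"192.0.2.9","request_origin":"https://example.okta.com","app":"Salesforce"}
{"time":"2025-03-04T11:45:19Z","event":"auth.phishing_resistant","outcome":"SUCCESS","reason":"","user":"dave@example.com","client_ip":"192.0.2.10","request_origin":"https://example.okta.com","app":"Microsoft Office 365"}
{"time":"2025-03-05T13:20:33Z","event":"auth.phishing_resistant","outcome":"FAILURE","reason":"origin mismatch","user":"erin@example.com","client_ip":"203.0.113.77","request_origin":"https://mfa-verify.cloudhost.example","app":"Microsoft Office 365"}
"""


def origin_host(origin: str) -> str:
    """Lower-cased hostname of a URL origin, "" if it cannot be parsed."""
    return (urlsplit(origin).hostname or "").lower().rstrip(".")


def origin_allowed(origin: str, allowed=LEGIT_HOSTS) -> bool:
    """WebAuthn-style relying-party check: the origin's host must equal a bound
    domain or be a subdomain of it. A proxy on attacker-controlled DNS fails this
    no matter how faithfully it clones the login page, which is the mismatch the
    authenticator records. A look-alike such as example.com.evil.example fails too."""
    host = origin_host(origin)
    return any(host == d or host.endswith("." + d) for d in allowed)


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_aitm_candidate(ev: dict, allowed=LEGIT_HOSTS) -> bool:
    """Only origin-mismatch failures whose origin is outside our own domains count;
    a mismatch against one of our own unregistered hosts is configuration noise."""
    return (ev.get("event") == "auth.phishing_resistant"
            and ev.get("outcome") == "FAILURE"
            and ev.get("reason") == "origin mismatch"
            and not origin_allowed(ev.get("request_origin", ""), allowed))


def build_indicators(events, allowed=LEGIT_HOSTS) -> dict:
    """Aggregate candidates per proxy host: engagement count, users, the client
    IPs the IdP saw (the proxy's egress addresses, since the proxy makes the
    request), targeted apps and the observation window. ISO-8601 UTC strings of
    identical format sort correctly as plain strings."""
    indicators = {}
    for ev in events:
        if not is_aitm_candidate(ev, allowed):
            continue
        host = origin_host(ev["request_origin"])
        rec = indicators.setdefault(host, {
            "events": 0, "users": set(), "ips": set(), "apps": set(),
            "first_seen": ev["time"], "last_seen": ev["time"]})
        rec["events"] += 1
        rec["users"].add(ev["user"])
        rec["ips"].add(ev["client_ip"])
        rec["apps"].add(ev["app"])
        rec["first_seen"] = min(rec["first_seen"], ev["time"])
        rec["last_seen"] = max(rec["last_seen"], ev["time"])
    return indicators


def blocklist(indicators: dict) -> dict:
    """Proxy hostnames and proxy egress IPs, ready for edge and DNS blocking."""
    return {"hosts": sorted(indicators),
            "ips": sorted(ip for rec in indicators.values() for ip in rec["ips"])}


def engaged_users(indicators: dict) -> set:
    """Users who reached the authenticator through a proxy. The authenticator
    refused the sign-in, but AiTM kits relay the password before that step, so
    treat these accounts as credential-exposed (reset, review active sessions)."""
    return set().union(*(rec["users"] for rec in indicators.values()))


def siem_records(indicators: dict) -> list:
    """One JSON-serialisable enrichment record per proxy host."""
    return [{"proxy_host": host,
             **{k: (sorted(v) if isinstance(v, set) else v) for k, v in rec.items()}}
            for host, rec in sorted(indicators.items())]


if __name__ == "__main__":
    ind = build_indicators(parse_events(SAMPLE_LOG))
    print(json.dumps({"blocklist": blocklist(ind),
                      "credential_exposed": sorted(engaged_users(ind)),
                      "siem": siem_records(ind)}, indent=2))
```

On the constructed sample this yields two proxy hosts, two proxy IPs, and three credential-exposed users, while the unregistered internal host and the ordinary failures drop out. In a real deployment the allowlist would be the set of domains actually registered with the authenticator, and the per-host records would be joined against hosting-provider and domain-age data to reproduce the infrastructure patterns the study reports.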

Original Description

How many phishing attempts bypass enterprise pre-authentication security, including email gateways, DNS filtering, SASE, SWG, browser security, and endpoint protection, to trick users into malicious logins? And how effectively do current security systems detect and respond to these? While general phishing trends are known, the true impact and organizational defense postures remain unclear.
Analyzing two years of phishing attempts stopped only by phishing-resistant authentication, we quantify a notable volume of attacks that bypass the pre-authentication security layers and successfully trick users. We then dive into events linked to AiTM campaigns using EvilProxy kits, dissecting their patterns across verticals and company sizes, identifying indicators of compromise, and tracking longitudinal trends. As part of our investigation, we also reached out to impacted organizations, with a notable number indicating they hadn't detected these attempts until our notifications.
This work provides crucial, data-driven evidence highlighting the importance of phishing-resistant authentication and exposing many organizations' often mediocre security postures. It transforms failed authentication into actionable threat intelligence, revealing and helping address organizations' actual security gaps.
By: Fei Liu | Principal Emerging Technology Researcher, Okta
