
What is adversary-in-the-Middle (AiTM) phishing?

Adversary-in-the-Middle (AiTM) phishing is an advanced phishing technique where attackers secretly position themselves between a user and a legitimate website to intercept credentials and session data in real time. According to Microsoft, “These attacks possess the capability to maneuver around the security measures of multifactor authentication (MFA) by leveraging reverse-proxy functionality.”


How does AiTM work?

According to The Hacker News, AiTM phishing tricks a user into logging in through an attacker’s system that sits between the victim and the real website. Because the attacker’s site acts as a proxy, the login looks and feels legitimate; however, everything the victim enters on this proxy page goes through the attacker first. The steps of the attack are as follows:

  • Proxy sits between user and real site: Attackers host a malicious domain that acts as a reverse web proxy. When a victim clicks on a phishing link, their browser talks to this middleman, which forwards each request to the legitimate website and returns the authentic response. The login pages and everything that follows therefore look genuine to the victim; only the address bar differs.
  • Real-time credential and token capture: Because the proxy relays every HTTP request and response, it sees everything the user enters, including the username, password, and MFA code, as well as the session cookie the legitimate site issues after authentication succeeds. The one-time code is consumed by the real site as usual; the session cookie is the prize.
  • Session takeover: Once a session token has been captured, the attacker can present it to the legitimate site and access the victim’s account without triggering another MFA challenge. Since session tokens often remain valid for days or weeks, the attacker can operate as if they were the legitimate user for as long as the session lasts.
  • Alternative AiTM variants (e.g., BitM): Some toolkits don’t proxy HTTP traffic at all. Browser-in-the-middle (BitM) techniques instead have the victim interact with a real browser running on attacker-controlled infrastructure, so the attacker harvests credentials and session tokens from that browser without presenting a cloned site.
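The relay described in the steps above, as an added example written for this article (it is not code from the article or from any phishing toolkit): an in-memory model of an AiTM proxy sitting between a victim and an identity provider, with hypothetical domains login.example.com and login-example.com and a made-up user. It shows why a relayed one-time code does not stop the attack (the proxy receives the session cookie either way and can replay it without a second MFA prompt) and, for contrast, why an origin-bound second factor does: the signed client data names the origin the browser actually connected to, so the real site rejects an assertion produced on the proxy's domain. HMAC with a per-credential key stands in for the FIDO2 public-key signature; nothing here touches the network.

```python
"""In-memory model of an AiTM reverse-proxy login and of an origin-bound check.
Example code written for this article; domains, users and secrets are made up."""
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://login.example.com"   # hypothetical real identity provider
PHISH_ORIGIN = "https://login-example.com"   # hypothetical attacker proxy domain


class IdentityProvider:
    """The real site. Issues a bearer session cookie after password + one-time code."""

    def __init__(self):
        self.users = {"alice": {"password": "correct horse", "totp": "492031"}}
        self.sessions = {}  # cookie value -> username

    def login(self, username, password, totp):
        user = self.users.get(username)
        if not user or user["password"] != password or user["totp"] != totp:
            return {"status": 401}
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return {"status": 302,
                "set_cookie": f"SESSION={cookie}; Domain=login.example.com; Secure; HttpOnly"}

    def resource(self, cookie_header):
        """Anyone presenting a valid cookie is the user; there is no second MFA prompt."""
        value = cookie_header.partition("=")[2]
        user = self.sessions.get(value)
        return {"status": 200, "user": user} if user else {"status": 401}


class AiTMProxy:
    """Attacker's reverse proxy: forwards the victim's form to the real IdP verbatim
    and records everything that passes through, including the Set-Cookie header."""

    def __init__(self, idp):
        self.idp = idp
        self.captured = {}

    def relay_login(self, form):
        self.captured["credentials"] = dict(form)
        resp = self.idp.login(form["username"], form["password"], form["totp"])
        if "set_cookie" in resp:
            self.captured["session_cookie"] = resp["set_cookie"]
            # Rewrite the cookie domain so the victim's browser accepts it for the phishing
            # host and their session keeps working; they see a normal, successful login.
            resp = dict(resp, set_cookie=resp["set_cookie"].replace(
                "login.example.com", "login-example.com"))
        return resp


def run_aitm_flow():
    """Victim logs in through the proxy; attacker replays the stolen cookie directly."""
    idp = IdentityProvider()
    proxy = AiTMProxy(idp)
    victim_resp = proxy.relay_login(
        {"username": "alice", "password": "correct horse", "totp": "492031"})
    cookie_pair = proxy.captured["session_cookie"].split(";", 1)[0]  # "SESSION=<value>"
    attacker_resp = idp.resource(cookie_pair)
    return victim_resp["status"], attacker_resp


class OriginBoundAuthenticator:
    """Stand-in for a FIDO2 security key: signs the challenge together with the origin
    the browser is actually talking to. HMAC with a per-credential key replaces the
    real public-key signature (a simplification for this example)."""

    def __init__(self, key):
        self.key = key

    def sign(self, challenge, browser_origin):
        client_data = f"{browser_origin}|{challenge}".encode()
        return client_data, hmac.new(self.key, client_data, hashlib.sha256).hexdigest()


def verify_assertion(key, expected_origin, challenge, client_data, signature):
    """The real site checks the signature, then that the signed origin is its own."""
    expected = hmac.new(key, client_data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False
    origin, _, got_challenge = client_data.decode().partition("|")
    return origin == expected_origin and got_challenge == challenge


def run_webauthn_flow(browser_origin):
    """Same proxy position, but the second factor is origin-bound. The proxy can forward
    client_data and signature unchanged; editing the origin would break the signature."""
    key = secrets.token_bytes(32)
    authenticator = OriginBoundAuthenticator(key)
    challenge = secrets.token_hex(8)
    client_data, signature = authenticator.sign(challenge, browser_origin)
    return verify_assertion(key, LEGIT_ORIGIN, challenge, client_data, signature)


if __name__ == "__main__":
    print(run_aitm_flow())                  # (302, {'status': 200, 'user': 'alice'})
    print(run_webauthn_flow(LEGIT_ORIGIN))  # True: genuine login
    print(run_webauthn_flow(PHISH_ORIGIN))  # False: assertion names the proxy's origin
```

The two flows differ only in the second factor. In the first, the proxy forwards the one-time code and the real site accepts it, so the attacker's replay of the cookie succeeds with no further prompt. In the second, the authenticator includes the origin it sees (the proxy's) in what it signs, and the proxy cannot change that field without invalidating the signature.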

Read more: Man-in-the-X attacks explained


Common sources of AiTM

According to The Hacker News, AiTM phishing attacks typically originate from organized cybercriminal groups that use readily available phishing toolkits and infrastructure to target cloud-based accounts at scale. These sources commonly include:

  • Cybercrime groups using phishing toolkits: Many AiTM attacks are launched using off-the-shelf or modified phishing frameworks that act as reverse proxies. These tools lower the technical barrier, allowing attackers to quickly deploy AiTM campaigns targeting services like Microsoft 365.
  • Malicious domains and lookalike websites: Attackers register domains that closely resemble legitimate brands or use compromised websites to host their AiTM infrastructure. These domains are often short-lived to avoid detection.
  • Email-based phishing campaigns: The primary delivery source is phishing emails that impersonate trusted organizations. These emails typically contain links that route victims through attacker-controlled proxy servers.
  • Cloud account–focused attack infrastructure: AiTM phishing is frequently aimed at cloud services, particularly enterprise identity platforms. Attackers build infrastructure specifically designed to intercept cloud authentication traffic and session cookies.
  • Browser-in-the-middle attack setups: Some AiTM campaigns originate from environments where attackers trick victims into interacting with attacker-controlled browser sessions, allowing credential and session theft without hosting a traditional phishing page.


Defending against AiTM

To defend against Adversary-in-the-Middle (AiTM) phishing attacks, Microsoft emphasizes the importance of advanced detection and response strategies that go beyond traditional email filtering, because these attacks can still bypass MFA by stealing session cookies and hijacking sessions. Microsoft recommends the following:


Monitor third-party network traffic

AiTM attacks often generate unusual network activity that can be detected by analyzing logs from security devices such as firewalls, secure web gateways, or network proxies. Correlating phishing alerts with this network data can help identify suspicious connections soon after a user clicks a phishing link.


Correlate signals from different sources

By linking phishing event data with user sign-in logs and network traffic, organizations can detect when a user interacts with a malicious site and then successfully authenticates to the real service, which is a strong sign of AiTM activity.


Detect risky sign-ins from unusual devices or locations

Identifying successful sign-ins that follow suspicious network behavior or originate from unfamiliar devices or geographic locations helps catch attackers using stolen credentials or session tokens.
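The three detections above (network monitoring, cross-source correlation, and risky sign-in grading) combined into one worked example, added here and not part of the article or of any vendor product. It runs over constructed sample records from three hypothetical sources: a mail-security "user clicked a flagged URL" alert, a secure web gateway log, and an identity-provider sign-in log. Field names and the thirty-minute window are assumptions. Note what the sign-in log shows in the AiTM case: the real site is contacted by the attacker's proxy, so the "successful" sign-in arrives from the proxy's IP and a browser the user has never used, seconds after the user touched the phishing domain.

```python
"""Correlate phishing-click alerts, web-gateway logs and sign-in logs to flag AiTM-style
logins. Example code for this article, with constructed sample records; field names are
assumptions, not any vendor's schema."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample telemetry (timestamps are UTC ISO-8601 strings).
PHISH_CLICKS = [  # e.g. a mail-security product's "user clicked a flagged URL" alert
    {"user": "alice", "ts": "2025-03-04T09:01:10", "host": "login-example.com"},
    {"user": "bob",   "ts": "2025-03-04T11:20:00", "host": "login-example.com"},
]
GATEWAY_LOG = [   # e.g. secure web gateway / firewall: who connected where
    {"user": "alice", "ts": "2025-03-04T09:01:12", "host": "login-example.com"},
    {"user": "alice", "ts": "2025-03-04T09:01:13", "host": "cdn.example.net"},
    {"user": "bob",   "ts": "2025-03-04T11:20:03", "host": "login-example.com"},
]
SIGNINS = [       # e.g. identity-provider sign-in log
    {"user": "alice", "ts": "2025-03-04T08:15:00", "result": "success",
     "ip": "198.51.100.7", "country": "US", "device_id": "dev-alice-laptop"},
    # With a reverse proxy the IdP sees the proxy's IP and a browser it has never seen,
    # not the victim's: that is what makes this sign-in look wrong.
    {"user": "alice", "ts": "2025-03-04T09:01:40", "result": "success",
     "ip": "203.0.113.5", "country": "NL", "device_id": "dev-unknown-9f2"},
    {"user": "bob",   "ts": "2025-03-04T13:00:00", "result": "success",
     "ip": "198.51.100.9", "country": "US", "device_id": "dev-bob-desktop"},
]
KNOWN_DEVICES = {"alice": {"dev-alice-laptop"}, "bob": {"dev-bob-desktop"}}
HOME_COUNTRIES = {"alice": "US", "bob": "US"}


@dataclass
class Finding:
    user: str
    signin_ts: datetime
    ip: str
    contacts: list = field(default_factory=list)  # phishing-site contacts before sign-in
    risk: list = field(default_factory=list)      # unfamiliar device / location signals

    @property
    def severity(self):
        # Phishing contact followed by a successful sign-in is "medium"; an unfamiliar
        # device or location on that sign-in raises it to "high".
        return "high" if self.risk else "medium"


def _ts(s):
    return datetime.fromisoformat(s)


def correlate(clicks, gateway_log, signins, known_devices, home_countries,
              window=timedelta(minutes=30)):
    """Flag a successful sign-in that occurs within `window` after the same user touched
    a known phishing host (per the click alert or the gateway log), then grade it."""
    phish_hosts = {c["host"] for c in clicks}
    contacts = {}  # user -> [(time, host, source)]
    for c in clicks:
        contacts.setdefault(c["user"], []).append((_ts(c["ts"]), c["host"], "phish-click"))
    for g in gateway_log:
        if g["host"] in phish_hosts:
            contacts.setdefault(g["user"], []).append((_ts(g["ts"]), g["host"], "gateway"))

    findings = []
    for s in signins:
        if s["result"] != "success":
            continue
        t = _ts(s["ts"])
        hits = [(ct, host, src) for ct, host, src in contacts.get(s["user"], [])
                if ct <= t <= ct + window]
        if not hits:
            continue
        f = Finding(s["user"], t, s["ip"])
        for ct, host, src in hits:
            f.contacts.append(f"{src}: {host} {int((t - ct).total_seconds())}s before sign-in")
        if s["device_id"] not in known_devices.get(s["user"], set()):
            f.risk.append(f"unfamiliar device {s['device_id']}")
        if s["country"] != home_countries.get(s["user"]):
            f.risk.append(f"sign-in from {s['country']} via {s['ip']}")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in correlate(PHISH_CLICKS, GATEWAY_LOG, SIGNINS, KNOWN_DEVICES, HOME_COUNTRIES):
        print(f.severity, f.user, f.signin_ts.isoformat(), f.contacts, f.risk)
```

On the sample data only alice's 09:01:40 sign-in is flagged: it follows her click and gateway hit by about thirty seconds, and it comes from an unknown device in a country she does not normally sign in from, so it is graded high. Bob clicked the same link but did not sign in within the window, so he produces nothing; widen the window and his later sign-in from his usual device is reported at medium, which is the point of keeping the correlation and the risk factors separate.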


Automate attack disruption

Once a potential AiTM compromise is detected, automated measures can be triggered to reduce risk. These measures can include disabling affected accounts, revoking active sessions, or enforcing credential resets in order to swiftly block attackers’ access.


Use automated response playbooks

Security teams can employ automated workflows to respond consistently to AiTM alerts. These playbooks can include actions like blocking malicious IP addresses, quarantining compromised devices, and notifying users to take corrective steps.

Together, these strategies enable organizations to detect AiTM phishing attacks earlier, reduce false alarms, and respond faster, preventing attackers from bypassing multifactor authentication and maintaining unauthorized access.



FAQs

What are common targets of AiTM phishing?

AiTM phishing often targets cloud services and enterprise accounts, such as email platforms, business collaboration tools, and other online services that require secure login.


Is multi-factor authentication still useful against AiTM phishing?

While MFA greatly improves security, AiTM phishing bypasses any factor that can be relayed: a one-time code, SMS code, or push approval is simply passed through to the real site, and the session token issued afterwards is what the attacker captures. Phishing-resistant MFA such as FIDO2/WebAuthn hardware security keys resists this because the authenticator signs the origin the browser is actually connected to, so an assertion produced on the attacker’s proxy domain is rejected by the real site.


What should users do if they suspect they have fallen victim to AiTM phishing?

Users should immediately report the incident, change their passwords, review recent account activity, and follow their organization’s incident response guidance. Because the attacker holds a session token rather than just the password, the organization should also revoke the account’s active sessions and refresh tokens; a password change alone does not necessarily invalidate a token the attacker has already captured.
