Understanding and Defending Against Adversary-in-the-Middle (AiTM) Phishing Attacks

  • OCTOBER 20TH, 2025
  • 2 min read

What is an Adversary-in-the-Middle (AiTM) Phishing Attack?

An AiTM phishing attack is a form of phishing in which the attacker places a reverse proxy between the victim and a legitimate service, usually its login page. The victim interacts with the real site, relayed through a domain the attacker controls, so every request and response passes through the attacker. Unlike a standard credential-harvesting page, an AiTM proxy also captures the session cookie that the real service issues after a successful login, including a login that completed Multi-Factor Authentication (MFA). That cookie lets the attacker hijack the authenticated session without ever touching the MFA factor. In mid-2022, Microsoft reported a widespread AiTM phishing campaign that targeted over 10,000 organisations worldwide.

The campaign's emails carried links to proxied copies of the Microsoft 365 sign-in page. Once users entered their credentials and completed MFA, the attackers captured the resulting session cookies, replayed them to get into the accounts without a second MFA prompt, and used the hijacked sessions to initiate fraudulent financial transactions.

How AiTM Phishing Works

  • Phishing Email or Link: The attacker sends a seemingly legitimate login link to the victim, typically via email. The link points at a domain the attacker controls, not at the real service.
  • Proxy Website: Clicking the link opens a reverse proxy that sits between the victim and the real website. It fetches the genuine login page and relays it, so the victim sees the real branding, the real MFA prompt and a valid padlock (for the attacker's domain).
  • Credential & Session Theft: The victim's username, password and MFA response are forwarded unchanged to the real service, which accepts them and returns a session cookie. The proxy reads that cookie as it passes back through, so the attacker now holds an authenticated session even though MFA was satisfied.
  • Account Takeover: The attacker loads the stolen cookie into their own browser and uses the session to impersonate the victim, with no further MFA prompt for as long as the session remains valid.
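The four steps above, walked through as an added, in-memory model (example code written for this page, not a tool from the advisory): a constructed identity provider with password plus single-use OTP, an attacker proxy on a look-alike domain, a victim who completes MFA through the proxy, and the attacker replaying what was captured. The domains, user and secrets are all made up.

```python
"""Toy model of an AiTM phishing proxy (added example, not from the advisory).

Everything is in-memory and constructed for illustration: no network traffic,
no real identity provider.  It shows why relayed MFA does not help: the OTP is
consumed by the real login, but the cookie that login produced is reusable.
"""
import hmac
import secrets

REAL_DOMAIN = "login.example.com"          # assumed legitimate identity provider
PROXY_DOMAIN = "login-example.com.evil"    # assumed attacker look-alike domain


class RealService:
    """Legitimate identity provider: password + single-use OTP, cookie sessions."""

    def __init__(self):
        self.users = {"alice": {"password": "hunter2", "otp": "123456"}}  # constructed
        self.used_otps = set()      # (user, otp) pairs already consumed
        self.sessions = {}          # cookie -> username

    def login(self, username, password, otp):
        """Return a fresh session cookie on success, else None."""
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(password, user["password"]):
            return None
        if (username, otp) in self.used_otps or not hmac.compare_digest(otp, user["otp"]):
            return None
        self.used_otps.add((username, otp))
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie

    def whoami(self, cookie):
        """Bearer semantics: whoever presents a valid cookie is that user."""
        return self.sessions.get(cookie)


class AitmProxy:
    """Step 2: relays the victim's login to the real service and keeps a copy."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured = {}          # username -> everything that passed through

    def handle_login(self, username, password, otp):
        # Step 3: the submission reaches the real service unchanged, so MFA
        # succeeds there, and the cookie in the reply passes back through us.
        cookie = self.upstream.login(username, password, otp)
        self.captured[username] = {"password": password, "otp": otp, "cookie": cookie}
        return cookie


def run_attack():
    """Walk through the steps and report what the attacker ends up with."""
    service = RealService()
    proxy = AitmProxy(service)

    # Step 1: the victim follows the link to PROXY_DOMAIN, sees the real login
    # page relayed by the proxy, and enters password and OTP as usual.
    victim_cookie = proxy.handle_login("alice", "hunter2", "123456")

    stolen = proxy.captured["alice"]
    # Replaying the captured password + OTP fails: the OTP was single-use.
    otp_replay = service.login("alice", stolen["password"], stolen["otp"])
    # Step 4: replaying the captured cookie works, with no MFA prompt at all.
    cookie_replay_user = service.whoami(stolen["cookie"])

    return {
        "victim_logged_in": victim_cookie is not None,
        "otp_replay_user": service.whoami(otp_replay) if otp_replay else None,
        "cookie_replay_user": cookie_replay_user,
    }


if __name__ == "__main__":
    print(run_attack())
```

The point the model makes is that the MFA factor is never "broken": it is spent legitimately by the proxied login, and the attacker's prize is the cookie that the login produced.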

Key Characteristics of AiTM Attacks

  • Bypasses Multi-Factor Authentication (MFA): One-time codes, push approvals and SMS are relayed to the real service by the proxy, so users with these MFA methods are still vulnerable. Only methods bound to the site's origin, such as FIDO2, resist this.
  • Often Highly Targeted: Frequently used in spear-phishing campaigns against executives or admins, although the same technique also runs at scale, as the 2022 campaign shows.
  • Difficult to Detect: The proxy serves the genuine page content over HTTPS with a valid TLS certificate for a legitimate-looking domain, so the usual cues (broken layout, missing padlock) are absent.

How to Protect Yourself

  • Inspect URLs Carefully: Hover over links before clicking, and check the domain in the address bar before entering credentials. Look for typos, strange domains, or unexpected redirects; the padlock only proves the connection is encrypted to whoever owns that domain.
  • Use Phishing-Resistant MFA: Prefer FIDO2 (security keys or passkeys) or certificate-based authentication. These credentials are bound to the legitimate site's origin: the browser and authenticator include the origin in what is signed, so a response collected on the proxy's domain does not verify against the real service. Codes, push approvals and SMS are not phishing-resistant because the proxy simply relays them.
  • Enable Conditional Access Policies: Organisations should configure sign-in policies that block or challenge unusual login behaviour (e.g., impossible travel, logins from Tor exit nodes or unmanaged devices). Because a stolen cookie replays an already-authenticated session, also keep session lifetimes short and revoke all of a user's sessions when compromise is suspected, not just the password.
  • Report Suspicious Emails: If you receive an email or link that seems off, report it to the relevant IT Security team immediately rather than clicking it. If you have already entered credentials, report that too, because the session (not only the password) must be revoked.
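Why the "phishing-resistant MFA" recommendation above actually holds against a proxy, as an added example written for this page (not a WebAuthn library and not code from the advisory). It models the two checks that matter: the browser only lets a page use a relying-party ID that matches the origin it is on, and the relying party verifies that the signed client data names its own origin. HMAC stands in for the authenticator's ECDSA signature; the domains and key are constructed.

```python
"""Origin-bound MFA (FIDO2/WebAuthn) versus an AiTM proxy (added example).

Toy model, not a WebAuthn implementation.  The authenticator signs a hash of
the relying-party ID plus the clientDataJSON the browser built, and that
client data records the origin the browser saw.  An assertion collected on
the proxy's domain therefore names the wrong origin and is rejected.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                                # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"              # assumed legitimate origin
PROXY_ORIGIN = "https://login-example.com.evil"      # assumed attacker origin
CRED_KEY = secrets.token_bytes(32)                   # stands in for the credential key pair


def browser_allows_rp_id(origin, rp_id):
    """Browser-side rule: rp_id must equal the origin's host or be a
    registrable suffix of it.  A page on the proxy domain cannot claim
    'example.com'."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def authenticator_sign(rp_id, origin, challenge):
    """What the security key signs: SHA-256(rp_id) followed by a hash of the
    clientDataJSON, which the browser filled in with the origin it saw."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(CRED_KEY, to_sign, hashlib.sha256).digest()}


def rp_verify(assertion, expected_challenge):
    """Relying-party checks, in the order a server would run them."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"        # the AiTM case is rejected here
    if not hmac.compare_digest(assertion["auth_data"],
                               hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CRED_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    return True, "ok"


def sign_in_via(origin):
    """Full round trip from a page on `origin`: the RP issues a challenge, the
    page asks for RP_ID, the browser enforces the origin rule, the key signs,
    and the RP verifies whatever comes back.  Returns (accepted, reason)."""
    challenge = secrets.token_urlsafe(16)
    # RP_ID is only usable from the real origin.  A proxy page has to fall
    # back to its own host, and the browser records that host as the origin.
    rp_id = RP_ID if browser_allows_rp_id(origin, RP_ID) else origin.split("://")[1]
    assertion = authenticator_sign(rp_id, origin, challenge)
    # The proxy forwards whatever it collected to the real relying party,
    # including the unmodified challenge.
    return rp_verify(assertion, challenge)


if __name__ == "__main__":
    print("legitimate:", sign_in_via(RP_ORIGIN))
    print("via proxy: ", sign_in_via(PROXY_ORIGIN))
```

Contrast this with a one-time code: the code is just a string that the proxy forwards, whereas here the origin is part of the signed message, and the proxy cannot change it without invalidating the signature.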
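For the conditional-access recommendation above, here is the impossible-travel check run over sign-in events, as an added example written for this page (not from the advisory and not a Microsoft 365 query). A replayed AiTM session shows up from the attacker's machine shortly after the victim's own login, so the same session is seen from two places nobody could travel between in the time available. The events, field names and speed threshold are constructed for the example.

```python
"""Detecting a replayed AiTM session in sign-in logs (added example).

The events below are constructed, not real identity-provider logs, and the
field names are assumed.  Each event is one use of a session (login or
token refresh) with the source IP geolocated to a latitude/longitude.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed events: alice's session is used from London and, 12 minutes
# later, from New York (the attacker).  bob's session moves at train speed.
EVENTS = [
    {"ts": "2025-10-20T08:02:11Z", "user": "alice", "session": "s1",
     "ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278},    # London, victim
    {"ts": "2025-10-20T08:14:40Z", "user": "alice", "session": "s1",
     "ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060},   # New York, attacker
    {"ts": "2025-10-20T09:00:00Z", "user": "bob", "session": "s2",
     "ip": "192.0.2.5", "lat": 48.8566, "lon": 2.3522},        # Paris
    {"ts": "2025-10-20T11:30:00Z", "user": "bob", "session": "s2",
     "ip": "192.0.2.99", "lat": 50.8503, "lon": 4.3517},       # Brussels, plausible
]

MAX_SPEED_KMH = 900.0   # roughly airliner speed; faster than this is "impossible"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert per pair of consecutive uses of the same session whose
    implied travel speed exceeds max_speed_kmh."""
    alerts = []
    by_session = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session.setdefault(e["session"], []).append(e)
    for session, uses in by_session.items():
        for prev, cur in zip(uses, uses[1:]):
            if prev["ip"] == cur["ip"]:
                continue                     # same address, nothing to explain
            t0 = datetime.fromisoformat(prev["ts"].replace("Z", "+00:00"))
            t1 = datetime.fromisoformat(cur["ts"].replace("Z", "+00:00"))
            hours = max((t1 - t0).total_seconds() / 3600.0, 1e-6)  # avoid divide-by-zero
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours
            if speed > max_speed_kmh:
                alerts.append({"user": cur["user"], "session": session,
                               "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "minutes": round(hours * 60),
                               "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(EVENTS):
        print(alert)
```

Keying on the session rather than only the user is what makes this fit the AiTM case: the attacker is not starting a new login, they are continuing the victim's. When an alert fires, the response is to revoke that session, not merely to reset the password.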
