What Is Adversary-in-the-Middle Phishing?
Adversary-in-the-Middle (AiTM) phishing is a sophisticated cyberattack in which threat actors position themselves between a user and a legitimate authentication service to intercept credentials and session tokens in real time. Unlike traditional credential harvesting phishing that relies on fake login pages, AiTM attacks use reverse proxy infrastructure to relay the user's authentication request to the legitimate service while capturing credentials, multi-factor authentication (MFA) codes, and session cookies as they are generated. The attacker then replays the captured session to gain unauthorized account access, effectively bypassing MFA protections.
How does adversary-in-the-middle phishing work?
AiTM phishing works by relaying the user's authentication session in real time. What sets it apart from traditional phishing is that it captures the authenticated session after MFA has already been validated.
Proxy deployment
The attacker sets up reverse proxy infrastructure, using open-source kits such as Evilginx or commercial PhaaS platforms such as EvilProxy and Tycoon 2FA, and positions it between the victim's browser and the legitimate authentication service.
Phishing delivery
The attacker sends a phishing email or message containing a link to a proxy-controlled domain that mimics the legitimate service, for example "m365-verify.com" instead of "microsoft.com."
Real-time session relay
The user enters a username and password into the attacker's proxy-hosted login form. The proxy immediately forwards the credentials to the legitimate service, such as Microsoft 365. The legitimate service validates the credentials and issues an MFA challenge. The user completes MFA, whether a TOTP code, a biometric, or a push notification. The MFA response is relayed back through the proxy to the legitimate service, which authenticates the proxy's connection. In the critical step, the proxy captures the resulting session cookie or token.
Account access
The attacker replays the captured session cookie to impersonate the legitimate user, gaining full account access without needing the password or MFA credentials.
Post-compromise activity
Attackers then create email forwarding rules, obtain administrative access, exfiltrate data, conduct Business Email Compromise (BEC), deploy ransomware, and move laterally.
Why it works
Session cookies are generated after MFA is satisfied, so replaying them bypasses MFA entirely. The user may not notice the interception if the proxy relays the legitimate responses quickly and accurately, and the attacker's login page looks identical to the legitimate service. Stolen session cookies that remain valid for hours or days give the attacker an extended access window.
Key technical distinction from traditional phishing
In traditional phishing, the user enters credentials, the attacker stores the password and attempts to log in later, and MFA blocks that login. In AiTM phishing, the user enters credentials, the attacker relays them to the real service, captures the live session token, and uses it immediately, which bypasses MFA.
How does adversary-in-the-middle phishing differ from other attacks?
| Aspect | AiTM Phishing | Traditional Credential Harvesting | Credential Stuffing | Session Hijacking |
|---|---|---|---|---|
| Mechanism | Reverse proxy intercepts live auth | Fake page collects credentials | Tests pre-harvested creds | Steals active session tokens |
| MFA Bypass | Yes—session cookie captured | No—blocked by MFA | No—blocked by MFA | Yes—reuses token |
| Detection difficulty | Very hard—legitimate traffic | Medium—phishing analysis | Medium—traffic patterns | Hard—legitimate sessions |
| Real-time requirement | Yes—must relay during auth | No—delayed use | No—batch testing | Yes—time-sensitive |
| Success rate | High (40–60%+) | Variable (0.1–4% if MFA) | 0.1–4% | Variable (depends on token TTL) |
| Attack timeline | Minutes (during auth) | Hours to weeks | Minutes to hours | Hours to weeks |
| Primary targets | Cloud services, SaaS | All services | All services | High-value accounts |
| Attacker skill/cost | High (proxy setup) | Low to Medium | Low to Medium | Medium to High |
According to Proofpoint's 2025, Microsoft's 2023, and the Canadian Centre for Cyber Security's 2025 guidance, AiTM phishing is the only phishing variant that effectively bypasses standard MFA, because it captures the session token after MFA is satisfied. The other variants are blocked by MFA because they cannot capture the MFA response in real time.
Why does adversary-in-the-middle phishing matter?
AiTM phishing has emerged as one of the most dangerous phishing variants, escalating rapidly in 2024-2025 and undermining the effectiveness of standard MFA implementations.
Prevalence and growth
AiTM attacks rose 146% over the course of 2024 and continued to escalate in 2025, according to Lab539 in 2024 and Microsoft threat data. In January 2025, AiTM infrastructure was over 30% above July 2024, the busiest month of 2024, and 50% above January 2024, according to Lab539 and Sekoia.io. The Veriff Identity Fraud Report 2025 recorded a 46% year-over-year surge in AiTM incidents in the finance and iGaming sectors. Over 1 million PhaaS (Phishing-as-a-Service) attacks were detected in the first few months of 2025, powered by platforms including Tycoon 2FA and EvilProxy, according to multiple sources in 2025.
Shift in attack tactics (2024-2025)
Traditional AiTM phishing using a direct reverse proxy is being replaced by proxy-based AiTM phishing, which is stealthier and harder to detect. By mid-2024, defenders were detecting many more such campaigns after adding detection capabilities, which correlated with a decline in detections of traditional AiTM. Between December 2024 and June 2025, proxy-based AiTM attacks accounted for 67 to 100% of AiTM infrastructure, according to Lab539 and Microsoft.
Dominant phishing kits (Q1 2025)
The most prevalent platforms in Q1 2025 were Tycoon 2FA (PhaaS platform), EvilProxy (PhaaS platform), Evilginx (open-source and still widespread), NakedPages (a specialized variant), Storm-1167 (APT-linked), and Sneaky 2FA (a newer variant), according to Sekoia.io, Lab539, and CrowdStrike threat intelligence in 2025.
Distribution method evolution
Threat actors shifted from QR codes in 2023-2024 to HTML attachments and SVG files for distributing AiTM phishing links in high-volume campaigns, according to Sekoia.io in 2025.
Business impact
Compromised accounts frequently lead to significant financial losses via Business Email Compromise (BEC) and ransomware attacks. The average cost of a breach involving account compromise is $4.88 million, according to the IBM Cost of a Data Breach Report 2024. AiTM phishing is increasingly used as the initial access vector for ransomware and data exfiltration campaigns.
What are the limitations of adversary-in-the-middle phishing?
Phishing-resistant MFA completely blocks AiTM
FIDO2 and WebAuthn credentials are cryptographically bound to the legitimate website's domain, so the attacker's proxy cannot obtain a valid cryptographic response for its fake domain and authentication fails entirely. Windows Hello for Business uses certificate-based authentication that is origin-bound and cannot be relayed or captured. Hardware security keys, including YubiKey and others, require physical interaction and only complete the handshake for the correct domain, so a fake domain fails the cryptographic handshake.
Only FIDO2, Windows Hello, and PKI-based authentication are protected against AiTM phishing; TOTP, SMS, and push notifications are not, according to NIST SP 800-63-4, Microsoft, and the Canadian Cyber Centre in 2025.
Detection and response capabilities
Authentication log analysis can detect impossible travel, such as logins from different countries seconds apart, unusual device fingerprints, and session cookie replay patterns. Behavioral analytics monitor for account access from unexpected locations or times, unusual email rules, and suspicious file access patterns. Network-based detection can identify reverse proxy traffic patterns, SSL certificate inconsistencies, and unusual TLS renegotiation. Email security can detect phishing emails with typosquatted domains, suspicious link redirects, and authentication bypass indicators. Threat intelligence tracks known AiTM kit infrastructure, including malicious proxy IP addresses, C2 domains, and hosting providers.
Attacker constraints
Session cookies have a finite lifetime, typically 8 to 24 hours, so the attacker must act quickly to exploit a captured session. If the organization implements conditional access with frequent MFA re-challenges, the attacker's session may be invalidated by a new MFA requirement. If the victim changes their password after the compromise, sessions are invalidated.
AiTM attacks require significant technical skill, infrastructure, and operational security, which puts them out of reach of low-skill attackers. The attacker must register spoofed domains and obtain SSL certificates for them, and security teams can monitor certificate transparency logs for typosquats.
How can organizations defend against adversary-in-the-middle phishing?
User and individual-level defenses
Enable phishing-resistant MFA using FIDO2 security keys such as YubiKey and Google Titan, Windows Hello, or passkeys, not TOTP, SMS, or push notifications, all of which can be bypassed via AiTM or social engineering. Verify the domain carefully by checking the browser URL bar during login and looking for subtle typos such as "0" instead of "O" or "rn" instead of "m."
Be suspicious of unexpected authentication prompts: if you receive MFA challenges or authentication requests you did not initiate, do not approve them, and contact IT immediately. Monitor account activity by regularly reviewing login history, active sessions, email forwarding rules, and connected apps or permissions. Avoid public Wi-Fi for authentication; use your home or work network or a VPN when logging into sensitive accounts to reduce exposure to MITM attacks. Report phishing immediately by reporting suspicious emails and login pages to the IT or security team, and do not click links in unsolicited messages.
Organization-level defenses
Enforce FIDO2/WebAuthn, Windows Hello, or hardware keys on all user accounts with no exceptions, because TOTP and SMS do not protect against AiTM, according to Microsoft's 2025, the Canadian Cyber Centre's 2025, and NIST SP 800-63-4 guidance. Prioritize the rollout for email, administrative accounts, privileged access, and cloud services including Microsoft 365, Google Workspace, and Okta. Target 100% of the user population within 12 months, with an interim goal of 80% by 6 months.
Require an MFA re-challenge for sensitive actions, including email rule creation, forwarding rule modification, and admin access. Implement step-up authentication for unusual activity, including a new device, a geographic anomaly, or impossible travel. Block logins from non-compliant devices or from outside the organization's IP ranges. Flag and challenge logins based on risk scoring that considers device, location, time, and user history, according to Microsoft Entra Conditional Access, Okta Policies, and Ping Identity guidance.
Monitor authentication logs for multiple failed authentication attempts followed by a success; session tokens created and used from different locations or devices; session reuse across different user agents or IP addresses; unusual email rule creation such as forwarding and delegation; and rapid account changes including password modification, recovery email changes, and MFA method changes. Deploy SIEM queries to detect session token reuse, impossible travel (authentication from geographically distant locations within seconds), and proxy-based authentication patterns. Deploy User and Entity Behavior Analytics (UEBA) to detect account anomalies, according to Sekoia.io, the Microsoft Security Blog, and Proofpoint in 2025.
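The session-reuse, impossible-travel and inbox-rule indicators above as a small detector run over constructed sign-in events. This is an added example, not any vendor's SIEM query; the JSON field names, the coordinates and the 1000 km/h threshold are assumptions.

```python
import json
import math
from datetime import datetime

MAX_SPEED_KMH = 1000  # anything faster than this between two events is treated as impossible travel

# Constructed sign-in events in a generic JSON-lines shape (not any vendor's real schema).
SAMPLE_LOG = """
{"ts":"2025-03-04T09:00:05Z","user":"alice","event":"signin","ip":"203.0.113.10","ua":"Edge/122 Windows","lat":51.5,"lon":-0.1,"session":"S-1001"}
{"ts":"2025-03-04T09:00:41Z","user":"alice","event":"session_use","ip":"198.51.100.77","ua":"Chrome/121 Linux","lat":52.2,"lon":21.0,"session":"S-1001"}
{"ts":"2025-03-04T09:02:10Z","user":"alice","event":"inbox_rule_created","ip":"198.51.100.77","ua":"Chrome/121 Linux","lat":52.2,"lon":21.0,"session":"S-1001"}
{"ts":"2025-03-04T10:15:00Z","user":"bob","event":"signin","ip":"192.0.2.5","ua":"Edge/122 Windows","lat":40.7,"lon":-74.0,"session":"S-2001"}
{"ts":"2025-03-04T12:15:00Z","user":"bob","event":"session_use","ip":"192.0.2.5","ua":"Edge/122 Windows","lat":40.7,"lon":-74.0,"session":"S-2001"}
"""


def parse(log_text):
    """Parse JSON lines, attach a datetime, and return the events in time order."""
    events = [json.loads(line) for line in log_text.strip().splitlines()]
    for e in events:
        e["t"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["t"])


def km_between(a, b):
    """Great-circle (haversine) distance between the coordinates of two events."""
    la1, lo1, la2, lo2 = map(math.radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))


def detect(log_text):
    """Return (rule, user, session, detail) findings for the indicators the article lists."""
    findings, minted, reused, last_by_user = [], {}, set(), {}
    for e in parse(log_text):
        sid, user = e["session"], e["user"]
        if e["event"] == "signin":
            minted[sid] = e  # remember the IP / user agent the session cookie was issued to
        elif sid in minted and sid not in reused and (e["ip"], e["ua"]) != (minted[sid]["ip"], minted[sid]["ua"]):
            reused.add(sid)  # the cookie is now presented by a different client: replay
            findings.append(("session_token_reuse", user, sid,
                             f"issued to {minted[sid]['ip']} ({minted[sid]['ua']}), used from {e['ip']} ({e['ua']})"))
        prev = last_by_user.get(user)
        if prev is not None:
            hours = (e["t"] - prev["t"]).total_seconds() / 3600
            dist = km_between(prev, e)
            if hours > 0 and dist / hours > MAX_SPEED_KMH:
                findings.append(("impossible_travel", user, sid, f"{dist:.0f} km in {hours * 60:.1f} min"))
        if e["event"] == "inbox_rule_created" and sid in minted and e["ip"] != minted[sid]["ip"]:
            findings.append(("inbox_rule_from_foreign_ip", user, sid, f"rule created from {e['ip']}"))
        last_by_user[user] = e
    return findings
```

Running `detect(SAMPLE_LOG)` yields three findings, all for alice's session S-1001, and nothing for bob, whose cookie is only ever used by the client it was issued to.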
Use advanced email filtering with domain reputation and typosquat detection; link rewriting or sandboxing to detect phishing redirects before the user clicks; DMARC, SPF, and DKIM enforcement to prevent email spoofing; and user security awareness training on AiTM phishing, domain verification, and MFA prompts.
Enforce short session token lifetimes (8 hours or less for sensitive services), require re-authentication for sensitive actions such as email forwarding, user creation, and permission changes, implement an absolute session timeout that forces re-login after N hours regardless of activity, and monitor for session cookie theft via dark web credential monitoring services such as SpyCloud and DeepStrike.
Monitor certificate transparency logs for typosquatted domains registered with look-alike names, use URL or DNS monitoring to detect lookalike domain registrations, and establish abuse reporting processes with domain registrars and hosting providers. Document AiTM response procedures covering detection, credential revocation, session termination, and notification; establish rapid credential rotation protocols for compromised accounts; coordinate with email security and cloud provider support for session termination; and enable forensic logging to determine the scope of a compromise, including which accounts were accessed and what data was exfiltrated, according to Invictus IR and Microsoft in 2025.
Technical solutions and vendors (2025)
Phishing-resistant MFA solutions include Yubico (FIDO2 security keys), Duo Security, Microsoft Authenticator (Windows Hello), Google Account (passkeys), 1Password, and Okta Verify (with FIDO2 support). Authentication and IAM platforms include Microsoft Entra ID, Okta, Ping Identity, and Auth0. Conditional access platforms include Azure AD Conditional Access, Okta Policies, and CrowdStrike Identity Protection. Email security solutions include Proofpoint, Barracuda Networks, Mimecast, and Microsoft Defender for Office 365. SIEM and detection platforms include Splunk, Elastic Security, CrowdStrike Falcon, and Microsoft Sentinel. Domain and certificate monitoring tools include Whois history tools, Certificate Transparency logs, and domain reputation services, according to Duo, the Canadian Cyber Centre, and Microsoft in 2025.
FAQs
How does AiTM phishing bypass MFA when traditional phishing cannot?
Traditional phishing captures the password but not the MFA response, so MFA blocks the login. AiTM phishing uses a reverse proxy to relay the user's MFA response to the legitimate service in real time, then captures the session cookie after MFA is satisfied. When the attacker replays the session cookie, they appear as an already-authenticated user, so MFA is never re-prompted. This is why only phishing-resistant MFA such as FIDO2 defeats AiTM: it prevents the proxy from generating a valid authentication response in the first place, according to Proofpoint's 2025 and the Microsoft Security Blog's 2023 guidance.
Can I detect if I've been targeted by an AiTM phishing attack?
If you completed MFA and then received a secondary authentication prompt, you may have been targeted, because AiTM attacks sometimes fail to relay perfectly. Check your account security logs for logins from unfamiliar locations or devices. Review email forwarding rules, connected apps, and recovery email addresses; if any have been changed without your action, your account was likely compromised. Enable phishing-resistant MFA and change your password immediately from a clean device, and contact your security team, according to Keepnet Labs and Microsoft in 2025.
What is the difference between AiTM phishing and MITM attacks on public Wi-Fi?
Both intercept traffic between you and a service. AiTM phishing uses a reverse proxy (attacker-controlled domain) to relay your authentication to the legitimate service. MITM on public Wi-Fi intercepts traffic at the network layer (attacker's network access point). AiTM works even on secure networks because it tricks you into connecting to the attacker's domain. MITM requires network-level access. Both are defeated by phishing-resistant MFA according to Canadian Cyber Centre's 2025 and Barracuda's 2025 guidance.
Is TOTP (authenticator app) protected against AiTM phishing?
No. TOTP codes are time-synchronized tokens that can be relayed through an AiTM proxy in real time. Even though TOTP is more secure than SMS, it does not protect against AiTM because the proxy can capture and forward the TOTP code during the authentication flow. Only FIDO2, Windows Hello, and hardware keys are protected, because they use cryptographic binding to the legitimate domain, according to NIST SP 800-63-4, Microsoft's 2025, and Swissbit's 2025 guidance.
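Why the relay succeeds for TOTP but fails for a passkey, covering both this answer and the origin-binding explanation under "Phishing-resistant MFA completely blocks AiTM", as an added toy model that is not code from the article or any vendor. The "signature" is an HMAC stand-in for the authenticator's ECDSA signature so it runs with the standard library only; the rpId, origins and field names are assumptions. What it preserves is the browser's rule that a credential is only usable on its rpId's domain and the relying party's check order (challenge, origin, rpIdHash, signature over authData || SHA256(clientData)).

```python
import hashlib
import hmac
import json
import secrets

LEGIT_RP_ID = "microsoft.com"                 # rpId the passkey was registered for (assumed)
LEGIT_ORIGIN = "https://login.microsoft.com"  # origin the relying party (RP) accepts (assumed)
PROXY_ORIGIN = "https://m365-verify.com"      # lookalike domain from the article's example
CRED_KEY = secrets.token_bytes(32)    # stand-in for the passkey's private key (HMAC, not ECDSA)
TOTP_SECRET = secrets.token_bytes(20)  # constructed shared secret enrolled in an authenticator app


def browser_get_assertion(page_origin, challenge):
    """Browser model: the credential is usable only on LEGIT_RP_ID or a subdomain, and
    clientData.origin is always the real page origin, never something the page chooses."""
    host = page_origin.split("://", 1)[1]
    if host != LEGIT_RP_ID and not host.endswith("." + LEGIT_RP_ID):
        return None  # no credential exists for m365-verify.com, so nothing is released
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(LEGIT_RP_ID.encode()).digest() + b"\x01\x00\x00\x00\x01"
    sig = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientData": client_data, "authData": auth_data, "sig": sig}


def rp_verify_webauthn(assertion, challenge):
    """Relying-party checks, simplified from the WebAuthn assertion verification procedure."""
    if assertion is None:
        return "no assertion"
    cd = json.loads(assertion["clientData"])
    if cd.get("challenge") != challenge:
        return "challenge mismatch"  # stops replay of an old assertion
    if cd.get("origin") != LEGIT_ORIGIN:
        return "origin mismatch"  # the origin binding a relay through a lookalike domain cannot satisfy
    if assertion["authData"][:32] != hashlib.sha256(LEGIT_RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    expected = hmac.new(CRED_KEY, assertion["authData"] + hashlib.sha256(assertion["clientData"]).digest(), hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, assertion["sig"]) else "bad signature"


def totp_code(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): nothing in the input depends on the page origin."""
    counter = int(unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def webauthn_login(page_origin):
    """RP issues a challenge; the proxy forwards it untouched to the victim's browser on page_origin."""
    challenge = secrets.token_urlsafe(16)
    return rp_verify_webauthn(browser_get_assertion(page_origin, challenge), challenge)


def totp_login(page_origin, unix_time=1_700_000_000):
    """The user types the app's code into whatever page they are on; page_origin is never consulted,
    which is exactly why a proxy can forward the code and the RP accepts it."""
    code_typed_by_user = totp_code(TOTP_SECRET, unix_time)
    return "ok" if hmac.compare_digest(code_typed_by_user, totp_code(TOTP_SECRET, unix_time)) else "bad code"
```

`webauthn_login(LEGIT_ORIGIN)` returns "ok" while `webauthn_login(PROXY_ORIGIN)` returns "no assertion", because the browser has no credential for the lookalike host; `totp_login(PROXY_ORIGIN)` returns "ok" regardless of where the code was typed.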
Should my organization prioritize FIDO2 rollout to all users or start with high-value accounts?
Start with phased rollout. Phase 1 (Immediate) includes email, administrative accounts, and cloud or SaaS admin access. Phase 2 (3 months) includes finance, HR, and executive leadership. Phase 3 (6 months) includes all customer-facing roles. Phase 4 (12 months) includes all users. This risk-based approach addresses highest-value targets first while building organizational capability and user familiarity. Target 80% adoption within 6 months and 100% within 12 months according to Microsoft's 2025, Canadian Cyber Centre's 2025, and WWPass's 2025 guidance.