
AiTM

Adversary-in-the-Middle

Advanced phishing technique in which the attacker interposes a reverse proxy between the victim and the legitimate service (Microsoft 365, Google Workspace). The proxy relays the real login flow and captures the password AND the post-MFA session cookie in real time, so SMS, TOTP and push-based MFA are bypassed.

What an AiTM attack is

AiTM (Adversary-in-the-Middle) is the modern evolution of credential phishing. Instead of merely cloning a login page to steal a password, the attacker deploys a reverse proxy (often built on the open-source Evilginx framework) that:

  1. Serves the victim the real service's login page, relayed through the proxy under an attacker-controlled domain.
  2. Captures the username and password in transit and forwards them, so the legitimate service triggers its normal MFA prompt on the victim's phone.
  3. Once the victim completes MFA, intercepts the session cookie (or tokens) that the service returns through the proxy.
  4. Lets the attacker load that cookie into a browser on their own machine: they now hold a session in which MFA has already been satisfied, so no new MFA prompt fires and the service raises no dedicated alert.

Why it is dangerous

SMS codes, TOTP codes (Google Authenticator, Microsoft Authenticator), and push notifications with a simple "Approve" (number matching included, since the number is displayed to the victim through the same proxied page) are all bypassable by AiTM: whatever the user types or approves is relayed to the real service, and the proxy harvests the resulting session. Only cryptographic MFA bound to the origin (FIDO2 / WebAuthn, whether hardware security keys or passkeys) resists, because it verifies the identity of the server and not just the user: the browser writes the page's real origin into the signed client data and the authenticator signs the relying party ID, so an assertion produced on the proxy's domain is rejected by the legitimate service, and the browser will not even start the ceremony for a relying party ID that does not match the page origin.
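The origin binding described above, as an added illustration that is not part of the original page or of Hexceos tooling. It models the browser's rpId check and the relying party's verification of clientDataJSON origin and rpIdHash for a WebAuthn assertion (signature verification, also required in practice, is left out). The relying party ID, both origins and the challenge are constructed for the example; the attacker's proxy domain is assumed to be login.example-idp.com.evil.test.

```python
import base64
import hashlib
import json
from typing import Optional

RP_ID = "login.example-idp.com"                               # assumption: legitimate relying party ID
LEGIT_ORIGIN = "https://login.example-idp.com"
PROXY_ORIGIN = "https://login.example-idp.com.evil.test"       # assumption: attacker's AiTM proxy host
CHALLENGE = hashlib.sha256(b"constructed challenge").digest()  # constructed; a real RP uses random bytes


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def effective_domain(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


def browser_get_assertion(origin: str, requested_rp_id: str, challenge: bytes) -> Optional[dict]:
    """Model of navigator.credentials.get() in the browser.
    The browser refuses (SecurityError) unless the requested rpId equals the page's
    effective domain or is a registrable suffix of it, and it writes the page's real
    origin into clientDataJSON itself; script on the page cannot change that value.
    The authenticator then signs SHA-256(rpId) (first 32 bytes of authenticatorData)
    together with clientDataJSON; the signature itself is omitted in this model."""
    domain = effective_domain(origin)
    if not (domain == requested_rp_id or domain.endswith("." + requested_rp_id)):
        return None
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    return {"clientDataJSON": json.dumps(client_data).encode(), "authenticatorData": auth_data}


def rp_verify(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks (a subset of the WebAuthn assertion verification steps)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != LEGIT_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def legitimate_login() -> tuple:
    return rp_verify(browser_get_assertion(LEGIT_ORIGIN, RP_ID, CHALLENGE), CHALLENGE)


def aitm_login_relayed_rpid() -> tuple:
    """The proxy forwards the IdP's options untouched: the victim's browser is on the
    proxy origin, rpId is not a suffix of it, and the ceremony never starts."""
    assertion = browser_get_assertion(PROXY_ORIGIN, RP_ID, CHALLENGE)
    if assertion is None:
        return False, "browser refused: rpId is not a registrable suffix of the page origin"
    return rp_verify(assertion, CHALLENGE)


def aitm_login_rewritten_rpid() -> tuple:
    """The proxy rewrites rpId to its own domain so the ceremony runs, then relays the
    assertion to the real IdP, which rejects it on origin (and rpIdHash)."""
    assertion = browser_get_assertion(PROXY_ORIGIN, effective_domain(PROXY_ORIGIN), CHALLENGE)
    return rp_verify(assertion, CHALLENGE)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("AiTM, rpId relayed:", aitm_login_relayed_rpid())
    print("AiTM, rpId rewritten:", aitm_login_rewritten_rpid())
```

Because the authenticator's signature covers clientDataJSON, the proxy cannot patch the origin field after the fact; this is the property that distinguishes FIDO2 from a relayed TOTP code, which carries no information about where it was typed.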

Indicators of compromise

  • A non-interactive sign-in that reuses the session (same session ID or refresh token) from a new IP address, ASN or country within minutes of the victim's interactive, MFA-satisfied sign-in.
  • Creation of inbox rules designed to go unnoticed (move to RSS Feeds, Archive or Deleted Items, mark as read, delete), often with a short or empty name and created from the attacker's IP rather than the user's usual client.
  • OAuth application consents or tokens issued without a matching interactive sign-in by the user.
  • An MFA method disabled, or a new factor (phone number, authenticator app, key) registered shortly after the suspicious sign-in.
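The first two indicators above, turned into detection logic run over a constructed log sample. This is an added example, not code from the page or from Hexceos Sentinel; the JSON field names and the six events are this example's own, flattened from what a sign-in log and a mailbox audit log would carry, and the 30-minute reuse window and the list of "hiding" folders are assumptions to tune per tenant.

```python
import json
from datetime import datetime, timedelta

# Constructed sample: one vendor-neutral JSON line per event, already time-ordered.
# a.martin is the AiTM victim; b.dupont is a benign user with a normal inbox rule.
SAMPLE_LINES = """
{"ts":"2026-05-12T08:02:11Z","op":"SignIn","user":"a.martin@example.test","session_id":"s-7f3a","ip":"203.0.113.10","country":"FR","interactive":true,"mfa":"satisfied"}
{"ts":"2026-05-12T08:02:40Z","op":"SignIn","user":"a.martin@example.test","session_id":"s-7f3a","ip":"198.51.100.77","country":"NG","interactive":false,"mfa":"satisfied_by_claim"}
{"ts":"2026-05-12T08:09:03Z","op":"New-InboxRule","user":"a.martin@example.test","ip":"198.51.100.77","rule_name":".","move_to":"RSS Feeds","mark_read":true,"client":"REST"}
{"ts":"2026-05-12T08:15:20Z","op":"SignIn","user":"b.dupont@example.test","session_id":"s-11c2","ip":"203.0.113.10","country":"FR","interactive":true,"mfa":"satisfied"}
{"ts":"2026-05-12T08:16:02Z","op":"SignIn","user":"b.dupont@example.test","session_id":"s-11c2","ip":"203.0.113.10","country":"FR","interactive":false,"mfa":"satisfied_by_claim"}
{"ts":"2026-05-12T08:20:45Z","op":"New-InboxRule","user":"b.dupont@example.test","ip":"203.0.113.10","rule_name":"Project Atlas","move_to":"Projects","mark_read":false,"client":"Outlook"}
""".strip().splitlines()

# Assumptions: folders nobody reads, and how long after the interactive sign-in a
# cookie replay is expected to show up.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items", "junk email", "conversation history"}
REUSE_WINDOW = timedelta(minutes=30)


def parse(lines):
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_reuse(events):
    """Flag a session opened interactively (password + MFA) and then used without
    interaction from another IP or country inside REUSE_WINDOW: the replayed cookie."""
    findings = []
    first_seen = {}
    for ev in events:
        if ev["op"] != "SignIn":
            continue
        sid = ev["session_id"]
        if ev["interactive"]:
            first_seen.setdefault(sid, ev)
            continue
        origin = first_seen.get(sid)
        if origin is None:
            continue
        moved = ev["ip"] != origin["ip"] or ev["country"] != origin["country"]
        if moved and ev["ts"] - origin["ts"] <= REUSE_WINDOW:
            findings.append({"rule": "session_token_reuse", "user": ev["user"], "session_id": sid,
                             "from": f'{origin["ip"]}/{origin["country"]}', "to": f'{ev["ip"]}/{ev["country"]}'})
    return findings


def detect_hidden_inbox_rules(events):
    """Flag inbox rules that hide mail: move to a folder nobody reads, delete, or a
    throwaway name combined with mark-as-read."""
    findings = []
    for ev in events:
        if ev["op"] != "New-InboxRule":
            continue
        folder = (ev.get("move_to") or "").lower()
        hides = folder in HIDING_FOLDERS or bool(ev.get("delete", False))
        throwaway = len(ev.get("rule_name", "").strip(". ")) <= 1
        if hides or (throwaway and ev.get("mark_read")):
            findings.append({"rule": "hidden_inbox_rule", "user": ev["user"], "ip": ev["ip"],
                             "rule_name": ev.get("rule_name"), "move_to": ev.get("move_to")})
    return findings


def run(lines):
    """Run both detections and link inbox rules to the IP that replayed a session."""
    events = parse(lines)
    reuse = detect_session_reuse(events)
    rules = detect_hidden_inbox_rules(events)
    replay_ips = {f["to"].split("/")[0] for f in reuse}
    for f in rules:
        f["linked_to_replayed_session"] = f["ip"] in replay_ips
    return reuse + rules


if __name__ == "__main__":
    for finding in run(SAMPLE_LINES):
        print(finding)
```

The useful pivot is the link between the two findings: the rule is created from the same IP that replayed the cookie, a few minutes later, which is the usual BEC sequence and is what separates a real AiTM compromise from a user who simply travelled.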

How to protect against it

  • Phishing-resistant MFA (FIDO2 / WebAuthn) made mandatory, starting with privileged accounts. See MFA.
  • Conditional Access on device posture (compliant or joined device), location and user or sign-in risk, so that a replayed cookie presented from an unmanaged device or an unexpected location is refused or re-challenged.
  • Token Protection when available (Microsoft, Okta), which binds the session token to the device it was issued to, so a cookie lifted by the proxy is useless from the attacker's machine.
  • EDR/XDR monitoring of sessions and of inbox-rule creation outside the normal client UI; see Hexceos Sentinel.
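The cookie relay from the attack flow (steps 1 to 4 above) next to the token-binding defence from the last list, as one added simulation; it is not code from the page, from Evilginx or from any vendor's token-protection feature. An in-memory identity provider, a proxy that merely forwards and records, and an attacker who replays what the proxy recorded are all constructed for the example; the proof of possession uses HMAC with a key registered at device enrolment as a stand-in for the asymmetric device key that real implementations (DPoP, Entra Token Protection) use, because the standard library has no asymmetric signing.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed credentials; no real account.
USERNAME, PASSWORD, TOTP = "victim@example.test", "correct-horse-battery", "246810"


def _proof(key: bytes, session_id: str, path: str, nonce: str) -> str:
    """Per-request proof of possession over session, path and a one-time nonce.
    Assumption: HMAC stands in for a signature with an asymmetric device key."""
    return hmac.new(key, f"{session_id}|{path}|{nonce}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self) -> None:
        self.bearer_sessions = {}   # cookie -> user: whoever presents it is logged in
        self.bound_sessions = {}    # session id -> (user, device key)
        self.device_keys = {}       # registered at device join, before any phishing, not via the proxy
        self.used_nonces = set()

    def register_device(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self.device_keys[user] = key
        return key

    def _credentials_ok(self, user: str, password: str, totp: str) -> bool:
        return (user, password, totp) == (USERNAME, PASSWORD, TOTP)  # password and MFA both verified

    def login(self, user: str, password: str, totp: str) -> Optional[str]:
        if not self._credentials_ok(user, password, totp):
            return None
        cookie = secrets.token_urlsafe(24)
        self.bearer_sessions[cookie] = user
        return cookie

    def resource(self, cookie: str) -> Optional[str]:
        user = self.bearer_sessions.get(cookie)
        return None if user is None else f"mailbox of {user}"

    def login_bound(self, user: str, password: str, totp: str) -> Optional[str]:
        if not self._credentials_ok(user, password, totp) or user not in self.device_keys:
            return None
        sid = secrets.token_urlsafe(24)
        self.bound_sessions[sid] = (user, self.device_keys[user])
        return sid

    def resource_bound(self, sid: str, path: str, nonce: str, proof: str) -> Optional[str]:
        entry = self.bound_sessions.get(sid)
        if entry is None or nonce in self.used_nonces:
            return None
        user, key = entry
        if not hmac.compare_digest(proof, _proof(key, sid, path, nonce)):
            return None
        self.used_nonces.add(nonce)
        return f"mailbox of {user}"


class AitmProxy:
    """Sits between victim and IdP, forwards everything unchanged, records what passes."""
    def __init__(self, idp: IdentityProvider) -> None:
        self.idp, self.seen = idp, {}

    def relay_login(self, user, password, totp):
        self.seen["cookie"] = self.idp.login(user, password, totp)   # the post-MFA session cookie
        return self.seen["cookie"]

    def relay_login_bound(self, user, password, totp):
        self.seen["sid"] = self.idp.login_bound(user, password, totp)
        return self.seen["sid"]

    def relay_bound_request(self, sid, path, nonce, proof):
        self.seen["request"] = (sid, path, nonce, proof)
        return self.idp.resource_bound(sid, path, nonce, proof)


def classic_session_replay() -> bool:
    """Bearer cookie: the victim types password and TOTP into the proxied page, the
    proxy records the cookie, the attacker presents it from another machine."""
    idp = IdentityProvider()
    proxy = AitmProxy(idp)
    proxy.relay_login(USERNAME, PASSWORD, TOTP)
    return idp.resource(proxy.seen["cookie"]) is not None


def bound_session_replay() -> dict:
    """Device-bound session: same phishing, but each request needs a proof only the
    enrolled device can produce, and a captured proof is single-use."""
    idp = IdentityProvider()
    proxy = AitmProxy(idp)
    device_key = idp.register_device(USERNAME)   # happened at enrolment, on a trusted channel
    sid = proxy.relay_login_bound(USERNAME, PASSWORD, TOTP)
    nonce = secrets.token_hex(8)
    victim_ok = proxy.relay_bound_request(sid, "/mail", nonce, _proof(device_key, sid, "/mail", nonce)) is not None
    replay_ok = idp.resource_bound(*proxy.seen["request"]) is not None            # verbatim replay
    forged_nonce = secrets.token_hex(8)                                             # new request, guessed key
    forged_ok = idp.resource_bound(sid, "/mail/rules", forged_nonce, _proof(b"guess", sid, "/mail/rules", forged_nonce)) is not None
    return {"victim": victim_ok, "verbatim_replay": replay_ok, "forged": forged_ok}


if __name__ == "__main__":
    print("bearer cookie replay succeeds:", classic_session_replay())
    print("bound session:", bound_session_replay())
```

What the proof covers decides what the proxy can still do: here it binds session, path and nonce, so the attacker can neither reuse the recorded request nor mint a new one, but while the victim stays on the proxied page the proxy can still forward the victim's own requests in real time. Token binding therefore stops the offline replay that makes AiTM profitable; it does not replace phishing-resistant MFA, which stops the session from ever being issued through the proxy.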

AiTM at Hexceos

See our forensic BEC case study detailing a real AiTM attack and its remediation.

Related terms

  • BEC
  • MFA
  • EDR

Last updated: 19 May 2026