
How Adversary-in-the-Middle (AiTM) Phishing Attacks Bypass MFA and Steal Cloud Accounts

You click a link. You sign in. You approve the multi-factor authentication (MFA) prompt. Then you continue with your day.

Everything seems normal.

What you do not see is that an attacker may have gained access to your account at the exact same moment.

This is the reality of Adversary-in-the-Middle (AiTM) phishing attacks. These attacks are becoming more common because they target something many businesses assume is safe: the authenticated session that exists after a successful login.

For years, organisations have invested heavily in MFA. That investment remains important. MFA is still one of the most effective controls available for reducing account compromise.

However, AiTM attacks exploit a gap that MFA was never designed to address.

Instead of stealing passwords and trying to log in later, attackers capture the trusted session after authentication has already been completed.

Understanding how these attacks work is critical for any business that relies on Microsoft 365, Google Workspace, cloud applications, or remote access platforms.

Why Modern Phishing Has Changed

Traditional phishing attacks focused on collecting usernames and passwords.

An attacker would trick someone into entering their credentials into a fake website. The criminal would then attempt to use those credentials later.

MFA made that approach much harder.

Even if attackers obtained a password, they often could not pass the second authentication step.

As a result, attackers adapted.

Today, many phishing campaigns target something far more valuable than a password. They target the authenticated session itself.

Instead of stealing login credentials for future use, attackers intercept the authentication process while it is happening.

They wait until the user successfully logs in, completes MFA, and receives a trusted session from the application.

Then they steal that session.

This approach gives attackers immediate access without needing to defeat the MFA factor itself: the victim completes MFA on the attacker's behalf, and the attacker takes the session that results.

Security researchers have documented a significant increase in attacks focused on session and token theft. At the same time, phishing-as-a-service platforms have made these attacks easier to launch.

Today, attackers can purchase ready-made toolkits that simplify the process of targeting Microsoft 365, Google Workspace, and other cloud platforms.

This means organisations are facing a growing number of sophisticated phishing campaigns, even from relatively low-skilled attackers.

What Is an Adversary-in-the-Middle Attack?

An Adversary-in-the-Middle attack places the attacker between the user and the legitimate authentication service.

The attacker acts as a hidden intermediary.

Instead of connecting directly to the real login page, the user unknowingly connects through the attacker’s infrastructure.

From there, everything happens in real time.

The attacker captures information flowing between both sides while making the interaction appear completely legitimate.

Unlike traditional phishing pages, AiTM sites are not simply copies of login screens.

They are live proxy systems.

Every request the user makes is forwarded to the legitimate service.

Every response from the legitimate service, including the Set-Cookie header that carries the newly issued session token, is sent back through the attacker.

This lets the attacker observe and record the entire authentication exchange: the credentials typed in, the MFA step, and the session token issued at the end.

The Fake Login Page That Feels Real

One reason AiTM attacks are so effective is that they often look identical to legitimate services.

Users may see:

  • Correct branding and logos
  • Legitimate login workflows
  • Working redirects
  • Real MFA prompts
  • Normal account access after login

Nothing appears broken.

Nothing appears suspicious.

The login process behaves exactly as expected.

The page is served over HTTPS from a domain the attacker controls, so the browser padlock offers no warning. The only visible clue is often a slightly altered web address.

That difference can be easy to miss, especially on mobile devices or during busy workdays.

When employees are under pressure, URL verification is not always top of mind.

Attackers understand this and design their campaigns accordingly.

Why MFA Does Not Stop AiTM Attacks

This is where many security assumptions break down.

MFA protects the authentication process.

It confirms that the user is who they claim to be.

However, once authentication succeeds, the application creates a trusted session.

To avoid forcing users to log in repeatedly, applications issue a session cookie or session token.

This token tells the application that the user has already been verified.

The application no longer needs to ask for a password or MFA code because it trusts the session.

The problem is simple.

Whoever possesses that session token can often access the account.

The application trusts the token itself.

AiTM attacks exploit this trust relationship.

Attackers do not need to break MFA.

They simply wait for the session token to be created and then steal it.

Microsoft has reported a significant increase in AiTM attacks as criminals increasingly target accounts already protected by MFA.

This shift demonstrates that strong authentication alone is no longer enough.

Understanding Session Cookies

A session cookie acts like a digital access pass.

Once issued, it proves that authentication has already taken place.

This creates a smoother experience for users because they do not need to constantly re-enter credentials.

Unfortunately, it also creates an opportunity for attackers.

Session tokens function as bearer credentials.

In simple terms, possession often equals access.

If an attacker steals the token, they can import it into their own browser and continue the session.

This process is called session replay.

The attacker does not perform a new login.

They simply resume the existing authenticated session.

From the application’s perspective, the attacker appears to be the legitimate user.

What Happens After an Attacker Steals a Session?

One of the most dangerous aspects of AiTM attacks is how quietly they unfold.

The attacker is already inside a trusted session.

This means many traditional warning signs never appear.

There may be:

  • No failed login attempts
  • No password guessing activity
  • No MFA bypass alerts
  • No obvious authentication failures

The attacker appears to be a legitimate user.

As a result, compromise can continue undetected for extended periods.

Security researchers have observed several common activities after session hijacking occurs.

Creating Hidden Inbox Rules

Attackers often create inbox rules that quietly forward messages to external accounts, or that delete or move incoming mail (for example, replies to the attacker's own fraudulent messages, or security warnings) so the victim never sees it.

This lets them monitor and shape communications without raising suspicion.

Registering Additional MFA Methods

Some attackers add their own authentication methods to maintain long-term access.

This can make account recovery more difficult later.

Monitoring Financial Conversations

Business email compromise frequently begins with mailbox monitoring.

Attackers watch payment discussions, invoice exchanges, and executive communications.

They wait for opportunities to redirect funds or impersonate trusted individuals.

Launching Internal Phishing Campaigns

Because the compromised account is trusted, attackers may use it to target colleagues.

These internal messages often achieve higher success rates than external phishing attempts.

By the time the attack is discovered, financial fraud, data exposure, or broader compromise may already be underway.

How Businesses Can Reduce AiTM Risk

MFA remains essential.

Every organisation should continue implementing and enforcing strong authentication practices.

However, businesses also need controls that protect what happens after login.

Adopt Phishing-Resistant MFA

Not all MFA methods provide the same level of protection.

Technologies such as FIDO2 security keys and passkeys are considered phishing-resistant.

The credential is bound to the origin of the website it was registered with: the browser will only use it on that origin, and the signed response it produces includes the origin the browser actually saw and the relying party's identifier.

If the user is on a look-alike domain, the browser refuses to use the credential, and even a response that did get through would fail the service's origin check. There is no code to type and no approval to tap that a proxy could relay.

This is why proxy-based attacks fail against these methods at the login step itself, provided weaker fallback methods are disabled for the account; otherwise the proxy simply steers the user towards the weaker method.

Research from the Canadian Centre for Cyber Security found that phishing-resistant MFA consistently blocked session theft scenarios that bypassed traditional MFA methods.
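The origin binding described above, as an added example that is not part of the original article and not the code of any WebAuthn library. It models the two artefacts a relying party inspects in a WebAuthn login (the browser-written clientDataJSON and the RP ID hash from the authenticator) and the browser's own rule that a credential may only be used on its registered origin. The relying-party identifier, the allowed origin and the look-alike domain are assumed values; the ECDSA signature over these bytes, which a real relying party verifies with the registered public key, is omitted because it needs an external crypto library and does not change the origin logic shown.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlparse

# Relying-party (RP) configuration; assumed values for this example.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def new_challenge():
    """Random per-login challenge the RP sends to the browser."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def browser_get(origin, challenge, enforce_rp_id_scope=True):
    """Simulates navigator.credentials.get() on a page served from `origin`.

    A conforming browser only lets a page use credentials whose RP ID equals
    the page's host or a registrable parent of it; otherwise the call fails
    and no assertion exists to relay. When it proceeds, the browser itself
    writes the page's real origin into clientDataJSON, and the authenticator
    data carries sha256(rpId). An AiTM proxy can pass the challenge through
    unchanged but cannot alter what the browser records.
    """
    host = urlparse(origin).hostname or ""
    if enforce_rp_id_scope and not (host == RP_ID or host.endswith("." + RP_ID)):
        return None  # browser raises SecurityError: RP ID not valid for this origin
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return {
        "clientDataJSON": json.dumps(client_data).encode(),
        "rpIdHash": hashlib.sha256(RP_ID.encode()).digest(),
    }


def verify_assertion(assertion, expected_challenge):
    """RP-side checks that make the credential phishing-resistant
    (signature verification with the stored public key would follow)."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch: stale or replayed response"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not the relying party"
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not secrets.compare_digest(assertion["rpIdHash"], expected_hash):
        return False, "rpIdHash does not match the configured RP ID"
    return True, "ok"


def attempt(origin, enforce_rp_id_scope=True):
    """One login ceremony: RP issues a challenge, the page at `origin`
    answers it, the RP verifies the answer."""
    challenge = new_challenge()
    assertion = browser_get(origin, challenge, enforce_rp_id_scope)
    if assertion is None:
        return False, "browser refused: RP ID is not valid for this origin"
    return verify_assertion(assertion, challenge)


def demo():
    return {
        "genuine": attempt("https://login.example.com"),
        "proxied": attempt("https://login-example.com"),
        # Hypothetical browser that skipped the RP ID scope rule: the RP still
        # rejects, because the recorded origin is the proxy's, not the RP's.
        "proxied_unscoped": attempt("https://login-example.com", enforce_rp_id_scope=False),
    }


if __name__ == "__main__":
    for label, (accepted, reason) in demo().items():
        print(f"{label}: accepted={accepted} ({reason})")
```

Compare this with a one-time code or push approval: those carry nothing that names the site the user is on, so the proxy relays them intact and the service cannot tell the difference. Here the defence is two-layered, the browser's scope rule first and the relying party's origin check second, and the fresh challenge per login also stops a captured response from being replayed later.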

Strengthen Conditional Access Policies

Conditional access adds additional decision-making beyond simple authentication.

These controls evaluate factors such as:

  • Device compliance
  • User location
  • Network information
  • Session behaviour
  • Risk indicators

If unusual activity appears, access can be restricted or challenged.

This helps reduce the usefulness of stolen sessions.

Monitor Post-Login Activity

Many organisations focus heavily on login events.

AiTM attacks highlight why post-login monitoring is equally important.

Security teams should watch for:

  • New MFA registrations
  • Unexpected inbox rules
  • Unusual geographic access
  • Large data downloads
  • Abnormal account activity

These indicators often reveal compromise faster than authentication logs alone.
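The post-login indicators listed above, and the attacker activities described earlier (hidden inbox rules, added MFA methods), turned into detection logic run over a small batch of audit events. This is an added example, not code from the original article and not a product's detection rule. The events are constructed for the example and only loosely follow the shape of Microsoft 365 and Entra audit records (simplified field names); the tenant domain, home country, folder names and the 60-minute travel window are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example (simplified field names).
EVENTS = [
    {"time": "2024-05-06T08:01:00Z", "user": "alice@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.5", "country": "GB"},
    {"time": "2024-05-06T08:14:00Z", "user": "alice@example.com", "op": "UserLoggedIn",
     "ip": "198.51.100.77", "country": "NG"},
    {"time": "2024-05-06T08:20:00Z", "user": "alice@example.com", "op": "New-InboxRule",
     "ip": "198.51.100.77", "country": "NG",
     "params": {"Name": ".", "ForwardTo": "drop@attacker-mail.test", "DeleteMessage": True}},
    {"time": "2024-05-06T08:33:00Z", "user": "alice@example.com",
     "op": "User registered security info", "ip": "198.51.100.77", "country": "NG"},
    {"time": "2024-05-06T09:00:00Z", "user": "bob@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.9", "country": "GB"},
    {"time": "2024-05-06T09:05:00Z", "user": "bob@example.com", "op": "New-InboxRule",
     "ip": "203.0.113.9", "country": "GB",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading", "From": "news@example.com"}},
]

INTERNAL_DOMAINS = {"example.com"}      # assumed tenant domains
HOME_COUNTRIES = {"GB"}                  # assumed normal sign-in countries
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History", "Junk Email"}
TRAVEL_WINDOW = timedelta(minutes=60)


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def _is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def inbox_rule_reasons(event):
    """Why a New-InboxRule event looks like a forwarding or hiding rule, if it does."""
    p = event.get("params", {})
    reasons = []
    for key in ("ForwardTo", "ForwardingSmtpAddress", "RedirectTo"):
        if key in p and _is_external(p[key]):
            reasons.append(f"{key} sends mail to external address {p[key]}")
    if p.get("DeleteMessage"):
        reasons.append("rule deletes matching messages")
    if p.get("MoveToFolder") in HIDING_FOLDERS:
        reasons.append(f"rule hides mail in {p['MoveToFolder']!r}")
    if len(p.get("Name", "").strip()) <= 2:
        reasons.append(f"rule name {p.get('Name')!r} is designed not to be noticed")
    return reasons


def detect(events):
    """Run three post-login detections over a batch of events; returns alerts."""
    alerts = []
    last_login = {}
    for e in sorted(events, key=_ts):
        user, op = e["user"], e["op"]
        if op == "UserLoggedIn":
            prev = last_login.get(user)
            if prev and prev["country"] != e["country"] and _ts(e) - _ts(prev) <= TRAVEL_WINDOW:
                minutes = int((_ts(e) - _ts(prev)).total_seconds() // 60)
                alerts.append({"user": user, "rule": "impossible_travel",
                               "detail": f"{prev['country']} -> {e['country']} in {minutes} min"})
            last_login[user] = e
        elif op == "New-InboxRule":
            reasons = inbox_rule_reasons(e)
            if reasons:
                alerts.append({"user": user, "rule": "suspicious_inbox_rule",
                               "detail": "; ".join(reasons)})
        elif op == "User registered security info" and e["country"] not in HOME_COUNTRIES:
            alerts.append({"user": user, "rule": "mfa_method_added_from_unusual_location",
                           "detail": f"new security info registered from {e['ip']} ({e['country']})"})
    return alerts


def alerts_by_user(events):
    grouped = defaultdict(list)
    for a in detect(events):
        grouped[a["user"]].append(a["rule"])
    return dict(grouped)


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a['rule']}] {a['user']}: {a['detail']}")
```

None of these alerts depends on a failed login or a rejected MFA prompt; each fires on successful, fully authenticated activity, which is exactly where a stolen session shows up. The three alerts for the same account within half an hour are the pattern worth paging on; any one of them alone (a short-named rule, a genuine trip abroad) needs an analyst's judgement.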

Improve User Awareness

User training still matters.

Employees should understand that a successful MFA prompt does not automatically mean a page is safe.

Staff should be encouraged to:

  • Check URLs carefully
  • Pause when something feels unusual
  • Report suspicious login pages
  • Question unexpected authentication requests

Even brief awareness sessions can reduce exposure significantly.

Identity Security Goes Beyond the Login Screen

Many businesses view MFA as the final step in protecting accounts.

In reality, it is the starting point.

AiTM attacks demonstrate that attackers increasingly target the trust created after authentication succeeds.

They understand how session management works.

They understand how cloud identity systems operate.

And they know that many organisations focus more on logins than active sessions.

Reducing risk requires a layered approach.

Businesses need strong authentication, phishing-resistant technologies, conditional access controls, user awareness, and ongoing monitoring.

Together, these controls make session theft significantly harder and help detect compromise before it turns into financial loss, data exposure, or broader network intrusion.

Stop Protecting Only the Login Process

MFA remains one of the most important security controls available today.

But it was never designed to protect every stage of the identity lifecycle.

AiTM attacks exploit what happens after authentication succeeds.

That is why organisations must look beyond the login screen and focus on the trust relationships created during active sessions.

The businesses best positioned to reduce risk are the ones that understand how authentication, sessions, and identity controls work together.

They build protection around every layer instead of relying on a single security measure.

If you would like to review your identity security controls and identify potential gaps before attackers do, contact Caldera Cybersecurity for a consultation.
