Home 9 Business 9 Why Multi Factor Authentication isn’t enough!

Why Multi Factor Authentication isn’t enough!

Adversary‑in‑the‑Middle Attacks: Why MFA Alone Isn’t Enough

You click a link, sign in, approve the MFA prompt, and get on with your day.
Completely unaware that someone else just logged into your account at the same moment.

That scenario surprises many organisations, especially those relying on multi‑factor
authentication to protect cloud accounts. But this is exactly how
Adversary‑in‑the‑Middle (AiTM) attacks work.

Key point:
AiTM attacks don’t steal passwords. They silently hijack a trusted login session in real time.

Phishing Has Moved Beyond Passwords

Phishing is still the most common starting point for account compromise, but the goal has changed.
Traditional phishing focused on usernames and passwords. Modern phishing is after something far more
useful: the authenticated session itself.

Instead of trying to reuse stolen credentials, attackers wait until you successfully sign in and
approve MFA. They then steal the session token that proves authentication has already happened.

This shift has accelerated thanks to phishing‑as‑a‑service platforms, which provide ready‑made tools
that target Microsoft 365 and Google Workspace with very little setup.

How AiTM Attacks Work

The login page that looks real

An AiTM phishing page is not a basic copy of a sign‑in screen. It is a live reverse proxy.

The attacker sits between the user and the real service. Every click, redirect, and response flows
through the attacker’s system in real time. From the user’s point of view, everything looks normal.

  • Correct branding
  • Working links
  • A genuine MFA prompt
  • Normal redirects after sign‑in

Often the only warning sign is a slightly altered web address, which is easy to miss on a mobile
device or when someone is under pressure.

Why MFA doesn’t stop it

MFA protects the moment of authentication, not what comes after it.

Once you complete MFA, the service issues a session cookie. That cookie tells the system you are
already trusted. From that point on, no password or MFA prompt is required.

Important:
Whoever holds the session cookie holds the access.

AiTM attacks simply wait for that cookie to be issued, then steal it.

What a session cookie really means

Session tokens act as bearer credentials. If an attacker has the token, the system assumes they are you.

The attacker imports the stolen cookie into their own browser and immediately resumes the session.
There is no login attempt and no MFA challenge. They simply continue where you left off.

What Happens After a Session Is Stolen

The aftermath of an AiTM attack is usually quiet. That’s what makes it dangerous.

Because the attacker is inside a trusted session, there are no failed logins or MFA alerts.
Instead, attackers often:

  • Create hidden inbox rules to monitor or redirect emails
  • Add their own MFA methods to keep access
  • Watch conversations involving payments or contracts
  • Use the compromised account to phish colleagues

These attacks are often discovered late, after financial loss or data exposure has already begun.

Reducing Your Exposure

MFA is still essential. But reducing AiTM risk means protecting more than just the login screen.

Use phishing‑resistant MFA

Security keys and passkeys tie authentication to the real website and the specific device being used.
If the page isn’t genuine, the sign‑in simply fails.

Strengthen access rules and monitoring

AiTM activity usually shows up after login. That means watching for things like new MFA methods,
inbox rules created out of hours, or access from unfamiliar locations.

Help your people spot the warning signs

A working MFA prompt doesn’t always mean a page is safe. When your team understands that,
they are more likely to pause, check the address, and report concerns early.

Stop Protecting Just the Login Screen

MFA is a baseline, not the finish line.

At Bespoke IT Solutions, we help organisations understand how identity,
sessions, and trust really work, and put the right protections in place without unnecessary complexity.

Want to review your identity security?

Speak to our team to identify the gaps that matter most before an incident does it for you.

Frequently Asked Questions

What is an Adversary‑in‑the‑Middle attack?

It’s a phishing technique where attackers intercept login sessions in real time and steal
session cookies after authentication completes.

Can AiTM attacks bypass MFA?

Yes. They don’t break MFA. They wait for MFA to succeed, then steal the authenticated session.

How can organisations reduce the risk?

Using phishing‑resistant MFA, tightening access controls, monitoring session behaviour,
and training your people all help reduce exposure.

 

Recent Posts

Plan for offboarding from day one.

Plan for offboarding from day one.

Offboarding problems don’t start when someone leaves. They start on day one   When someone leaves your business, things can feel rushed and messy. You’re chasing logins, tracking down devices, and trying to work out what they had access to. However, most of these...

Managing the cloud sprawl.

Managing the cloud sprawl.

Cloud Sprawl Management Take control of your cloud, reduce stress, and let your business grow without the chaos. Cloud sprawl management is now one of the biggest challenges facing growing businesses. While cloud systems help you move faster, they can also create...

FortiBleed – Cyber Attack News

FortiBleed – Cyber Attack News

FortiBleed: Why This Cyber Attack Is Different And What You Need To Do Now The problem There’s a new cyber threat making headlines and it’s not what most people expect. FortiBleed is a global campaign targeting Fortinet firewalls and VPN systems. These are the tools...

UK’s Tech Talent Crunch.

UK’s Tech Talent Crunch.

UK Tech Talent Shortage Solutions Why hiring is harder than ever and what you can do about it If you’re struggling to hire IT staff, you’re not alone. Many businesses across the UK are facing the same challenge. UK tech talent shortage solutions are now essential for...

Outsourcing Is Changing – And It’s Becoming a Growth Strategy

Outsourcing Is Changing – And It’s Becoming a Growth Strategy

Strategic IT Outsourcing UK: A Smarter Way to Grow The problem: many UK businesses are under pressure. Costs are rising, skilled IT staff are hard to find, and keeping systems secure is getting harder. The answer: strategic IT outsourcing UK gives you access to expert...

Messaging app scams are rising.

Messaging app scams are rising.

Messaging app scams are rising. Here’s what businesses need to know. Messaging app scams are becoming a growing risk for businesses of all sizes. Tools like WhatsApp, Microsoft Teams, Signal, and SMS are used every day to keep work moving, but criminals are now using...

Why Passwords Are Still Letting Businesses Down

Why Passwords Are Still Letting Businesses Down

Why Passwords Are Still Letting Businesses Down Most businesses still rely on passwords to protect their systems. However, that approach no longer fits the way people work. Some passwords are strong. Many aren’t. Worse still, people reuse most of them somewhere else....