
Why Multi Factor Authentication isn’t enough!

Adversary‑in‑the‑Middle Attacks: Why MFA Alone Isn’t Enough

You click a link, sign in, approve the MFA prompt, and get on with your day,
completely unaware that someone else just logged into your account at the same moment.

That scenario surprises many organisations, especially those relying on multi‑factor
authentication to protect cloud accounts. But this is exactly how
Adversary‑in‑the‑Middle (AiTM) attacks work.

Key point:
AiTM attacks don’t steal passwords. They silently hijack a trusted login session in real time.

Phishing Has Moved Beyond Passwords

Phishing is still the most common starting point for account compromise, but the goal has changed.
Traditional phishing focused on usernames and passwords. Modern phishing is after something far more
useful: the authenticated session itself.

Instead of trying to reuse stolen credentials, attackers wait until you successfully sign in and
approve MFA. They then steal the session token that proves authentication has already happened.

This shift has accelerated thanks to phishing‑as‑a‑service platforms, which provide ready‑made tools
that target Microsoft 365 and Google Workspace with very little setup.

How AiTM Attacks Work

The login page that looks real

An AiTM phishing page is not a basic copy of a sign‑in screen. It is a live reverse proxy.

The attacker sits between the user and the real service. Every click, redirect, and response flows
through the attacker’s system in real time. From the user’s point of view, everything looks normal.

  • Correct branding
  • Working links
  • A genuine MFA prompt
  • Normal redirects after sign‑in

Often the only warning sign is a slightly altered web address, which is easy to miss on a mobile
device or when someone is under pressure.

Why MFA doesn’t stop it

MFA protects the moment of authentication, not what comes after it.

Once you complete MFA, the service issues a session cookie. That cookie tells the system you are
already trusted. From that point on, no password or MFA prompt is required.

Important:
Whoever holds the session cookie holds the access.

AiTM attacks simply wait for that cookie to be issued, then steal it.

What a session cookie really means

Session tokens act as bearer credentials. If an attacker has the token, the system assumes they are you.

The attacker imports the stolen cookie into their own browser and immediately resumes the session.
There is no login attempt and no MFA challenge. They simply continue where you left off.

What Happens After a Session Is Stolen

The aftermath of an AiTM attack is usually quiet. That’s what makes it dangerous.

Because the attacker is inside a trusted session, there are no failed logins or MFA alerts.
Instead, attackers often:

  • Create hidden inbox rules to monitor or redirect emails
  • Add their own MFA methods to keep access
  • Watch conversations involving payments or contracts
  • Use the compromised account to phish colleagues

These attacks are often discovered late, after financial loss or data exposure has already begun.

Reducing Your Exposure

MFA is still essential. But reducing AiTM risk means protecting more than just the login screen.

Use phishing‑resistant MFA

Security keys and passkeys tie authentication to the real website and the specific device being used.
If the page isn’t genuine, the sign‑in simply fails.
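
The binding described above can be seen in the checks a service runs on a security key or passkey sign-in (WebAuthn). This is an added example, not code from this article: the domain names, challenge and sample responses are constructed, and signature verification, which is also required, is left out.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                    # assumed genuine relying party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed genuine sign-in origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion_binding(client_data_json, authenticator_data, expected_challenge):
    """Return the binding failures for one sign-in response; [] means none."""
    failures = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        failures.append("wrong type")
    if client_data.get("challenge") != b64url(expected_challenge):
        failures.append("challenge mismatch")
    # The browser, not the page, records the origin it actually loaded.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin mismatch")
    # The first 32 bytes of authenticator data are SHA-256 of the RP ID.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash mismatch")
    return failures


def constructed_assertion(origin, rp_id, challenge):
    """Build sample inputs (constructed, not captured from a real authenticator)."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # Layout: rpIdHash (32 bytes) + flags (1 byte) + signature counter (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (7).to_bytes(4, "big")
    return client_data, auth_data


CHALLENGE = b"constructed-challenge-0001"
GENUINE = constructed_assertion("https://login.example.com", "login.example.com", CHALLENGE)
PROXIED = constructed_assertion("https://login.example-secure.test", "login.example-secure.test", CHALLENGE)

if __name__ == "__main__":
    print("genuine:", check_assertion_binding(*GENUINE, CHALLENGE))
    print("proxied:", check_assertion_binding(*PROXIED, CHALLENGE))
```

A response produced on the lookalike address carries that address and its hash inside the signed data, so the real service rejects it even though the user completed every step.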

Strengthen access rules and monitoring

AiTM activity usually shows up after login. That means watching for things like new MFA methods,
inbox rules created out of hours, or access from unfamiliar locations.
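
One way to express those post-login checks as detection logic, as an added example that is not part of the original article. The event schema, field names, working hours and location baseline are assumptions, and the sample events are constructed; it also flags a session that appears from a second location, which goes slightly beyond the three signals named above.

```python
from datetime import datetime

BUSINESS_HOURS = range(8, 18)          # assumed working day, local time
KNOWN_COUNTRIES = {"alice": {"GB"}}    # assumed per-user location baseline

# Constructed sample events in a hypothetical normalised schema
# (not any vendor's audit log format). "XX" stands for an unfamiliar location.
EVENTS = [
    {"time": "2024-05-14T09:02:11", "user": "alice", "event": "sign_in", "country": "GB", "session": "s-100"},
    {"time": "2024-05-14T09:04:05", "user": "alice", "event": "session_activity", "country": "XX", "session": "s-100"},
    {"time": "2024-05-14T23:41:52", "user": "alice", "event": "inbox_rule_created", "country": "XX", "session": "s-100"},
    {"time": "2024-05-14T23:43:10", "user": "alice", "event": "mfa_method_added", "country": "XX", "session": "s-100"},
    {"time": "2024-05-15T10:15:00", "user": "alice", "event": "inbox_rule_created", "country": "GB", "session": "s-101"},
]


def findings_for(event, session_countries):
    """Return the reasons this post-login event deserves review."""
    reasons = []
    hour = datetime.fromisoformat(event["time"]).hour
    if event["country"] not in KNOWN_COUNTRIES.get(event["user"], set()):
        reasons.append("unfamiliar location")
    # One session token showing up from two places suggests it was copied.
    seen = session_countries.setdefault(event["session"], set())
    if seen and event["country"] not in seen:
        reasons.append("session reused from a second location")
    seen.add(event["country"])
    if event["event"] == "mfa_method_added":
        reasons.append("new MFA method")
    if event["event"] == "inbox_rule_created" and hour not in BUSINESS_HOURS:
        reasons.append("inbox rule created out of hours")
    return reasons


def triage(events):
    """Walk events in time order; return (time, user, reasons) for flagged ones."""
    session_countries = {}
    flagged = []
    for event in sorted(events, key=lambda e: e["time"]):
        reasons = findings_for(event, session_countries)
        if reasons:
            flagged.append((event["time"], event["user"], reasons))
    return flagged


if __name__ == "__main__":
    for when, user, reasons in triage(EVENTS):
        print(when, user, "; ".join(reasons))
```

None of the flagged events involves a failed login or an MFA prompt, which is why these signals have to be watched separately from sign-in alerts.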

Help your people spot the warning signs

A working MFA prompt doesn’t always mean a page is safe. When your team understands that,
they are more likely to pause, check the address, and report concerns early.

Stop Protecting Just the Login Screen

MFA is a baseline, not the finish line.

At Bespoke IT Solutions, we help organisations understand how identity,
sessions, and trust really work, and put the right protections in place without unnecessary complexity.

Want to review your identity security?

Speak to our team to identify the gaps that matter most before an incident does it for you.

Frequently Asked Questions

What is an Adversary‑in‑the‑Middle attack?

It’s a phishing technique where attackers intercept login sessions in real time and steal
session cookies after authentication completes.

Can AiTM attacks bypass MFA?

Yes. They don’t break MFA. They wait for MFA to succeed, then steal the authenticated session.

How can organisations reduce the risk?

Using phishing‑resistant MFA, tightening access controls, monitoring session behaviour,
and training your people all help reduce exposure.

 
