The Agency.

Adversary-in-the-Middle

Adversary-in-the-Middle (AitM) attacks intercept authentication between users and services to hijack sessions and bypass multi-factor authentication.

An adversary-in-the-middle attack is a phishing technique in which the attacker runs a reverse proxy between the user and a legitimate website. The proxy relays the real login flow to the user while capturing the credentials and session tokens that pass through it in real time, so the victim sees a working login and the attacker walks away with an authenticated session.

How AitM Attacks Work

Modern AitM attacks primarily aim to capture the session cookie, not just the password. A password alone often fails against MFA, but a valid session cookie is a post-authentication bearer token: whoever presents it is treated as the already-verified user. By stealing this token the attacker inherits the user's verified status and can access resources and maintain persistence without triggering a new MFA challenge or needing the victim's device again.

A typical AitM attack proceeds as follows. The user clicks a link in a phishing email and lands on a look-alike login page. That page is not a static copy: it is served by a reverse proxy the attacker has placed between the user and the legitimate site, which fetches the real login page on the fly, relays it to the user, and records everything passing through in both directions. The user enters a username and password, the proxy forwards them to the real site, and the real site responds with its MFA prompt, which the proxy relays back to the user. The user completes the MFA challenge, the proxy forwards that too, and because the real site has now seen a valid password and a valid second factor it issues a session cookie. The proxy captures that cookie (and usually the password as well) before passing the logged-in page back to the user, who sees nothing unusual. The attacker then presents the captured cookie to the real site from their own machine and is treated as the authenticated user.

MFA Bypass

AitM phishing defeats MFA not by breaking the second factor but by waiting for the user to satisfy it. One-time passwords (from an app, SMS or a hardware token), push approvals and number matching are all relayed through the proxy to the real site, which then issues the session cookie the attacker wanted; nothing in those factors ties the approval to the page the user is actually looking at. This is a significant evolution in phishing technique: organizations that have deployed MFA may assume they are fully protected against credential phishing, when in fact only phishing-resistant factors hold up.
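The flow described in the two sections above, written out as a small offline simulation. This is an added example and not code from the page or from any product; the hostnames, credentials, OTP value and key are constructed. Three parties take part: the real site, a phishing reverse proxy that relays every step and records what it sees, and the user's browser with an authenticator. The OTP path shows the bypass (the proxy ends up holding a cookie the real site accepts with no further MFA). The second path uses an HMAC over the challenge and the origin as a stand-in for a FIDO2/WebAuthn assertion, which in reality is a signature over data that includes the origin the browser is on, and shows why the same proxy fails against it.

```python
"""Simulated adversary-in-the-middle login flow (added example, not the page's code)."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example.com"   # legitimate site (constructed)
PHISH_ORIGIN = "https://login-example.co"   # attacker's proxy host (constructed)


class RealSite:
    """Minimal relying party: password, then either an OTP or an origin-bound assertion."""

    def __init__(self):
        # Constructed test user; the shared key stands in for a FIDO2 credential.
        self.users = {"alice": {"password": "correct horse", "otp": "123456",
                                "key": secrets.token_bytes(32)}}
        self.pending = {}   # user -> challenge issued after the password step
        self.sessions = {}  # cookie value -> user

    def login(self, user, password):
        u = self.users.get(user)
        if not u or not hmac.compare_digest(u["password"], password):
            return {"error": "bad credentials"}
        self.pending[user] = secrets.token_hex(16)
        return {"mfa_required": True, "challenge": self.pending[user]}

    def finish_otp(self, user, otp):
        # OTP, push approval and number matching all reduce to this: a value the user
        # produces and the site checks, with no link to where the user typed it.
        if user not in self.pending or self.users[user]["otp"] != otp:
            return {"error": "bad otp"}
        return self._issue(user)

    def finish_webauthn(self, user, challenge, origin, sig):
        # The assertion covers the origin, and the site only accepts its own origin.
        expected = hmac.new(self.users[user]["key"],
                            f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()
        if (self.pending.get(user) != challenge or origin != REAL_ORIGIN
                or not hmac.compare_digest(expected, sig)):
            return {"error": "origin mismatch or bad assertion"}
        return self._issue(user)

    def _issue(self, user):
        del self.pending[user]
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return {"set_cookie": f"session={cookie}"}

    def whoami(self, cookie_header):
        # Bearer semantics: whoever presents a valid cookie is the user, no MFA re-check.
        return self.sessions.get(cookie_header.split("=", 1)[1])


class Authenticator:
    """Browser-side signer; it signs the origin the browser is really connected to."""

    def __init__(self, key):
        self.key = key

    def sign(self, challenge, origin):
        return hmac.new(self.key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class PhishingProxy:
    """Relays every step to the real site and records what passes through."""

    def __init__(self, site):
        self.site = site
        self.captured = {}

    def login(self, user, password):
        self.captured["password"] = password
        return self.site.login(user, password)

    def finish_otp(self, user, otp):
        self.captured["otp"] = otp
        resp = self.site.finish_otp(user, otp)
        if "set_cookie" in resp:
            self.captured["cookie"] = resp["set_cookie"]   # the real prize
        return resp

    def finish_webauthn(self, user, challenge, origin, sig):
        # The proxy can only forward what the browser signed; it cannot re-sign for REAL_ORIGIN.
        return self.site.finish_webauthn(user, challenge, origin, sig)


def run_otp_flow():
    """Victim logs in through the proxy with password + OTP; attacker replays the cookie."""
    site = RealSite()
    proxy = PhishingProxy(site)
    proxy.login("alice", "correct horse")
    proxy.finish_otp("alice", "123456")
    # Attacker presents the captured cookie directly to the real site: no MFA prompt.
    return site.whoami(proxy.captured["cookie"]), sorted(proxy.captured)


def run_webauthn_flow(phished):
    """Same flow with an origin-bound assertion; returns True if a session was issued."""
    site = RealSite()
    proxy = PhishingProxy(site)
    auth = Authenticator(site.users["alice"]["key"])
    front = proxy if phished else site                 # what the browser talks to
    origin = PHISH_ORIGIN if phished else REAL_ORIGIN  # what the browser sees in the URL bar
    resp = front.login("alice", "correct horse")
    sig = auth.sign(resp["challenge"], origin)
    return "set_cookie" in front.finish_webauthn("alice", resp["challenge"], origin, sig)


if __name__ == "__main__":
    print(run_otp_flow())                                     # ('alice', ['cookie', 'otp', 'password'])
    print(run_webauthn_flow(True), run_webauthn_flow(False))  # False True
```

The point of the second path is that the proxy never gets to choose the origin: the browser fills it in from the address bar, the authenticator signs it, and the real site rejects anything that is not its own origin. The proxy can relay the assertion, but relaying does not help.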

Defense

Defending against AitM attacks requires phishing-resistant authentication such as FIDO2/WebAuthn hardware security keys (or passkeys): the browser includes the origin it is connected to in the data the authenticator signs, so an assertion produced on the proxy's domain is rejected by the legitimate site and there is nothing for the proxy to relay. Beyond that, continuous session monitoring for anomalous access (a session presented from a different IP address, client or geography than the one that authenticated it), short session lifetimes with the ability to revoke sessions and refresh tokens when compromise is suspected, and email security that detects and blocks AitM phishing pages before users can interact with them all shrink the window an attacker has with a stolen cookie. Pangratis identifies AitM phishing campaigns through behavioral analysis, protecting organizations even against attacks designed to bypass traditional MFA.
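The session-monitoring control mentioned above, as an added example run over constructed log lines (this is not the page's or any vendor's detection logic). The example assumes an authentication service that logs one JSON event per line with a session identifier `sid` (taken here to be a hash of the session cookie rather than the cookie itself) and the IP address and user agent of the client presenting it. In an AitM compromise the login and MFA events carry the proxy's address, and the stolen cookie later shows up from the attacker's own host and tooling, which is the pattern the detector keys on.

```python
"""Flag sessions presented from a client context other than the one that authenticated them.

Added example; the log lines below are constructed, not real telemetry.
"""
import json

# One JSON event per line, as a hypothetical auth service might emit them.
SAMPLE_LOG = """\
{"ts": 1700000000, "event": "login", "user": "alice", "sid": "s1", "ip": "203.0.113.10", "ua": "Chrome/119 Windows"}
{"ts": 1700000004, "event": "mfa_ok", "user": "alice", "sid": "s1", "ip": "203.0.113.10", "ua": "Chrome/119 Windows"}
{"ts": 1700000030, "event": "request", "user": "alice", "sid": "s1", "ip": "203.0.113.10", "ua": "Chrome/119 Windows"}
{"ts": 1700000095, "event": "request", "user": "alice", "sid": "s1", "ip": "198.51.100.77", "ua": "python-requests/2.31"}
{"ts": 1700000100, "event": "login", "user": "bob", "sid": "s2", "ip": "192.0.2.5", "ua": "Safari/17 iPhone"}
{"ts": 1700000105, "event": "mfa_ok", "user": "bob", "sid": "s2", "ip": "192.0.2.5", "ua": "Safari/17 iPhone"}
{"ts": 1700000400, "event": "request", "user": "bob", "sid": "s2", "ip": "192.0.2.9", "ua": "Safari/17 iPhone"}
{"ts": 1700000500, "event": "request", "user": "bob", "sid": "s2", "ip": "192.0.2.5", "ua": "Safari/17 iPhone"}
"""


def detect_session_reuse(log_text):
    """Return one alert per event where a session is used from a changed client context.

    IP and user agent both changing is rated high: a cookie captured by a proxy is
    typically replayed from a different host with different tooling. IP alone is
    medium, because mobile roaming and VPN churn produce the same signal.
    """
    origin_ctx = {}   # sid -> (ip, ua) seen at login
    alerts = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        sid = ev["sid"]
        if ev["event"] == "login":
            origin_ctx[sid] = (ev["ip"], ev["ua"])
            continue
        if sid not in origin_ctx:
            continue          # session authenticated outside this log window
        ip0, ua0 = origin_ctx[sid]
        ip_changed, ua_changed = ev["ip"] != ip0, ev["ua"] != ua0
        if not (ip_changed or ua_changed):
            continue
        alerts.append({
            "sid": sid, "user": ev["user"], "ts": ev["ts"],
            "severity": "high" if ip_changed and ua_changed else "medium",
            "from": (ip0, ua0), "to": (ev["ip"], ev["ua"]),
        })
    return alerts


if __name__ == "__main__":
    for a in detect_session_reuse(SAMPLE_LOG):
        print(a["severity"], a["user"], a["sid"], a["from"], "->", a["to"])
```

On a high-severity hit the response is to revoke that session (and the user's refresh tokens, if the identity provider issues them) rather than just to alert, and to look at the address that performed the original login: in a proxied flow that is the attacker's relay, not the user's machine.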
