
For years, multi-factor authentication was marketed as the single most effective defense against credential theft. Enable MFA, the conventional wisdom went, and phishing became a manageable problem. That assumption no longer holds. The defining phishing technique of 2025 and 2026 is not a brute-force attack on MFA or a clever social engineering prompt designed to trick users into approving a push notification. It is a proxy-based attack that lets users authenticate successfully and then steals the result. It is called Adversary-in-the-Middle phishing, and it has quietly become the dominant method attackers use to compromise Microsoft 365, Google Workspace, and Okta accounts across industries.
The Illusion of MFA-Based Security
Most organizations implemented MFA believing it would render stolen passwords useless. For a time, this was largely true. But attacker innovation has outpaced that assumption. According to CrowdStrike’s 2026 Global Threat Report, 82% of detections in 2025 were malware-free, meaning adversaries are increasingly relying on identity abuse rather than malicious code to breach environments. PwC’s 2026 Annual Threat Dynamics captures the shift bluntly: adversaries are “logging in rather than breaking in.”
AiTM phishing is the purest expression of that trend. It does not attempt to break MFA. It lets the victim complete MFA successfully, then steals the authentication proof that MFA produces. The result is account takeover without any alarm bells, without any password reset requirements, and without any malware footprint for endpoint detection tools to flag.
What Is an Adversary-in-the-Middle (AiTM) Attack?
An Adversary-in-the-Middle attack is a reverse-proxy phishing technique. Instead of building a static fake login page that collects credentials, the attacker stands up a proxy server that sits between the victim and the real service they are trying to reach—typically Microsoft 365, Google Workspace, or a similar cloud identity provider.
When a victim clicks a phishing link, they do not land on a crude counterfeit page. They land on the attacker’s proxy, which transparently relays every request to and from the legitimate service in real time. The victim sees the real Microsoft login screen, with valid TLS certificates, working error messages, and authentic tenant branding—because they are actually communicating with Microsoft, just with the attacker reading every packet in transit.
The victim enters their password. They complete MFA, whether by push notification, time-based one-time password, or SMS. The legitimate service validates the authentication and issues a session cookie. At that moment, the proxy captures the cookie and exfiltrates it to the attacker. The attacker imports the cookie into their own browser and is instantly logged in as the victim—no password required, no MFA challenge, no login alert. The critical insight is that AiTM does not bypass MFA. It waits for MFA to succeed and then steals the proof of authentication after the fact.
Inside the Attack Chain: How AiTM Phishing Actually Works
A typical AiTM campaign unfolds across five distinct stages.
The first stage is delivery. Victims receive a phishing email, LinkedIn message, or SMS designed to look like a routine sign-in prompt, shared document notification, or payment remittance. Microsoft’s identity threat intelligence team has tracked Evilginx-based AiTM infrastructure across multiple threat actors, including the prolific cybercriminal operator Storm-0485 and the Russian state-affiliated actor Star Blizzard. Delivery methods have shifted throughout 2024 and 2025, moving from QR code documents to HTML attachments that execute JavaScript locally, and more recently to SVG files that render phishing content directly in the browser.
The second stage is the proxy relay. When the victim clicks the lure, they land on a reverse-proxy server running a kit such as Evilginx, Tycoon 2FA, EvilProxy, or Sneaky 2FA. The proxy silently forwards the victim’s browser traffic to the real Microsoft or Google login endpoint.
The third stage is credential capture. The victim enters their username and password. The proxy relays both to the legitimate service and simultaneously records a copy for the attacker.
The fourth stage is MFA relay. The legitimate service prompts for a second factor. The victim approves the push, enters the TOTP code, or provides the SMS code. The proxy forwards the response to the real service, which accepts it and issues a session cookie.
The fifth stage is cookie theft and replay. The session cookie—the token that proves the authentication succeeded—is exfiltrated to the attacker. The attacker loads the cookie into their own browser session and is instantly authenticated as the victim, without triggering any further MFA prompts or login alerts.
The Phishing-as-a-Service Ecosystem Fueling the Surge
What transformed AiTM from a boutique technique into a mass phenomenon is the commoditization of the attack through Phishing-as-a-Service (PhaaS) platforms. Threat intelligence firm Sekoia.io identified eleven major AiTM phishing kits in active use during early 2025, with Tycoon 2FA earning the highest threat score of 4.8 out of 5 based on infrastructure monitoring and detection telemetry.
The PhaaS business model operates on a subscription basis, with access to fully featured kits ranging from $100 to $1,000 per month. Subscribers receive a complete attack framework: email templates, anti-bot protection that prevents security researchers from studying the infrastructure, campaign management dashboards, and Telegram integrations for exfiltrating stolen credentials and session cookies. The technical bar for running an MFA-bypassing campaign against Microsoft 365 is now lower than the bar for running a traditional credential-phishing campaign was five years ago.
Named kits dominating the current landscape include Tycoon 2FA, EvilProxy, Evilginx, Sneaky 2FA, NakedPages, Mamba 2FA, and Salty 2FA. Each targets Microsoft 365 and Google Workspace as primary endpoints, and each has been linked to active business email compromise and ransomware operations downstream.
What Attackers Do Once Inside a Compromised Account
Session hijacking is not the goal. It is the entry point. Once an attacker holds a valid session cookie for a user’s Microsoft 365 account, they have approximately the same access that user has—email, documents, calendar, connected SaaS applications, and any internal resources protected by single sign-on.
The most common post-compromise activities observed in 2025 include launching business email compromise campaigns from the victim’s real account, which bypasses domain authentication checks that would catch a spoofed external sender. Attackers also create malicious inbox rules that silently forward or delete incoming mail, hiding their activity from the victim while intercepting vendor communications, payroll messages, or wire transfer approvals. Data exfiltration through OneDrive or SharePoint is common, as is lateral movement to connected SaaS applications via OAuth token abuse.
This is why AiTM sits at the center of a broader email-based identity attack chain that increasingly drives operational downtime across industries. Related techniques such as credential stuffing at scale often compound the damage when reused credentials expose additional enterprise applications after an initial AiTM compromise.
Why Traditional Email Filters Miss AiTM Campaigns
Legacy secure email gateways were built to detect known-bad domains, malicious attachments, and suspicious URL patterns. AiTM lures evade most of these defenses by design.
The phishing domains used in AiTM campaigns are often newly registered and rotate frequently, defeating static reputation checks. The landing pages are reverse proxies to legitimate services, so URL scanners that fetch and analyze page content often see genuine Microsoft login HTML and return a clean verdict. TLS certificates are valid, issued by trusted certificate authorities for the attacker’s proxy domain. And because HTML and SVG attachments build the phishing page with client-side JavaScript at render time, the malicious content may not even be visible to a gateway scanner that only inspects the static file.
This is why Microsoft 365’s built-in inbox defenses often fall short against modern AiTM campaigns, and why layered email security remains critical for any organization running cloud-based mail.
Detection Signals Security Teams Should Monitor
Because AiTM attacks are malware-free and authenticate legitimately, detection has to shift from endpoint signals to identity and session signals. Security teams should monitor for impossible-travel sign-ins, where the same user account authenticates from geographically distant locations within impossibly short time windows. New-device sign-ins from atypical autonomous system numbers are another strong indicator.
Unusual inbox rule creation—particularly rules that auto-forward external mail, delete messages from specific senders, or move financial keywords to obscure folders—is one of the most reliable post-compromise signals. Session token reuse from a new IP address or user agent following a legitimate MFA event is a direct indicator of AiTM success. OAuth consent grants to newly registered third-party applications, especially those requesting mail read, mail send, or calendar permissions, warrant immediate investigation.
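As an added illustration (not code from the original article), here is a small Python detector for two of the signals above: a session token presented from a different IP address or user agent than the MFA event that minted it, and impossible travel between that MFA event and the later use. The event records, field names and the 900 km/h threshold are constructed assumptions, not any vendor's log schema.

```python
"""Flag AiTM-style session replay in constructed identity sign-in events."""
import math
from datetime import datetime

# Constructed sample events, not real telemetry. Each record models one
# identity-provider log line: an MFA success that minted a session cookie,
# or a later request that presented that cookie.
EVENTS = [
    {"ts": "2025-03-01T09:00:00", "user": "alice", "event": "mfa_success",
     "session": "S1", "ip": "203.0.113.10", "ua": "Chrome/123",
     "lat": 51.51, "lon": -0.13},   # London
    {"ts": "2025-03-01T09:06:00", "user": "alice", "event": "session_use",
     "session": "S1", "ip": "198.51.100.7", "ua": "Firefox/118",
     "lat": 40.71, "lon": -74.01},  # New York, six minutes later
    {"ts": "2025-03-01T09:30:00", "user": "bob", "event": "mfa_success",
     "session": "S2", "ip": "192.0.2.44", "ua": "Edge/122",
     "lat": 48.86, "lon": 2.35},
    {"ts": "2025-03-01T10:15:00", "user": "bob", "event": "session_use",
     "session": "S2", "ip": "192.0.2.44", "ua": "Edge/122",
     "lat": 48.86, "lon": 2.35},
]

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold; faster than this is "impossible travel"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect_session_hijack(events):
    """Return (user, session, reason) alerts for cookies used from a different
    IP/user agent than their MFA origin, or at an impossible travel speed."""
    alerts = []
    origin = {}  # session id -> the mfa_success record that created it
    for e in sorted(events, key=lambda r: r["ts"]):
        if e["event"] == "mfa_success":
            origin[e["session"]] = e
            continue
        o = origin.get(e["session"])
        if o is None:
            alerts.append((e["user"], e["session"], "session with no MFA origin"))
            continue
        if e["ip"] != o["ip"] or e["ua"] != o["ua"]:
            alerts.append((e["user"], e["session"], "token reused from new IP/user agent"))
        hours = (datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(o["ts"])).total_seconds() / 3600
        km = haversine_km(o["lat"], o["lon"], e["lat"], e["lon"])
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            alerts.append((e["user"], e["session"], "impossible travel"))
    return alerts
```

Alice's cookie, minted in London and replayed from a New York address with a different browser minutes later, trips both rules; Bob's consistent reuse produces nothing.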
The Defense Stack That Actually Works
Defending against AiTM phishing requires layered controls, because no single technology stops the attack in isolation. The most effective single control is phishing-resistant MFA based on FIDO2 and WebAuthn standards, including hardware security keys and passkeys. These methods cryptographically bind authentication to the legitimate domain, making it technically impossible for a reverse-proxy phishing site to replay the authentication.
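To show why a FIDO2/WebAuthn assertion cannot be relayed through a proxy domain, here is an added Python sketch (not from the article) of the relying-party checks in the WebAuthn assertion ceremony: the browser writes the page's real origin into clientDataJSON, and the authenticator hashes the relying-party ID into authenticatorData, so a login proxied through another domain fails verification. The domains, challenge and counter are constructed, and the final public-key signature check is left to a crypto library.

```python
"""Relying-party checks that bind a WebAuthn assertion to the legitimate
origin. Constructed scenario; no real keys or signatures are involved."""
import base64
import hashlib
import json
import struct

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_authenticator_data(rp_id: str, sign_count: int, flags: int = 0x05) -> bytes:
    """rpIdHash(32) || flags(1) || signCount(4), as an authenticator emits it.
    flags 0x05 = user present (bit 0) and user verified (bit 2)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON is filled in by the browser with the origin it actually
    loaded; a page served from a proxy domain gets that proxy's origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes,
                     expected_origin: str, rp_id: str):
    """The origin-binding steps of assertion verification. Returns
    (ok, reason, signed_bytes); signed_bytes is what the authenticator's
    signature covers and would next be checked against the stored public key."""
    c = json.loads(client_data)
    if c.get("type") != "webauthn.get":
        return False, "wrong ceremony type", b""
    if c.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay)", b""
    if c.get("origin") != expected_origin:
        return False, f"origin {c.get('origin')!r} is not {expected_origin!r}", b""
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch", b""
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set", b""
    return True, "ok", auth_data + hashlib.sha256(client_data).digest()

# Constructed scenario: the relying party is login.example.com. One legitimate
# login, and one whose page was served through a hypothetical proxy domain.
CHALLENGE = b"\x01\x02\x03\x04" * 8
AUTH = make_authenticator_data("example.com", sign_count=7)
LEGIT = verify_assertion(make_client_data("https://login.example.com", CHALLENGE),
                         AUTH, CHALLENGE, "https://login.example.com", "example.com")
PROXIED = verify_assertion(make_client_data("https://login.example.net", CHALLENGE),
                           AUTH, CHALLENGE, "https://login.example.com", "example.com")
```

In practice the browser refuses even earlier, because a page on the proxy domain cannot request an assertion for a relying-party ID it does not own; the server-side origin and rpIdHash checks are the backstop.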
Conditional access policies that evaluate session risk based on device compliance, geographic location, and behavioral baselines add a critical second layer. Session token binding, where available, ties the session cookie to the specific device that completed authentication, preventing an exfiltrated cookie from being used on an attacker’s machine.
At the email perimeter, advanced threat protection that includes URL detonation, attachment sandboxing, and real-time phishing kit signature detection remains essential for catching AiTM lures before they reach users. Impersonation defense layers help detect the internal business email compromise campaigns that typically follow account compromise, and account takeover protection monitors for the anomalous behavior that indicates a session has been hijacked.
User training must also evolve. Traditional phishing awareness programs focused on spotting misspelled domains and unusual sender addresses. AiTM lures often pass those checks. Modern phishing simulation training needs to cover reverse-proxy scenarios, unusual authentication prompts, and the importance of reporting suspicious sign-in activity regardless of whether the login appeared to succeed.
AiTM phishing also reinforces the importance of understanding how modern MFA bypass techniques work in general, as AiTM and MFA fatigue attacks together represent the two dominant pathways attackers use to defeat multi-factor authentication in enterprise environments.
Key Takeaways for Business Leaders
The AiTM attack surface will continue to expand as long as session-based authentication remains the default for cloud services. Organizations that treat MFA as a sufficient defense are operating under an outdated threat model. Phishing-resistant authentication, layered email defenses, session monitoring, and updated user training are the minimum controls required to stay ahead of attackers who have industrialized the bypass of traditional MFA.
The question is no longer whether AiTM campaigns will reach an organization’s users. Thousands of organizations are targeted every month by Tycoon 2FA and its peers. The question is whether detection, response, and defense-in-depth controls are positioned to stop session hijacking before it becomes a full compromise.
By Thomas McDonald
