What is AiTM Phishing?
Phishing kits now include adversary-in-the-middle (AitM) capabilities as standard features to bypass email security.
AiTM vs. MiTM Attacks: What's the Difference?
Cybercriminals are evolving beyond traditional man-in-the-middle (MiTM) attacks. Adversary-in-the-Middle (AiTM) phishing is a new variant that intercepts cloud session tokens—bypassing multi-factor authentication (MFA) and exposing businesses to rapid account takeover.
While MiTM attacks exploit network-level vulnerabilities, AiTM attacks operate at the authentication layer—using fake login pages to capture credentials and hijack tokens.
Modern phishing kits now commonly include AiTM capabilities, making these attacks more accessible to cybercriminals and harder for security teams to detect. Obsidian Security has observed that up to 77% of phishing sites employ evasion techniques, such as turnstiles, CAPTCHAs, and IP filtering, to prevent detection.
Organizations that rely on traditional email security and MFA alone must adapt their defenses to counter this growing threat.
How AiTM Phishing Works
AiTM phishing attacks work by inserting an attacker-controlled proxy, often a fake login page, between a victim and a legitimate website. The attacker intercepts the login process through this proxy, effectively hijacking user sessions and secretly capturing sensitive information.
The attack typically follows these steps:
1. Phishing Email Delivery
- Attackers send a phishing email containing a link to a fake login page.
- The email impersonates a trusted service, such as Microsoft 365 or a corporate portal.
2. Proxy-Based Credential Theft
- The victim clicks the malicious link, which directs them to a fake login page hosted on an attacker-controlled proxy server.
- Behind the scenes, the proxy relays requests between the victim and the legitimate site, making the fake login page appear authentic.
3. Session Hijacking via Token Theft
- Once the victim enters their credentials, the proxy forwards them to the real website, allowing the login to succeed.
- The attacker captures the session cookie, which authenticates the user’s session.
4. Bypassing Multi-Factor Authentication (MFA)
- If MFA is enabled, the attacker waits for the victim to complete the verification process.
- The stolen token is then used to authenticate, allowing the attacker to bypass MFA protections—they may use the same session cookie for persistence.
5. Post-Exploitation
- With the valid session token, attackers use the hijacked account to move laterally, accessing corporate systems, stealing data, conducting financial fraud, or escalating privileges.
- They may maintain persistence by creating new authentication tokens or manipulating security settings, evading further detection.
Why Adversary-in-the-Middle Attacks Are So Dangerous
1. Bypass Traditional Security Measures
Many organizations rely on MFA to protect accounts from compromise. However, AiTM phishing defeats MFA by stealing session cookies after authentication, rendering one-time passwords (OTPs), push notifications, and app-based authenticators ineffective.
- 84% of compromised accounts observed by Obsidian Security had MFA enabled.
2. Stealthy and Hard to Detect
Since the victim interacts with the legitimate website through an attacker-controlled proxy, traditional phishing detection methods like email gateways can fail to identify malicious activity. Security logs may show a normal login from a trusted location, hiding the fact that an attacker is intercepting the session. MiTM attacks often use TLS encryption, making network traffic analysis less effective at spotting anomalies.
- 93% of phishing compromises observed by Obsidian bypassed email security.
3. Rapid Account Takeover and Data Theft
Once an attacker gains access to a session, they can:
- Move laterally across cloud applications and internal systems and download sensitive data
- Change account recovery settings, complicating the process for users to regain account control
- Generate new authentication tokens to stealthily create new and maintain persistent access
4. Phishing Kits with AiTM Are Widely Available
Adversary-in-the-middle attack capabilities are no longer limited to advanced cybercriminals. Ready-made phishing kits now integrate AiTM features, making it easier for less sophisticated attackers to execute these campaigns. Some popular AiTM phishing toolkits include Evilginx and Tycoon.
These toolkits allow attackers to automate session hijacking, making large-scale AiTM attacks more feasible.
How to Detect and Prevent AiTM Phishing Attacks
To defeat modern man-in-the-middle attacks, security teams must harden their defenses where identity compromise actually occurs: the browser. Obsidian Security offers an in-browser AiTM phishing prevention solution that stops 100% of popular kits like Evilginx and Tycoon.
Integrated in the browser, Obsidian Security deeply inspects web content using advanced visual analysis plus applied threat intelligence to instantly block malicious webpages as soon as they render—even for never-before-seen phishing kits or personal email attacks.
By seeing what the user sees, Obsidian can thwart AiTM evasion techniques that bypass Proofpoint, Abnormal, and other security solutions. Get started for free to begin detecting AiTM phishing threats.
Why You Need AiTM-Specific Defenses
Man-in-the-Middle attacks like AiTM phishing are a major evolution in cyber threats, capable of bypassing traditional MFA and leading to rapid account takeovers. With phishing kits integrating AiTM as a standard feature, organizations must adopt phishing-resistant authentication methods, AI-powered security monitoring, and user training to defend against these sophisticated attacks.
The future of phishing prevention lies in Zero-Trust principles, stronger authentication standards, and real-time behavioral threat detection. As AiTM phishing techniques continue to evolve, organizations must stay proactive in their cybersecurity approach to mitigate these growing risks.
