TL;DR: Adversary-in-the-middle (AiTM) attacks let criminals hijack a logged-in account even when multi-factor authentication is turned on. The attacker sits between you and the real login page, waits for you to sign in, then steals the session token that proves you did. The fix isn’t more MFA. It’s phishing-resistant MFA, tighter access rules, and watching for activity after login.
You click a link, sign in, approve the MFA prompt, and move on with your day. You have no idea that someone else just logged into your account at the same moment. That’s the reality of adversary-in-the-middle attacks, and they’re catching well-protected businesses off guard.
Many owners assume multi-factor authentication (MFA) closes the door on account takeover. It closes a lot of doors. But AiTM attacks walk through a different one. Instead of stealing your password to use later, they hijack the trusted session that exists after you’ve already logged in.
MFA is still essential, and setting it up correctly is one of the smartest first moves any business can make. The problem is that MFA was never built to protect what happens after you authenticate. That gap is what these attacks exploit. Phishing is how they get in, so strong email and spam protection matters, but it’s only part of the answer.
What Is an Adversary-in-the-Middle Attack?
An adversary-in-the-middle attack is a real-time phishing technique where an attacker secretly relays traffic between you and a real login page. They let you sign in normally, then steal the session token your account hands back. That token gives them full access without your password or your MFA code.
Phishing used to be about collecting usernames and passwords. That goal has changed. Today’s phishing wants the authenticated session itself, because a live session grants access immediately, while a stolen password may never get past MFA when the attacker tries to use it later.
Security researchers have tracked a clear shift toward session and token theft. Attackers don’t try to reuse stolen credentials, which MFA usually blocks. They wait until you finish logging in, then grab the token that proves it happened. Phishing-as-a-service kits now hand even low-skilled attackers ready-made tools that run these campaigns against Microsoft 365 and Google Workspace.
Why Doesn’t MFA Stop These Attacks?
MFA protects the moment you log in, not the trusted session that exists afterward. Once you pass MFA, the service hands your browser a session cookie that says “this person is verified.” From that point, no password or MFA prompt is required. Whoever holds the cookie holds the access.
This is where a lot of security assumptions fall apart. AiTM attacks simply wait for that cookie to be issued, then steal it. The numbers back this up. Microsoft tracked a 146% rise in AiTM attacks over a single year, as criminals shifted their focus to accounts already protected by MFA.
How AiTM Attacks Actually Work
An AiTM phishing site isn’t a simple copy of a login page. It’s a live reverse proxy. In plain terms, the attacker’s system sits in the middle and passes your traffic back and forth to the real service in real time.
Every keystroke, redirect, and server response flows through the attacker’s system. From your point of view, nothing looks wrong. The page shows the correct branding, the redirects work, and the MFA prompt does its job. Often the only clue is a slightly off URL, which is easy to miss on a phone or when you’re in a hurry.
Here’s the part that catches people. When you finish MFA, the real service issues a session cookie to confirm you’re verified. The attacker, sitting in the middle, captures it. A session token works like a bearer credential: the service accepts it from whoever presents it, without asking again who they are.
The attacker then loads your cookie into their own browser and picks up your session. They don’t log in. They step into a session that’s already trusted and verified. That’s a session replay attack, and it’s why these campaigns work so well.
What Happens After an Attacker Steals Your Session?
The aftermath is quiet, which is exactly what makes it dangerous. The attacker is working inside a real, verified session. There are no failed logins, no unusual sign-in alerts, and nothing in standard logs to wave a red flag.
Research from Proofpoint shows what attackers tend to do once inside. They create hidden inbox rules to quietly forward mail, register their own MFA method to lock in long-term access, watch email threads for conversations about money, then use the trusted account to phish your coworkers or finance team.
These follow-up moves are a big reason AiTM attacks get caught late. By the time someone notices, financial fraud, data exposure, or wider network access has often already started.
How Can Your Business Reduce AiTM Risk?
You reduce AiTM risk by adding controls that reach past the login screen: phishing-resistant MFA, risk-based access rules, monitoring for activity after login, and training your team to spot suspicious URLs. MFA stays the baseline. These controls protect the session it can’t.
Adopt phishing-resistant MFA. Methods like FIDO2 hardware keys and passkeys tie your login to your specific device and the real website address. A proxy in the middle can’t relay them, because the process fails when the URL isn’t genuine. The Canadian Centre for Cyber Security studied more than 100 AiTM campaigns and found that phishing-resistant MFA consistently blocked session theft where standard methods, including push notifications and one-time codes, did not. Building this into your layered cybersecurity protection is one of the highest-value steps you can take.
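To show why origin binding is what makes FIDO2 keys and passkeys fail on a proxy page, here is an added Python sketch of the relying-party checks (not code from the original post, and not a WebAuthn library). The origins, the RP ID, and the HMAC stand-in for the authenticator's key pair are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed origins: a hypothetical relying party (RP) and a look-alike proxy.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-com.net"

# Stand-in for the authenticator's private key. Real WebAuthn signs with an
# asymmetric key pair; HMAC is used here only so the example runs on the stdlib.
AUTHENTICATOR_KEY = os.urandom(32)

def authenticator_assert(challenge: bytes, page_origin: str) -> dict:
    """Browser + authenticator answering a login challenge.

    The browser, not the user, writes the origin it is actually on into
    clientDataJSON and hashes that origin's domain into authenticatorData.
    A user lured onto a proxy page cannot change either value.
    """
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    rp_id_hash = hashlib.sha256(page_origin.split("://", 1)[1].encode()).digest()
    auth_data = rp_id_hash + b"\x01" + (0).to_bytes(4, "big")   # flags, counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(AUTHENTICATOR_KEY, to_sign, hashlib.sha256).digest()}

def rp_verify(challenge: bytes, assertion: dict) -> tuple:
    """Relying-party checks, in the order a WebAuthn server performs them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("challenge") != challenge.hex():
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:           # this is the check a proxy cannot pass
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def simulate_login(page_origin: str) -> tuple:
    """The proxy can relay the RP's challenge unchanged; only the page origin differs."""
    challenge = os.urandom(32)
    return rp_verify(challenge, authenticator_assert(challenge, page_origin))
```

Contrast this with a one-time code or push approval, which carries no origin at all and therefore verifies no matter which page the user typed it into.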
Tighten your access policies. Risk-based access controls look at extra signals, such as device health, location, and session behavior, instead of trusting every login forever. Configured well, they can block unusual access even when a stolen token looks valid. This is work that benefits from a dedicated security strategy rather than default settings.
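This added example (not the post's code) puts the bearer-cookie problem from "How AiTM Attacks Actually Work" beside the session-context checks described here: a session store that trusts the cookie alone, and one that compares each request against the context the cookie was issued in. The signal names and drift weights are assumptions for illustration, not a specific product's policy engine.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example of server-side session handling; names and the drift
# weights are assumptions, not a specific product's policy engine.

@dataclass
class Session:
    user: str
    country: str            # where the cookie was issued
    asn: int                # network it was issued to
    ua: str                 # browser family at issuance
    device_compliant: bool  # managed-device check at issuance
    revoked: bool = False

SESSIONS: Dict[str, Session] = {}

def issue(user: str, country: str, asn: int, ua: str, compliant: bool) -> str:
    """Hand out a session cookie after a successful login + MFA."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user, country, asn, ua, compliant)
    return token

def bearer_only(token: str) -> Optional[str]:
    """Weak form: the cookie alone is the proof. Whoever presents it is the user."""
    s = SESSIONS.get(token)
    return s.user if s and not s.revoked else None

def bound_session(token: str, country: str, asn: int, ua: str, compliant: bool) -> str:
    """Hardened form: every request is checked against the issuance context."""
    s = SESSIONS.get(token)
    if s is None or s.revoked:
        return "deny"
    drift = 0
    if country != s.country:  drift += 3   # token now used from another country
    if asn != s.asn:          drift += 2   # and from another network
    if ua != s.ua:            drift += 2   # in a browser it was never issued to
    if not compliant:         drift += 2   # on a device the tenant does not manage
    if drift == 0:
        return "allow"
    if drift <= 2:
        return "step_up"    # small change: re-prompt before continuing
    s.revoked = True        # looks like replay: end the session, require a fresh sign-in
    return "revoke"
```

Browser and location signals can be copied by a determined attacker, so this narrows the window for a replayed cookie rather than closing it; that is why the post lists phishing-resistant MFA first.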
Watch for activity after login. Catching AiTM compromise means looking past the login event. Keep an eye out for new MFA methods, inbox rules created at odd hours, access from unfamiliar places, and unusual data activity. Sign-in logs alone won’t surface the problem, which is why protecting active login sessions deserves its own set of controls.
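An added example (not from the original post) of the post-login checks just described, run over a handful of constructed audit records: a second sign-in from another country moments after the first, a newly registered MFA method, and a forwarding inbox rule created at night. The field names, operation names and thresholds are assumptions for this example, not any vendor's schema.

```python
import json
from datetime import datetime
# Constructed, simplified audit records. The field names are assumptions for
# this example, not any vendor's exact schema; map your tenant's export onto them.
SAMPLE_LOG = """
{"time": "2024-03-04T09:02:11Z", "user": "dana@example.com", "op": "UserLoggedIn", "country": "US"}
{"time": "2024-03-04T09:02:40Z", "user": "dana@example.com", "op": "UserLoggedIn", "country": "NL"}
{"time": "2024-03-04T09:05:03Z", "user": "dana@example.com", "op": "RegisterSecurityInfo", "country": "NL", "method": "Authenticator app"}
{"time": "2024-03-04T10:30:00Z", "user": "lee@example.com", "op": "New-InboxRule", "country": "US", "rule": {"name": "Newsletters", "move_to": "Reading"}}
{"time": "2024-03-05T02:17:55Z", "user": "dana@example.com", "op": "New-InboxRule", "country": "NL", "rule": {"name": ".", "forward_to": "archive@example-mail.net", "delete": true}}
"""
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59; the sample's timestamps are UTC
RELOGIN_WINDOW_SEC = 15 * 60    # a second login from another country this soon is odd

def parse(log_text: str) -> list:
    records = [json.loads(line) for line in log_text.strip().splitlines()]
    for r in records:
        r["ts"] = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
    return sorted(records, key=lambda r: r["ts"])

def inbox_rule_reasons(r: dict) -> list:
    rule, reasons = r["rule"], []
    if "forward_to" in rule:
        reasons.append("forwards to " + rule["forward_to"])
    if rule.get("delete"):
        reasons.append("deletes messages")        # hides the forwarded copies
    if len(rule.get("name", "")) <= 1:
        reasons.append("near-empty rule name")    # '.' style names are a common tell
    if r["ts"].hour not in BUSINESS_HOURS:
        reasons.append("created at " + r["ts"].strftime("%H:%M") + " UTC")
    return reasons

def find_post_login_indicators(log_text: str) -> list:
    """Return (user, finding) pairs for activity that only shows up after login."""
    alerts, last_login = [], {}
    for r in parse(log_text):
        user, op = r["user"], r["op"]
        if op == "UserLoggedIn":
            prev = last_login.get(user)
            gap = int((r["ts"] - prev["ts"]).total_seconds()) if prev else None
            if prev and prev["country"] != r["country"] and gap < RELOGIN_WINDOW_SEC:
                alerts.append((user, f"second login from {r['country']} {gap}s after {prev['country']}"))
            last_login[user] = r
        elif op == "RegisterSecurityInfo":   # intruder adding a method to keep access
            alerts.append((user, f"new MFA method '{r['method']}' registered from {r['country']}"))
        elif op in ("New-InboxRule", "Set-InboxRule"):
            if reasons := inbox_rule_reasons(r):
                alerts.append((user, "suspicious inbox rule: " + "; ".join(reasons)))
    return alerts
```

Note that none of the three findings comes from a failed login; every record in the sample is a successful, "normal" action inside a verified session.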
Train your team on URL awareness. A working MFA prompt on a slightly wrong-looking page is still a risk. Employees who understand that are far more likely to pause, check the address, and report it before damage is done. Regular security awareness training turns your staff into an early warning system instead of a soft target.
MFA Is a Baseline, Not a Finish Line
Three things are worth remembering. AiTM attacks bypass MFA by stealing the session, not the password. The damage is quiet and often goes unnoticed for weeks. And the businesses that stay protected build controls around the whole login lifecycle, not just the sign-in box.
You don’t have to sort this out alone. As part of our managed IT services in Louisville, we help small and mid-sized businesses close these exact gaps before an attacker finds them first. To see where your identity security stands today, schedule an intro call with our team.
Frequently Asked Questions
What is an adversary-in-the-middle (AiTM) attack?
An adversary-in-the-middle attack is a phishing technique where an attacker secretly relays your traffic between you and a real login page in real time. You log in as normal, but the attacker captures the session token your account creates. That token lets them access your account without your password or MFA code.
Can AiTM attacks bypass multi-factor authentication?
Yes. MFA protects the moment you log in, but not the session that exists afterward. Once you pass MFA, the service issues a session cookie that proves you’re verified. AiTM attacks steal that cookie and reuse it, so no further password or MFA prompt is needed. This is why MFA, while essential, isn’t enough on its own.
What is phishing-resistant MFA and do we need it?
Phishing-resistant MFA uses methods like FIDO2 hardware keys and passkeys that tie your login to your device and the real website address. A fake page in the middle can’t relay them, so the attack fails. For businesses that handle sensitive data, finances, or client information, it’s one of the strongest defenses against session theft available today.
How would we even know if a session was stolen?
You usually won’t see it in standard sign-in logs, because the attacker is inside a verified session. The warning signs come after login: new MFA methods you didn’t add, inbox rules created at odd hours, mail forwarding you didn’t set up, or access from unfamiliar locations. Monitoring for these signals is key. Our cybersecurity essentials guide covers what to watch for.
Are small businesses really a target for AiTM attacks?
Yes. Phishing-as-a-service kits have made these attacks cheap and easy to run at scale, so attackers no longer focus only on large enterprises. Smaller businesses are often seen as easier targets because they tend to have fewer layered defenses. The good news is that the right controls level the field quickly.
Let’s Find Your Gaps Before an Attacker Does
You shouldn’t have to wonder whether your MFA is actually protecting your accounts or just creating a false sense of safety. If you’re ready to see where your identity security stands and what it would take to close the gaps, we’re glad to walk through it with you. Reach out to the Z-JAK team here.
