Session hijacking allows attackers to bypass MFA by stealing session tokens. Learn how AitM attacks work and how to detect them before damage occurs
An adversary-in-the-middle (AiTM) attack is a sophisticated cyberattack where a malicious actor positions themselves between a user and a legitimate website or service to steal credentials and session data. Unlike traditional phishing attempts, AiTM attacks use proxy servers to intercept real-time authentication, allowing cybercriminals to bypass multi-factor authentication (MFA) and access accounts even when users follow proper security protocols.
TL;DR: AiTM attacks represent an evolution of traditional man-in-the-middle attacks, specifically targeting authentication processes. Cybercriminals create fake login pages that act as proxies between users and legitimate services, capturing both credentials and session cookies to bypass security measures like MFA. These attacks are particularly dangerous because they can compromise accounts in real-time, even when users believe they're following best security practices.
AiTM attacks have become a significant concern for cybersecurity professionals because they exploit the trust users place in familiar login processes. When someone receives what appears to be a legitimate email from Microsoft, Google, or their bank asking them to log in, they might not realize they're stepping into an elaborate trap designed to steal their digital identity.
How AiTM attacks work
Understanding how these attacks unfold helps illustrate why they're so effective against unsuspecting users. The process typically begins with a carefully crafted phishing email that appears to come from a trusted source.
The initial deception
Cybercriminals start by sending phishing emails that closely mimic legitimate communications from popular services like Office 365, Gmail, or banking platforms. These emails often create urgency by claiming account suspension, security breaches, or required updates. The key difference from traditional phishing is that the malicious link doesn't lead to a static fake website—it connects to a dynamic proxy server.
Setting up the proxy trap
The attacker deploys a reverse proxy server that sits between the victim and the legitimate website. Tools like Evilginx and Modlishka have made this technique more accessible for cybercriminals to implement, allowing them to create convincing replicas of login pages that function in real-time. When a user clicks the malicious link, they're directed to this proxy server, which immediately begins fetching content from the real website.
Real-time data interception
As the user enters their credentials on what appears to be the legitimate login page, the proxy server captures this information and simultaneously forwards it to the real website. This creates a seamless experience for the victim—they successfully log into their account and might even complete their intended task. However, the attacker now possesses both their username and password.
Session cookie theft
The most dangerous aspect of AiTM attacks occurs after successful authentication. When the legitimate website returns a session cookie to confirm the user's identity, the proxy server intercepts this cookie and provides a copy to the attacker. Session cookies act like temporary digital keys, allowing continued access to an account without requiring repeated authentication. Even if the user has MFA enabled, the stolen session cookie bypasses this protection entirely.
Maintaining persistent access
With a valid session cookie, attackers can access the victim's account from their own devices and locations. They often work quickly to change recovery email addresses, create new authentication methods, or extract valuable data before the legitimate user notices any suspicious activity.
Evolution from traditional phishing
AiTM attacks represent a significant advancement in cybercriminal tactics. Traditional phishing relied on static fake websites that would simply collect credentials and display error messages. Users might realize they'd been tricked when they couldn't access their accounts, but by then, it was too late.
At the same time, as more users implemented MFA on their accounts, that stopped less sophisticated phishing attacks dead in their tracks. Attackers might have collected the account credentials, but they would be prompted for a second form of authentication.
More modern attacks like AiTM bypass some forms of MFA while also flying under the radar. Users successfully log in, complete their tasks, and remain unaware that their credentials have been compromised. This seamless experience makes detection much more difficult and gives attackers more time to exploit stolen access.
According to Microsoft's threat intelligence reports, AiTM attacks have targeted over 10,000 organizations worldwide, with financial services and healthcare sectors being particularly vulnerable due to the sensitive nature of their data.
Common AiTM attack scenarios
Corporate email compromise
Many AiTM attacks begin with targeting employees' Office 365 or Google Workspace accounts. Once attackers gain access to a corporate email account, they can monitor internal communications, identify valuable targets, and launch business email compromise (BEC) scams. They might impersonate executives to request wire transfers or manipulate vendor payment information.
Financial account takeovers
Banking and financial services face significant risks from AiTM attacks because session cookies can provide immediate access to account balances, transaction histories, and money transfer capabilities. Attackers often work quickly to modify contact information and initiate unauthorized transfers before account holders notice suspicious activity.
Healthcare data breaches
Healthcare organizations store vast amounts of sensitive personal information, making them attractive targets for AiTM attacks. Stolen session cookies can provide access to patient records, insurance information, and other protected health data that can be sold on dark web marketplaces.
Recognizing AiTM attack attempts
While these attacks are sophisticated, several warning signs can help users identify potential threats:
Email Red Flags:
Urgent language demanding immediate action
Slight variations in sender domains (like "microsft" instead of "microsoft")
Generic greetings instead of personalized messages
Requests to click links rather than directing users to type URLs directly
Website Indicators:
URLs that don't match the official domain exactly
Missing or invalid SSL certificates
Unusual login processes or additional steps not normally required
Pages that load slowly or display formatting inconsistencies
Post-Login Warnings:
Unexpected password change confirmations
New device login notifications from unfamiliar locations
Missing emails or calendar entries
Unusual account activity in security logs
Defending against AiTM attacks
Protecting against AiTM attacks requires a multi-layered approach that combines technical controls with user education and awareness.
Implementing phishing-resistant authentication
Traditional MFA methods like SMS codes or authentication apps can be bypassed by AiTM attacks. Organizations should consider implementing phishing-resistant authentication methods such as:
Hardware security keys that use WebAuthn protocols
Certificate-based authentication tied to specific devices
Biometric authentication that can't be intercepted remotely
Conditional access policies that evaluate device trust and location consistency
User education and awareness training
Regular employee security awareness training helps employees recognize and report potential AiTM attacks. Effective programs should include:
Simulated phishing exercises that mirror current AiTM techniques
Clear reporting procedures for suspicious emails or websites
Regular updates about emerging threats and attack methods
Recognition programs for employees who successfully identify and report threats
Technical security controls
Organizations can implement several technical measures to detect and prevent AiTM attacks:
Network monitoring: Deploy systems that analyze traffic patterns and identify connections to known malicious proxy servers. Unusual authentication patterns from impossible geographic locations can indicate compromised accounts.
Session management: Implement shorter session cookie lifespans and require periodic re-authentication for sensitive operations. Monitor for session cookies being used from multiple locations simultaneously.
DNS security: Use secure DNS services that can block access to newly registered domains and known malicious infrastructure commonly used in AiTM attacks.
Email security: Deploy advanced email filtering that can detect and quarantine emails containing links to potential AiTM sites, even when they use legitimate URL shorteners or redirect services.
Staying one step ahead
AiTM attacks represent a sobering reality in our interconnected digital world—even security-conscious users following best practices can fall victim to these sophisticated schemes. The key to protection lies not in perfection, but in building multiple layers of defense and maintaining constant vigilance.
Organizations must move beyond traditional security measures and embrace phishing-resistant authentication methods while investing in comprehensive user education. Individual users should remain skeptical of urgent login requests, verify website URLs carefully, and report suspicious activities immediately.
As cybercriminals continue evolving their tactics, the cybersecurity community must adapt with equal innovation and determination. Understanding AiTM attacks is the first step in building stronger defenses against these increasingly prevalent threats.
Frequently Asked Questions
AiTM attacks use real-time proxy servers to intercept authentication, allowing users to successfully log in while stealing their credentials and session data. Traditional phishing uses static fake websites that simply collect information and display error messages.
Traditional MFA methods like SMS codes or authenticator apps cannot fully protect against AiTM attacks because they steal session cookies after successful authentication. However, phishing-resistant authentication methods like hardware security keys can provide better protection.
Attackers often work within minutes or hours of obtaining session cookies, as these tokens typically have limited lifespans. They prioritize changing account recovery information and extracting valuable data before detection.
Immediately change your password, revoke all active sessions, enable additional security measures, and notify your IT security team. Monitor your accounts closely for unauthorized changes or activities.
Yes, financial services, healthcare organizations, and technology companies face higher risks due to the sensitive nature of their data and the potential financial gains for attackers.
Related Resources
Protect What Matters
Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free
