April 28, 2025

What Are Adversary-in-the-Middle (AiTM) Attacks?

Scott Young

What is AiTM Phishing?

Phishing kits now include adversary-in-the-middle (AitM) capabilities as standard features to bypass email security.

What Are Man-in-the-Middle (MiTM) and Adversary-in-the-Middle (AiTM) Attacks?

Cybercriminals are constantly evolving their tactics to bypass security measures. Man-in-the-middle (MiTM) and Adversary-in-the-Middle (AiTM) phishing attacks have become two of their most effective tools—capable of hijacking sessions and stealing tokens in real time. MiTM attacks tend to focus on network intrusion, while newer AiTM variants rely mostly on social engineering and phishing.

Unlike traditional phishing that tricks users into revealing credentials, AiTM attacks intercept the authentication process between users and legitimate applications. By capturing session cookies or authentication tokens—such as JSON Web Tokens (JWTs)—attackers can bypass even multi-factor authentication (MFA) and gain full access to cloud accounts. This opens the door to account takeover, lateral movement, and data theft.

Modern phishing kits now commonly include AiTM capabilities, making these attacks more accessible to cybercriminals and harder for security teams to detect. Obsidian Security has observed that up to 77% of phishing sites employ evasion techniques, such as turnstiles, CAPTCHAs, and IP filtering, to prevent detection.

Organizations that rely on traditional email security and MFA alone must adapt their defenses to counter this growing threat.

How AiTM Phishing Works

AiTM phishing attacks insert an attacker-controlled proxy, typically presenting a fake login page, between a victim and a legitimate website. Through this proxy, the attacker intercepts the login process, hijacking the user's session and silently capturing sensitive information.

The attack typically follows these steps:

1. Phishing Email Delivery
  • Attackers send a phishing email containing a link to a fake login page.
  • The email impersonates a trusted service, such as Microsoft 365 or a corporate portal.

2. Proxy-Based Credential Theft
  • The victim clicks the malicious link, which directs them to a fake login page hosted on an attacker-controlled proxy server.
  • Behind the scenes, the proxy relays requests between the victim and the legitimate site, making the fake login page appear authentic.

3. Session Hijacking via Token Theft
  • Once the victim enters their credentials, the proxy forwards them to the real website, allowing the login to succeed.
  • The attacker captures the session cookie, which authenticates the user’s session.

4. Bypassing Multi-Factor Authentication (MFA)
  • If MFA is enabled, the attacker waits for the victim to complete the verification process.
  • The stolen token is then used to authenticate, allowing the attacker to bypass MFA protections—they may use the same session cookie for persistence.

5. Post-Exploitation
  • With the valid session token, attackers use the hijacked account to move laterally, accessing corporate systems, stealing data, conducting financial fraud, or escalating privileges.
  • They may maintain persistence by creating new authentication tokens or manipulating security settings, evading further detection.
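As an added example (not from the original post), a simple detector for the token theft in steps 3 and 4: a session cookie that completed login from one client is later presented from a different IP or user agent. The log format, field names and sample lines are constructed assumptions; real sign-in logs carry richer fields, and this heuristic will also fire on benign events such as a VPN switch, so it is a triage signal rather than proof of compromise.

```python
import re
from datetime import datetime, timedelta

# Assumed log format: "<ISO time> <event> sess=<id> ip=<addr> ua=<agent>"
LINE = re.compile(
    r"(?P<ts>\S+) (?P<event>\S+) sess=(?P<sess>\S+) ip=(?P<ip>\S+) ua=(?P<ua>.+)$"
)

# Constructed sample sign-in log: session abc123 completes MFA from one client,
# then its cookie is presented from another IP and user agent 89 seconds later;
# session def456 is benign.
SAMPLE_LOG = """\
2025-04-28T09:00:01Z login_success sess=abc123 ip=203.0.113.10 ua=Chrome/124
2025-04-28T09:00:05Z mfa_success sess=abc123 ip=203.0.113.10 ua=Chrome/124
2025-04-28T09:00:09Z request sess=abc123 ip=203.0.113.10 ua=Chrome/124
2025-04-28T09:01:30Z request sess=abc123 ip=198.51.100.77 ua=curl/8.0
2025-04-28T09:05:00Z login_success sess=def456 ip=192.0.2.5 ua=Firefox/125
2025-04-28T09:06:00Z request sess=def456 ip=192.0.2.5 ua=Firefox/125
"""

def parse(log):
    """Yield one dict per well-formed log line, with ts parsed to datetime."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev

def detect_session_reuse(log, window=timedelta(hours=1)):
    """Alert when a session cookie is presented, within `window` of login,
    by a client (IP or user agent) other than the one that logged in."""
    issued = {}  # session id -> (login time, ip, ua) seen at login_success
    alerts = []
    for ev in parse(log):
        if ev["event"] == "login_success":
            issued[ev["sess"]] = (ev["ts"], ev["ip"], ev["ua"])
            continue
        origin = issued.get(ev["sess"])
        if origin is None or ev["ts"] - origin[0] > window:
            continue  # no login on record, or outside the correlation window
        login_ts, ip, ua = origin
        if ev["ip"] != ip or ev["ua"] != ua:
            alerts.append({"sess": ev["sess"], "login_ip": ip, "reuse_ip": ev["ip"],
                           "reuse_ua": ev["ua"],
                           "seconds_after_login": int((ev["ts"] - login_ts).total_seconds())})
    return alerts
```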

Why MiTM and AiTM Attacks Are Dangerous

1. Bypass Traditional Security Measures

Many organizations rely on MFA to protect accounts from compromise. However, AiTM phishing defeats MFA by stealing session cookies after authentication, rendering one-time passwords (OTPs), push notifications, and app-based authenticators ineffective.

  • 84% of compromised accounts observed by Obsidian Security had MFA enabled.

2. Stealthy and Hard to Detect

Since the victim interacts with the legitimate website through an attacker-controlled proxy, traditional phishing detection methods like email gateways can fail to identify malicious activity. Security logs may show a normal login from a trusted location, hiding the fact that an attacker is intercepting the session. MiTM proxies typically use TLS encryption, making network traffic analysis less effective at spotting anomalies.

  • 93% of phishing compromises observed by Obsidian bypassed email security.

3. Rapid Account Takeover and Data Theft

Once an attacker gains access to a session, they can:

  • Move laterally across cloud applications and internal systems and download sensitive data
  • Change account recovery settings, making it harder for the legitimate user to regain control of the account
  • Generate new authentication tokens to stealthily establish and maintain persistent access

4. Phishing Kits with AiTM Are Widely Available

Adversary-in-the-middle attack capabilities are no longer limited to advanced cybercriminals. Ready-made phishing kits now integrate AiTM features, making it easier for less sophisticated attackers to execute these campaigns. Some popular AiTM phishing toolkits include Evilginx and Tycoon.

These toolkits allow attackers to automate session hijacking, making large-scale AiTM attacks more feasible.

How to Defend Against AiTM Phishing

To defeat modern man-in-the-middle attacks, security teams must harden their defenses where identity compromise actually occurs: the browser. Obsidian Security offers an in-browser AiTM phishing prevention solution that stops 100% of popular kits like Evilginx and Tycoon.

Integrated in the browser, Obsidian Security deeply inspects web content using advanced visual analysis plus applied threat intelligence to instantly block malicious webpages as soon as they render—even for never-before-seen phishing kits or personal email attacks.

By seeing what the user sees, Obsidian can thwart AiTM evasion techniques that bypass Proofpoint, Abnormal, and other security solutions. Get started for free to begin detecting AiTM phishing threats.

Conclusion

Man-in-the-Middle attacks like AiTM phishing are a major evolution in cyber threats, capable of bypassing traditional MFA and leading to rapid account takeovers. With phishing kits integrating AiTM as a standard feature, organizations must adopt phishing-resistant authentication methods, AI-powered security monitoring, and user training to defend against these sophisticated attacks.
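The call for phishing-resistant authentication rests on origin binding; as an added example (not from the original post), this sketch shows why a FIDO2/WebAuthn relying party rejects a sign-in relayed through an AiTM proxy even though the proxy forwards the challenge faithfully. The origins, the key and the HMAC stand-in for the authenticator's public-key signature are constructed assumptions.

```python
import hashlib, hmac, json, secrets

RP_ORIGIN = "https://login.example.com"        # constructed legitimate origin
PROXY_ORIGIN = "https://login.example-com.net"  # constructed lookalike proxy origin
KEY = b"constructed-authenticator-key"          # stand-in for the credential's key

def authenticator_sign(client_data: bytes) -> bytes:
    """Stand-in for the authenticator's signature over SHA-256(clientDataJSON).
    Real WebAuthn uses a per-credential public key pair; HMAC is an assumption."""
    return hmac.new(KEY, hashlib.sha256(client_data).digest(), "sha256").digest()

def browser_assert(origin: str, challenge: str):
    """The browser, not the page, writes the invoking page's origin into
    clientDataJSON before the authenticator signs it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    return client_data, authenticator_sign(client_data)

def rp_verify(client_data: bytes, sig: bytes, expected_challenge: str) -> bool:
    """Relying party: signature must be valid AND origin/challenge must match."""
    if not hmac.compare_digest(sig, authenticator_sign(client_data)):
        return False
    cd = json.loads(client_data)
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == expected_challenge
            and cd.get("origin") == RP_ORIGIN)

def login_through(origin: str) -> bool:
    """Sign in from a page served at `origin`. An AiTM proxy can relay the
    challenge unchanged, but the browser still records the proxy's origin."""
    challenge = secrets.token_urlsafe(16)
    client_data, sig = browser_assert(origin, challenge)
    return rp_verify(client_data, sig, challenge)

def forged_origin_rejected() -> bool:
    """Rewriting the origin after signing breaks the signature, so a proxy
    cannot patch its assertion into a legitimate-looking one."""
    challenge = secrets.token_urlsafe(16)
    client_data, sig = browser_assert(PROXY_ORIGIN, challenge)
    forged = client_data.replace(PROXY_ORIGIN.encode(), RP_ORIGIN.encode())
    return not rp_verify(forged, sig, challenge)
```

In a real deployment the authenticator additionally scopes each credential to the relying party's RP ID, so a page on the proxy's domain would not obtain an assertion at all; the sketch shows only the origin check.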

The future of phishing prevention lies in Zero-Trust principles, stronger authentication standards, and real-time behavioral threat detection. As AiTM phishing techniques continue to evolve, organizations must stay proactive in their cybersecurity approach to mitigate these growing risks.
