AiTM Phishing and Session Token Theft: How Attackers Bypass MFA and How to Stop Them
Adversary-in-the-middle (AiTM) phishing defeats MFA by never trying to steal your one-time code. Instead, it proxies the real authentication session between the victim and your identity provider in real time, completing MFA legitimately on the victim's behalf and then capturing the authenticated session cookie. The attacker replays that cookie from their own device and lands inside your environment as a fully authenticated user with a valid session.
This is why AiTM has become the dominant account takeover technique in 2026. Legacy push notification MFA, TOTP codes, and SMS OTP are all transparent to the proxy. The attack succeeds even when users follow MFA prompts correctly. Understanding the mechanics is the prerequisite for deploying controls that actually work.
How AiTM Proxy Attacks Work Step by Step
An AiTM phishing attack operates as a man-in-the-middle relay between the victim and the legitimate identity provider. The attacker hosts a reverse proxy server that impersonates the target login page and forwards all traffic to the real IdP.
Step 1: Lure delivery. The victim receives a phishing email containing a link to the attacker's proxy domain (e.g., login.microsoft-sso[.]com). The link is often delivered via a legitimate email service, a compromised account, or an HTML attachment to evade URL reputation filters.
Step 2: Authentication relay. The victim navigates to the proxy, which transparently forwards the login request to the real Microsoft/Google/Okta login page. The proxy captures and relays all traffic bidirectionally. The victim sees a visually identical login page because it IS the real page, proxied.
Step 3: MFA completion. When the identity provider requests MFA, the proxy forwards the challenge to the victim. The victim completes their push notification, TOTP code, or SMS OTP normally. The proxy relays this response to the IdP. MFA succeeds.
Step 4: Session cookie capture. The IdP issues an authenticated session cookie. The proxy intercepts this cookie before forwarding the response to the victim. The victim also gets a session cookie and lands on a benign redirect page (often a fake 'session expired' or decoy document) while the attacker now has a working session cookie.
Step 5: Session replay. The attacker imports the stolen session cookie into their browser using developer tools or automated scripts. They are now authenticated as the victim with a fully valid session, bypassing all MFA controls.
Common AiTM frameworks include Evilginx2, Modlishka, and Muraena. Phishing-as-a-service platforms including Greatness, Tycoon 2FA, and Storm-1167 provide AiTM infrastructure as a subscription. Tycoon 2FA specifically targets Microsoft 365 and Google Workspace and was responsible for over 1,800 domains in active campaigns as of Q1 2026.
Why Most MFA Does Not Stop AiTM
It is important to be precise: AiTM phishing defeats specific MFA types, not MFA as a concept. Understanding which authentication methods are vulnerable and which are not is essential for designing a response.
Vulnerable to AiTM proxy attacks:
- Push notification MFA (Microsoft Authenticator, Duo, Okta Verify)
- TOTP one-time codes (Google Authenticator, any authenticator app code)
- SMS OTP (text message codes)
- Voice call OTP
- Email OTP
All of these are shared secrets or codes that the proxy can relay transparently. The victim provides the correct response; the proxy forwards it. MFA succeeds from the IdP's perspective.
NOT vulnerable to AiTM proxy attacks:
- FIDO2 hardware security keys (YubiKey, Google Titan Key)
- Passkeys (device-bound or synced)
- Certificate-based authentication (CBA) with smart cards or device certificates
- Windows Hello for Business (WHfB) with TPM-bound keys
These methods are resistant because the cryptographic response is bound to the specific origin domain (the URL in the browser). When the victim is on the attacker's proxy domain rather than the legitimate domain, the FIDO2/passkey authenticator refuses to respond because the RP ID does not match. The phishing site gets nothing useful even if the victim physically touches their security key.
This is why CISA, NSA, and NIST all explicitly classify FIDO2/passkeys as 'phishing-resistant MFA' and push notification/TOTP as 'phishing-susceptible.' The distinction is not about the strength of the second factor but about whether the factor is cryptographically bound to the legitimate origin.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Phishing-Resistant MFA: Implementation Options
Deploying phishing-resistant MFA is the structural fix. The three enterprise-viable options each have distinct tradeoffs.
FIDO2 Hardware Security Keys
Physical keys (YubiKey 5 series, Google Titan, Token2) provide the strongest phishing resistance. The credential is hardware-bound and cannot be exported. Best for privileged accounts, executives, and roles with high breach impact. Limitations: cost ($25-60/key), loss/theft risk requiring backup key policies, friction for remote workers. Supported natively by Microsoft Entra ID, Okta, Ping, and Google Workspace.
Passkeys (FIDO2 Platform Authenticators)
Passkeys use device-bound or cloud-synced FIDO2 credentials tied to the device's secure enclave (TPM, Secure Enclave on Apple devices). Device-bound passkeys (Windows Hello for Business, Touch ID, Face ID) are phishing-resistant and require no additional hardware. Synced passkeys (iCloud Keychain, Google Password Manager) provide phishing resistance but replicate across devices, reducing hardware-binding guarantees. Microsoft Entra ID, Okta, and Duo all support passkeys as of 2025-2026.
Certificate-Based Authentication (CBA)
Smart card certificates or device certificates issued by your PKI, bound to Entra ID or on-premises AD. When combined with device compliance policies (Intune MDM enrollment required), CBA provides strong phishing resistance. Appropriate for hybrid environments where passkeys are not yet widely deployed. Requires PKI infrastructure and certificate lifecycle management. Native support in Microsoft Entra ID CBA (GA 2023).
Conditional Access Controls That Reduce AiTM Blast Radius
Even before you fully deploy phishing-resistant MFA, these Conditional Access and session policy controls reduce the impact of a successful AiTM session theft.
Require compliant device (device compliance policy)
Configure Conditional Access to require Intune-compliant or Hybrid Azure AD-joined devices for all application access. If the attacker replays the stolen session cookie from an unmanaged device, the compliance check fails and access is denied. This is the single most effective compensating control for AiTM because attacker infrastructure is never managed or enrolled.
In Microsoft Entra ID:
- Conditional Access policy: Grant access > Require device to be marked as compliant
- Or: Require Hybrid Azure AD joined (for fully on-premises managed devices)
Token Protection (token binding) for sign-in sessions
Microsoft Entra ID Token Protection (preview/GA depending on tenant) cryptographically binds the session token to the specific device it was issued to. A stolen token replayed from a different device fails validation. Enable via Conditional Access: Session > Require token protection for sign-in sessions. Currently supported for Windows desktop apps and some web scenarios.
Continuous Access Evaluation (CAE)
CAE allows the IdP to push real-time revocation signals to resource providers (Exchange, SharePoint, Teams) within seconds rather than waiting for token expiry. When you detect anomalous sign-in behavior (impossible travel, unfamiliar device), revoke the session in Entra ID and CAE propagates the revocation to all connected services in near-real time.
Sign-in frequency and persistent browser session policies
Reduce the useful life of stolen session cookies by setting aggressive sign-in frequency (e.g., 1-hour re-authentication for sensitive apps) and disabling 'Stay signed in' persistent sessions. A stolen 1-hour session token is less valuable than a 90-day persistent session.
Conditional Access Named Locations and IP restrictions
For high-value applications (finance systems, admin portals, code repositories), restrict access to known corporate IP ranges or VPN exit nodes. Attacker infrastructure is rarely within your named location ranges.
Detection: Identifying AiTM Attacks in Your Logs
AiTM attacks leave distinctive signals in identity and network logs. The most reliable indicator is a successful authentication from a device or IP with no prior history immediately followed by lateral movement or email access from a new location.
Microsoft Entra ID / Sentinel detection queries:
Look for impossible travel (authentication from two geographically distant locations within a short time window), which indicates the victim authenticated from one location while the attacker replayed the session from another:
SigninLogs
| where ResultType == 0
| summarize Locations = make_set(Location), IPAddresses = make_set(IPAddress)
by UserPrincipalName, bin(TimeGenerated, 1h)
| where array_length(Locations) > 1
Look for unfamiliar device sign-ins immediately after MFA success:
SigninLogs
| where AuthenticationRequirement == "multiFactorAuthentication"
| where DeviceDetail.isCompliant == "false"
| where DeviceDetail.isManaged == "false"
| where ResultType == 0
Risky sign-in alerts in Entra ID Identity Protection
Enable all Entra ID Identity Protection risk policies. The 'Unfamiliar sign-in properties' and 'Atypical travel' risk detections are specifically tuned for AiTM-pattern session replays. Set User Risk Policy to require MFA or block for High risk users.
Email inbox rule creation post-authentication
AiTM attacks targeting BEC typically follow session capture with immediate inbox rule creation (forwarding rules, deletion rules) to hide ongoing access. Alert on inbox rule creation within 30 minutes of a new device sign-in:
OfficeActivity
| where Operation == "New-InboxRule"
| join kind=inner (SigninLogs | where isempty(DeviceDetail.deviceId)) on $left.UserId == $right.UserPrincipalName
| where abs(datetime_diff('minute', TimeGenerated, TimeGenerated1)) < 30
Rollout Strategy: Moving to Phishing-Resistant MFA
Full deployment of phishing-resistant MFA typically takes 3-6 months for a mid-size enterprise. Phase the rollout by risk tier to maximize protection quickly without overwhelming the help desk.
Phase 1: Privileged Accounts (Weeks 1-4)
Global Administrators, Privileged Role Administrators, Security Administrators, and any account with write access to production infrastructure. Issue FIDO2 hardware keys with a backup key policy (two keys per user: one primary, one backup stored securely). No exceptions for this tier. Block legacy auth protocols for all admin accounts immediately.
Phase 2: High-Value Business Roles (Weeks 4-8)
Finance, legal, executive assistants, HR, and any role with access to financial systems or sensitive data. Deploy passkeys via Windows Hello for Business or Microsoft Authenticator passkey on enrolled devices. This group uses compliant managed devices, so device compliance Conditional Access provides the safety net for any stragglers.
Phase 3: All Remaining Users (Weeks 8-16)
Broad organization rollout of passkeys on enrolled devices. Run a phased Conditional Access policy: first in report-only mode to identify users who would be blocked, then enforce. Set up a help desk intake process for users who need exceptions (contractors on unmanaged devices, legacy app users). Legacy auth block policy should follow approximately 2 weeks after passkey rollout.
Block Legacy Authentication Protocols
Disable SMTP AUTH, basic auth for Exchange, and any legacy authentication protocol that bypasses modern MFA entirely. Legacy auth is the back door that makes phishing-resistant MFA rollouts incomplete. In Entra ID: use the 'Block legacy authentication' Conditional Access policy. Monitor the Sign-in Logs for legacy auth attempts before enforcing to avoid breaking email clients.
The bottom line
AiTM phishing bypasses MFA by attacking the session layer, not the authentication factor. Push notifications, TOTP codes, and SMS OTP are transparent to the proxy and will continue to be bypassed. The only authentication methods that resist AiTM structurally are FIDO2 hardware keys, passkeys, and certificate-based auth: all bound to the legitimate origin domain via cryptographic challenge-response. While deploying phishing-resistant MFA organization-wide, require compliant managed devices in Conditional Access as the primary compensating control, since attacker replay infrastructure will never pass device compliance checks. Enable Entra ID Token Protection and Continuous Access Evaluation for near-real-time session revocation. Detection focus: impossible travel within short time windows, new device sign-ins without compliance, and inbox rule creation within 30 minutes of a new device authentication.
Frequently asked questions
What is an AiTM phishing attack and how is it different from regular phishing?
Regular phishing steals usernames and passwords. AiTM (adversary-in-the-middle) phishing uses a reverse proxy server that sits between the victim and the real login page, relaying authentication in real time. This means the victim actually completes MFA successfully: they see a legitimate-looking page, enter their credentials, approve their push notification or TOTP code, and the proxy forwards everything to the real IdP. The attacker captures the session cookie issued after successful authentication, then replays it from their own device. The account is compromised even though the victim did everything right.
Does enabling MFA protect against AiTM attacks?
Not all MFA protects against AiTM. Push notification MFA (Authenticator apps), TOTP codes (6-digit authenticator app codes), and SMS OTP are all bypassed by AiTM proxies because the proxy can relay these one-time values in real time. FIDO2 hardware security keys, passkeys, and certificate-based authentication are resistant to AiTM because they use cryptographic signatures bound to the specific website origin. When the victim is on a phishing proxy domain rather than the legitimate login URL, FIDO2 and passkey authenticators refuse to respond, so the attacker gets nothing useful.
What are the most common AiTM phishing toolkits in use right now?
The most widely used frameworks are Evilginx2 (open source, configurable for any identity provider), Tycoon 2FA (phishing-as-a-service targeting Microsoft 365 and Google Workspace, responsible for 1,800+ phishing domains in Q1 2026), Greatness (targets Microsoft 365 with convincing fake portals), and Storm-1167 (Microsoft-tracked actor using AiTM at scale). These are available as phishing-as-a-service subscriptions, lowering the technical barrier to AiTM attacks significantly.
How does Conditional Access device compliance help against AiTM session theft?
When Conditional Access requires a compliant or Hybrid Azure AD-joined device, the attacker cannot replay the stolen session cookie from their own machine because their device is not enrolled in your MDM (Intune) and will fail the compliance check. The session cookie itself becomes much less valuable. This is currently the most effective compensating control for AiTM while phishing-resistant MFA is being rolled out organization-wide, because attacker infrastructure is never managed or enrolled in corporate MDM.
What is Microsoft Entra ID Token Protection and does it stop AiTM?
Token Protection (formerly token binding) cryptographically binds the sign-in session token to the specific device it was issued to. If an attacker steals the token and replays it from a different device, the cryptographic binding fails and the token is rejected. This directly prevents the final step of an AiTM attack: session replay from attacker infrastructure. Token Protection is available in Microsoft Entra ID and should be enabled via Conditional Access: Session > Require token protection for sign-in sessions. As of 2026, it covers Windows desktop sessions and select web scenarios, with broader platform support being added.
What detection signals indicate an AiTM attack in my environment?
The most reliable AiTM signals are: (1) Impossible travel: successful authentication from two geographically distant locations within a short time window (victim authenticates from their location; attacker replays from theirs). (2) New device or unmanaged device sign-in immediately after MFA success: the session replay occurs from attacker infrastructure with no MDM enrollment. (3) Inbox rule creation (forwarding or deletion rules) within 30 minutes of a new device sign-in, which is characteristic of BEC follow-on activity. Enable all Entra ID Identity Protection risk detections and alert on these patterns in your SIEM.
How do we communicate the shift to phishing-resistant MFA to end users without causing a help desk surge?
The most effective approach is to run Conditional Access in report-only mode for 2-4 weeks before enforcement to identify users who would be blocked and fix their setup proactively. Send targeted communications to affected users before enforcement, not blast emails. Set up a dedicated help desk queue with step-by-step passkey enrollment instructions. For Windows Hello for Business, pre-configure devices via Intune policy so enrollment happens silently at next sign-in. For FIDO2 key deployments, consider in-person setup events for less technical users. The help desk surge peaks in week 1 of enforcement and drops sharply by week 3.
Is passkey syncing (iCloud Keychain, Google Password Manager) as secure as a hardware FIDO2 key?
Synced passkeys provide phishing resistance (they are still bound to the origin domain and resist AiTM proxies) but are weaker than hardware-bound keys in one way: the private key material is replicated across devices via the cloud sync provider. If an attacker compromises your Apple ID or Google account and has a device you logged in from, they may be able to access synced passkeys. For standard enterprise users, synced passkeys are a major improvement over TOTP/push MFA and are appropriate for the broad rollout. For administrators, executives, and privileged roles, use device-bound passkeys (Windows Hello for Business with TPM) or FIDO2 hardware keys with no sync.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, weekly, no spam.
Unsubscribe anytime. We never sell your data.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
The Mythos Brief is free.
AI that finds 27-year-old zero-days. What it means for your security program.