Phishy in the Middle: How A Trending Phishing Tactic Is Designed To Beat MFA 

What is an Adversary-in-the-Middle (AiTM) Phishing  Attack 

An adversary-in-the-middle (AiTM) phishing attack is a type of cyberattack in which an attacker intercepts communications between two parties to steal sensitive information, log in credentials, or money. In this type of attack, the attacker sits between the victim and the legitimate website or service they are trying to access, thereby intercepting and manipulating the data being sent between them. 

The attacker might do this by either creating a fake website that looks like the legitimate one, or by compromising a legitimate website and inserting malicious code that captures the victim’s information. The victim is then fooled into entering their sensitive information, such as login credentials, credit card details, or personal information, into the fake website or providing it to the attacker. 

The aim of an AiTM phishing attack is to steal valuable information or money from the victim, which can then be used for various fraudulent purposes such as identity theft, financial fraud, or extortion. These attacks are particularly dangerous because the victim often has no way of knowing that they are being targeted, and the attacker can remain undetected for long periods of time. 

How does an adversary-in-the-middle phishing attack evade MFA? 

An adversary-in-the-middle (AiTM) phishing attack can be designed to evade multi-factor authentication (MFA) by using various tactics to steal the victim’s MFA code or bypass the MFA altogether. 

One common tactic is to prompt the victim to enter their MFA code into a fake website that the attacker has set up to mimic the legitimate one. The attacker can then use the stolen MFA code to access the victim’s account. This can be done by immediately using the code before it expires or by replaying the code later when the victim is no longer monitoring their account. 

Another tactic used in AiTM phishing attacks is to hijack the victim’s session after they have successfully logged in with their MFA. The attacker can use session hijacking techniques to take over the victim’s session, effectively bypassing the MFA and gaining access to the victim’s account. 

Additionally, AiTM phishing attacks can also be designed to target vulnerabilities in the MFA process itself, such as exploiting weaknesses in the MFA software or tricking the victim into using a compromised MFA device. 

Overall, MFA can provide an additional layer of security to protect against AiTM phishing attacks, but it is not foolproof.  

A real-world example 

Microsoft has recently called attention to a particular threat actor group, known as Storm-1101I, that has been making a ‘phishing kit’ available, online, that helps cyber criminals easily set up this kind of AiTM attack. They explain: 

“The threat actor group began offering their AiTM phishing kit in 2022, and since then has made several enhancements to their kit, such as the capability to manage campaigns from mobile devices, as well as evasion features like CAPTCHA pages. These attributes make the kit attractive to many different actors who have continually put it to use since it became available in May 2022. Actors using this kit have varying motivations and targeting and might target any industry or sector.” 

Steps to protect your organization 

It is important for users to remain vigilant and use additional security measures, such as monitoring their accounts for suspicious activity, to protect themselves against these types of attacks

Here are some controls that Altourage recommends (and implements for its Cybersecurity clients) in order to better protect your organization from this kind of AiTM phishing attack: 

-Enable ‘Conditional Access Polices’ that force users to have a compliant device prior to getting access to their resources

-Implement ‘Continuous Access Evaluation’ 

-Invest in an advanced anti-phishing solution  

-Continuously monitor suspicious or anomalous activities (SIEM, XDR, MDR)


Altourage is a client-obsessed managed service provider, offering IT and Cybersecurity services to clients in ‘high-trust’ sectors, including Financial Services, Professional Services and Nonprofit Organizations.  

We offer both fully managed and co-managed services – customizing our services or integrating with our clients’ existing teams to build successful long-term partnerships.