An Adversary-in-the-Middle (AiTM) phishing attack is a type of cyberattack in which the attacker steals session cookies to bypass authentication layers and access sensitive data or accounts. Session cookies are small pieces of data that websites use to track your online activity and verify your identity during a web session. AiTM phishing attacks can even circumvent security measures like Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA), which require an additional verification step from another device or account.
Introduction to Adversary-In-The-Middle (AiTM) Phishing Attacks
Phishing is one of the most common and effective methods of cybercrime. It involves sending fraudulent emails or messages that impersonate legitimate entities or individuals and tricking the recipients into clicking on malicious links, opening malicious attachments, or providing personal or financial information.
However, phishing also comes in many forms and variations, and cybercriminals are constantly finding new ways to evade detection and bypass security defenses. One of these variations is the Adversary-in-the-Middle (AiTM) phishing attack, which has been a pressing issue for Microsoft 365 users and other online services.
In this article, we will explain how AiTM phishing attacks work, what the risks and consequences of falling victim to them are, and how you can protect yourself and your organization from them.
How AiTM Phishing Attacks Work
Here’s how an AiTM phishing attack works.
Initiation of the Attack: The Phishing Email
An AiTM phishing attack typically starts with a cybercriminal sending a phishing email to a target user, pretending to be from a trusted source, such as Microsoft, Google, or PayPal. The email may contain a link to a fake login page that mimics the appearance of the legitimate website or service that the user wishes to access.
Setting the Trap: The Role of the Proxy Server
The cybercriminal also sets up a proxy server between the user and the website or service that they want to impersonate. A proxy server is a computer that acts as an intermediary between two parties, forwarding requests and responses between them. In this case, the proxy server allows the cybercriminal to intercept and modify the communication between the user and the website or service.
The Deceptive Redirect: Fake Login Page Encounter
When the user clicks on the link in the phishing email, they are redirected to the fake login page hosted by the proxy server. The user may not notice any difference in the URL or the design of the page and may enter their login credentials as usual. However, as soon as they do so, the proxy server captures their username and password and sends them to the cybercriminal.
Data Interception: Capturing Credentials and Session Cookies
The proxy server also forwards the user’s login request to the legitimate website or service and receives a session cookie in return. A session cookie is a type of cookie that stores information about the user’s current web session, such as their identity, preferences, and browsing history. Session cookies are usually deleted when the user closes their browser or logs out of their account.
The Illusion of Security: Session Cookie Manipulation
The proxy server then sends the session cookie back to the user’s browser, making it appear as if they have successfully logged in to their account. However, at the same time, the proxy server also sends a copy of the session cookie to the cybercriminal.
Final Breach: Exploiting the Stolen Session Cookie
The cybercriminal can then use the stolen session cookie to access the user’s account without needing their username or password. This way, they can bypass any authentication layers that may be in place, such as MFA or 2FA. The cybercriminal can then perform malicious actions on behalf of the user, such as stealing data, sending spam emails, conducting business email compromise (BEC) scams, or transferring funds.
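The steps above leave a trace on the legitimate service: the login itself arrives from the proxy's address, and the stolen cookie is later presented from the attacker's own host, so one session token is seen from two different clients within minutes. The following script is an added example (not code from the original article or from Rublon) that runs that check over a few constructed JSON log lines; the log format, field names, IP addresses and the 30-minute window are assumptions for the demonstration.

```python
"""Flag a session token that is used by more than one client shortly after login."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). The authentication service writes one
# JSON record per request. In the AiTM scenario the login is performed by the phishing
# proxy (198.51.100.7), the victim keeps browsing through that proxy, and the attacker
# then replays the same session cookie from another host (203.0.113.42).
SAMPLE_LOGS = """\
{"ts": "2024-05-01T09:00:12Z", "event": "login", "user": "alice@example.test", "session": "s-7f3a", "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts": "2024-05-01T09:00:40Z", "event": "request", "user": "alice@example.test", "session": "s-7f3a", "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124", "path": "/mail/inbox"}
{"ts": "2024-05-01T09:03:05Z", "event": "request", "user": "alice@example.test", "session": "s-7f3a", "ip": "203.0.113.42", "ua": "python-requests/2.31", "path": "/mail/rules"}
{"ts": "2024-05-01T09:03:09Z", "event": "request", "user": "alice@example.test", "session": "s-7f3a", "ip": "203.0.113.42", "ua": "python-requests/2.31", "path": "/mail/send"}
{"ts": "2024-05-01T09:10:00Z", "event": "login", "user": "bob@example.test", "session": "s-9c11", "ip": "192.0.2.25", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
{"ts": "2024-05-01T09:12:00Z", "event": "request", "user": "bob@example.test", "session": "s-9c11", "ip": "192.0.2.25", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "path": "/mail/inbox"}
"""


def parse_events(text: str) -> list:
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _parse_ts(value: str) -> datetime:
    # ISO 8601 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_session_reuse(events: list, max_minutes: int = 30) -> list:
    """Return one alert per session whose token was presented by more than one
    client (distinct IP + User-Agent pair) within max_minutes of the login."""
    login_at = {}                 # session -> login timestamp
    user_of = {}                  # session -> user
    clients = defaultdict(dict)   # session -> {(ip, ua): first time seen}
    for ev in events:
        ts = _parse_ts(ev["ts"])
        sid = ev["session"]
        user_of[sid] = ev["user"]
        if ev["event"] == "login":
            login_at[sid] = ts
        clients[sid].setdefault((ev["ip"], ev["ua"]), ts)

    alerts = []
    for sid, seen in clients.items():
        if len(seen) < 2:
            continue  # a single client used this token: nothing to report
        # If the login event was not logged, fall back to the earliest request.
        start = login_at.get(sid, min(seen.values()))
        newest_client = max(seen.values())
        minutes = (newest_client - start).total_seconds() / 60
        if minutes <= max_minutes:
            alerts.append({
                "session": sid,
                "user": user_of[sid],
                "clients": sorted(seen),
                "minutes_after_login": round(minutes, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(parse_events(SAMPLE_LOGS)):
        print(json.dumps(alert, indent=2))
```

The same token appearing with a new IP and a scripted User-Agent a few minutes after login is the signal worth alerting on; the two checks the example does not cover, because the sample has no history, are whether the login IP is one the user has ever used before and whether the second address sits in a known hosting range.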

Risks and Consequences of AiTM Phishing Attacks
AiTM phishing attacks pose serious risks and consequences for both individuals and organizations. Some of them are:
- Data breach: The cybercriminal can access any data stored in the user’s account, such as personal information, contacts, documents, photos, and videos. They can also access any other accounts or services linked to the user’s account, such as social media platforms, cloud storage providers, and online banking services. The cybercriminal can then use this data for identity theft, fraud, blackmail, extortion, or sale on the dark web.
- Financial loss: The cybercriminal can use the user’s account to make unauthorized transactions or transfers using their credit card details or bank account information. They can also use the user’s account to conduct Business Email Compromise (BEC) scams, which involve impersonating the user or their contacts and requesting money transfers or payments from other parties. According to the FBI, BEC scams caused losses of over $2 billion in 2021.
- Reputation damage: The cybercriminal can use the user’s account to send spam emails, malicious links, or malware to their contacts, colleagues, clients, or partners. They can also use the user’s account to post inappropriate or offensive content on their social media profiles or online forums. This can damage the user’s reputation and credibility, and cause distrust and dissatisfaction among their network.
- Legal liability: The cybercriminal can use the user’s account to perform illegal or unethical activities, such as hacking, cyberespionage, cyberterrorism, or cyberwarfare. This can expose the user to legal liability and prosecution, as well as sanctions and penalties from regulatory authorities or governments.
How to Protect Yourself from AiTM Phishing Attacks
The best way to protect yourself from AiTM phishing attacks is to prevent them from happening in the first place. Here are some tips and best practices that you can follow:
Be vigilant and cautious
Always check the sender’s email address, the URL of the link, and the design and content of the login page before entering your credentials. Look for any signs of phishing, such as spelling errors, grammatical mistakes, mismatched domains, or suspicious requests. If you are not sure about the legitimacy of an email or a link, do not click on it or open it. Instead, contact the sender directly using a different channel or method to verify their identity and intention.
Use strong and unique passwords
Use a different password for each of your online accounts or services. Make sure your passwords are long, complex, and random, and include a combination of letters, numbers, symbols, and mixed case. Avoid using common or predictable passwords, such as your name, date of birth, or pet’s name. You can also use a password manager to generate and store your passwords securely.
Enable MFA or 2FA
Although AiTM phishing attacks can bypass some forms of MFA or 2FA, they are still effective security measures that can prevent most phishing attacks. MFA or 2FA requires you to provide an additional verification factor besides your password when logging in to your account, such as a code sent to your phone or email, a biometric scan, or a physical token. This way, even if your password is stolen, the cybercriminal cannot access your account without the second factor.
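A code sent to your phone or a push approval can be relayed through the proxy just like the password, which is why the article says only "some forms" of MFA are bypassed. A physical FIDO2/WebAuthn token behaves differently: the browser writes the origin of the page that requested the assertion into the signed client data, and the relying party rejects any origin that is not its own. The following is an added example of that relying-party check; it is not code from the original article or from Rublon, and the relying party ID, origins, byte layout of a toy authenticator data blob and the omission of the final signature verification are assumptions made for the demonstration.

```python
"""Relying-party checks that make a WebAuthn assertion useless when obtained through a proxy."""
import base64
import hashlib
import json
import secrets

# Constructed values (not from a real deployment). RP_ID is the site the user meant to
# log in to; ALLOWED_ORIGINS is the only origin the relying party will accept.
RP_ID = "login.example.test"
ALLOWED_ORIGINS = {"https://login.example.test"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Mimics the clientDataJSON the browser builds: the origin is filled in by the
    browser from the page that called navigator.credentials.get(); page script cannot
    override it, so a proxy page can only ever produce its own origin here."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """Toy authenticatorData: rpIdHash (32 bytes) | flags (UP = 0x01) | signCount (4 bytes)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + counter.to_bytes(4, "big")


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes):
    """Subset of the WebAuthn assertion checks: ceremony type, challenge, origin,
    rpIdHash and user-presence flag. Signature verification over
    authData || sha256(clientDataJSON) is assumed to follow and is omitted here; because
    the signature covers clientDataJSON, a proxy cannot rewrite the origin field
    without invalidating the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo():
    """Compare a genuine login with one whose client data came from a proxy page."""
    challenge = secrets.token_bytes(32)
    genuine = verify_assertion(make_client_data(challenge, "https://login.example.test"),
                               make_authenticator_data(RP_ID), challenge)
    proxied = verify_assertion(make_client_data(challenge, "https://login.example-proxy.test"),
                               make_authenticator_data(RP_ID), challenge)
    return genuine, proxied


if __name__ == "__main__":
    print(demo())
```

In practice the browser would not even produce the proxied assertion, because the relying party ID registered with the credential does not match the proxy's domain; the origin check shown here is the server-side backstop for that client-side rule.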
Use conditional access policies
Conditional access policies are rules that evaluate sign-in requests based on various identity-driven signals, such as user or group membership, IP location information, device status, etc. For example, you can set up a conditional access policy that only allows sign-in requests from trusted devices or locations. This way, even if your session cookie is stolen, the cybercriminal cannot access your account from an untrusted device or location.
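To make the last sentence concrete, the following added example (not code from the original article or from Rublon) evaluates two requests carrying the same user's session against a small set of conditional access rules. The rule format, the "trusted location" network ranges, the device-compliance and MFA flags on the request, and the two sample requests are all constructed for the demonstration; a real product evaluates such rules at sign-in and, depending on the product, re-evaluates them during the session.

```python
"""Evaluate a sign-in or session request against conditional access rules."""
import ipaddress

# Constructed corporate egress ranges (not real): requests from these are "trusted locations".
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("203.0.113.0/25")]

# Constructed policies. Each rule applies to the listed apps and groups ("*" means any)
# and names the controls a request must satisfy; any unmet control blocks the request.
POLICIES = [
    {"name": "Finance: compliant device, trusted location and MFA",
     "apps": {"finance-portal"}, "groups": {"finance"},
     "require": {"compliant_device", "trusted_location", "mfa"}},
    {"name": "All users: compliant device",
     "apps": {"*"}, "groups": {"*"},
     "require": {"compliant_device"}},
]


def is_trusted_location(ip: str, networks=TRUSTED_NETWORKS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def rule_applies(request: dict, rule: dict) -> bool:
    app_ok = "*" in rule["apps"] or request["app"] in rule["apps"]
    group_ok = "*" in rule["groups"] or bool(rule["groups"] & set(request.get("groups", [])))
    return app_ok and group_ok


def unmet_controls(request: dict, rule: dict) -> list:
    """Controls required by the rule that the request does not satisfy."""
    satisfied = {
        "compliant_device": bool(request.get("device_compliant", False)),
        "trusted_location": is_trusted_location(request["ip"]),
        "mfa": bool(request.get("mfa_satisfied", False)),
    }
    return sorted(c for c in rule["require"] if not satisfied[c])


def evaluate(request: dict, policies=POLICIES) -> dict:
    """Return {'allow': bool, 'blocked_by': {rule name: [unmet controls]}}."""
    blocked_by = {}
    for rule in policies:
        if not rule_applies(request, rule):
            continue
        missing = unmet_controls(request, rule)
        if missing:
            blocked_by[rule["name"]] = missing
    return {"allow": not blocked_by, "blocked_by": blocked_by}


# Constructed requests: the user's session presented by her managed laptop from the
# office, and the same session replayed from an unmanaged host on an unknown network.
# The replayed session still carries the MFA claim, because MFA was completed through
# the proxy; the device and location checks are what stop it.
LEGIT = {"user": "alice@example.test", "groups": ["finance"], "app": "finance-portal",
         "ip": "192.0.2.40", "device_compliant": True, "mfa_satisfied": True}
REPLAY = {"user": "alice@example.test", "groups": ["finance"], "app": "finance-portal",
          "ip": "198.51.100.23", "device_compliant": False, "mfa_satisfied": True}

if __name__ == "__main__":
    print("legit :", evaluate(LEGIT))
    print("replay:", evaluate(REPLAY))
```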
Update your software and systems
Make sure you keep your software and systems updated with the latest security patches and updates. This can help you fix any vulnerabilities or bugs that may be exploited by cybercriminals to launch AiTM phishing attacks or other types of cyberattacks.
Summing Up Adversary-in-the-Middle (AiTM) Phishing Attacks
AiTM phishing attacks are a sophisticated and dangerous type of phishing attack that can steal your session cookies and bypass your authentication layers. They can cause serious harm to your data, finances, reputation, and legal status.
To protect yourself from AiTM phishing attacks, you need to be vigilant and cautious when dealing with emails or links that ask for your login credentials. You also need to use strong and unique passwords, enable MFA or 2FA, use conditional access policies, and update your software and systems regularly.
By following these tips and best practices, you can reduce the risk of falling victim to AiTM phishing attacks and enhance your online security and privacy. However, you should also be aware that cybercriminals are constantly evolving their techniques and tools, and leveraging AI and phishing-as-a-service (PaaS) offerings to create more targeted and convincing phishing campaigns. Therefore, you should always stay vigilant and cautious when dealing with emails or links that ask for your login credentials or personal information.