How your MFA can be bypassed: AiTM Phishing

Multi-Factor Authentication (MFA) is often seen as the ultimate defence against cybercriminals. But what if that defence can be breached? AiTM (Adversary-in-the-Middle) phishing is a technique in which attackers relay your password and your MFA code to the real website in real time and walk away with the resulting logged-in session, giving them direct access to your account.
Unlike traditional phishing, where only login details are stolen, AiTM phishing acts as an "intermediary" that takes over your entire session. This means that even if you use strong passwords and MFA, you are not automatically safe.
But how exactly does AiTM phishing work? Why is it so dangerous? And above all: how can you protect yourself against it? In this article, we take a closer look at how AiTM phishing works and share practical tips to strengthen your digital security.

What is AiTM Phishing?

AiTM phishing is a form of phishing in which attackers place themselves between you and the website you are logging into. They do this with a malicious reverse proxy server that acts as an "intermediary": it shows you the real login page, relayed through a domain the attacker controls, and forwards everything you type to the real website. This enables them not only to steal your login details, but also to pass your MFA code straight through and capture the session cookie the website issues once the login succeeds.

How does it work?

  • Phishing link: You receive an email with a link to a login page that looks exactly like the real one but is hosted on the attacker's domain.
  • Real-time relay: Everything you type on the fake page, including your password and the MFA code you have just generated, is forwarded to the real website, which accepts it because the code is genuine and still valid.
  • Session hijacking: The real website answers with a session cookie. The proxy copies it on the way back to you, and the attacker can then use that cookie from their own machine to act as you, without being asked for a password or MFA again.
The big danger? Because you genuinely end up logged in to the real website, you often don't notice that your session has already been stolen.

Why is AiTM Phishing so dangerous?

  • MFA bypass: AiTM phishing works against SMS codes, authenticator-app codes and simple push approvals alike, because the genuine code or approval is relayed to the real website while it is still valid.
  • Invisible attack: Because the real website is used and the session is taken over after a successful login, you often do not notice the attack.
  • Suitable for large-scale attacks: Ready-made proxy toolkits let attackers run the same setup against many accounts at once.
Large companies and cloud-based services such as Microsoft 365 and Google Workspace are frequent targets, as a single hijacked session can give an attacker access to mail, files and every application that trusts that login.

How can you protect yourself?

Fortunately, there are ways to protect yourself against AiTM phishing:
  • Use FIDO2-based MFA: Hardware security keys such as YubiKey, and passkeys in general, sign a challenge that is bound to the domain your browser is actually talking to. A proxy on a lookalike domain receives a signature the real website rejects, so there is nothing for the attacker to relay.
  • Check URLs and emails carefully: Do not click links in unexpected emails, and always check the domain name in the address bar before entering credentials. An AiTM page looks identical to the real one because it is the real one relayed through the proxy; the domain is the only visible difference.
  • Implement Conditional Access and threat detection: Policies such as requiring a managed, compliant device for sign-in deny the attacker's machine, and monitoring can flag sessions that are used from a different network or location shortly after the login.
  • Use session token binding: Bind session tokens to the device that obtained them so that a cookie copied off the proxy is useless on any other machine.
  • Awareness and training: Teach yourself and your employees how AiTM phishing works and what the warning signs are, such as a login page on an unfamiliar domain or an MFA prompt you did not expect.
AiTM phishing shows that not every form of MFA is phishing-resistant. Cybercriminals are finding increasingly clever ways to circumvent security measures. It is crucial to be aware of these techniques and to combine MFA with measures, such as FIDO2 keys and device-bound sessions, that a relaying proxy cannot defeat.
Want to improve your digital security? Contact us and find out how we can help protect your organisation against cyber threats. Ready for a secure future? Contact us today!
