Sound Networks IT Support

Adversary-in-the-Middle attacks

Modern phishing technique that steals active login sessions

Imagine clicking a link, logging in, approving your multi-factor authentication (MFA) prompt, and getting on with your day—completely unaware that a criminal has just logged into your account at the exact same moment.

This is Adversary-in-the-Middle (AiTM) phishing. Instead of stealing passwords for later use, these attacks silently hijack an already-authenticated session in real time. While MFA remains a critical first step, AiTM exploits something it was never designed to protect: the trusted session that exists after authentication is complete.

Phishing has moved beyond passwords

Traditional phishing collected credentials. Modern phishing targets the authenticated session itself. Security researchers have documented a significant shift towards token theft, driven by Phishing-as-a-Service (PhaaS) platforms like Evilginx. These toolkits allow low-skilled attackers to deploy sophisticated campaigns against Microsoft 365 and Google Workspace at scale.

How AiTM attacks actually work

The live reverse proxy

An AiTM site is not a static replica of a login page; it is a live reverse proxy sitting between the user and the real service. Every keystroke, redirect, and server response flows through the attacker's system in real time. Because the page mirrors the real service—complete with accurate branding and functional MFA prompts—the only clue is a slightly altered URL, which is easily missed on mobile screens or under time pressure.

Why MFA doesn't stop it

MFA protects the moment of login, not what follows. Once MFA succeeds, the service issues a session cookie. This token signals to the application that the user is verified, meaning no further passwords or MFA challenges are required. AiTM attacks simply wait for this cookie to be issued and steal it. The attacker imports the cookie into their own browser and immediately resumes the session. Microsoft tracked a 146% rise in AiTM attacks over the past year, as cybercriminals increasingly pivot towards accounts already protected by MFA.

What happens after a session is stolen

Because the attacker operates inside a legitimate session, the aftermath is incredibly quiet. There are no failed MFA attempts or unusual login alerts in standard sign-in logs.

Proofpoint research shows that once inside, attackers commonly:

  • Create hidden inbox rules to redirect mail.
  • Register additional MFA methods to secure persistent access.
  • Monitor emails for financial conversations.
  • Launch internal phishing campaigns against colleagues or finance teams.

Reducing your exposure

Defending against AiTM requires security controls that extend beyond the login screen:

  • Adopt Phishing-Resistant MFA: Methods like FIDO2 hardware keys and passkeys bind authentication to a specific device and the legitimate domain. The Canadian Centre for Cyber Security analysed over 100 AiTM campaigns and found that phishing-resistant MFA consistently blocked session theft where standard push notifications and one-time passcodes failed.
  • Tighten Conditional Access & Monitoring: Detecting a breach means watching for post-login activity, such as new MFA registrations, inbox rules created out of hours, or access from unfamiliar locations.
  • Train Users on URL Awareness: Ensure employees understand that a working MFA prompt on an unfamiliar domain is a major risk. A brief walkthrough of Microsoft 365 context lures can significantly reduce exposure.
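As an added illustration (not from the original post or Sound Networks), a small Python detector over constructed audit events shows how the post-login indicators listed above can be surfaced once the MFA prompt itself is no longer a useful signal. The event field names, the per-user baseline countries and the business-hours window are assumptions, not a real Microsoft 365 or Google Workspace log schema.

```python
from datetime import datetime, time

# Constructed sample audit events (field names are an assumption, not a
# real Microsoft 365 or Google Workspace schema). Timestamps are UTC.
SAMPLE_EVENTS = [
    {"time": "2024-05-14T09:12:00", "user": "alice@example.com",
     "op": "UserLoggedIn", "country": "GB", "mfa_satisfied": True},
    {"time": "2024-05-14T09:13:30", "user": "alice@example.com",
     "op": "UserLoggedIn", "country": "NG", "mfa_satisfied": True},
    {"time": "2024-05-14T23:41:05", "user": "alice@example.com",
     "op": "New-InboxRule", "country": "NG",
     "rule": {"name": ".", "forward_to": "ext@attacker.example", "delete": True}},
    {"time": "2024-05-15T00:02:10", "user": "alice@example.com",
     "op": "RegisterMfaMethod", "country": "NG", "method": "Authenticator"},
    {"time": "2024-05-15T10:30:00", "user": "bob@example.com",
     "op": "New-InboxRule", "country": "GB",
     "rule": {"name": "Newsletters", "forward_to": None, "delete": False}},
]

# Assumed baseline: countries each user normally signs in from.
BASELINE = {"alice@example.com": {"GB"}, "bob@example.com": {"GB"}}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed working day, UTC

def is_out_of_hours(ts):
    t = datetime.fromisoformat(ts).time()
    return not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1])

def detect_post_login_abuse(events, baseline=BASELINE):
    """Return (user, reason) findings for activity a stolen session tends to
    produce: MFA was satisfied, yet what follows looks nothing like the user."""
    findings = []
    for e in events:
        user, op, country = e["user"], e["op"], e.get("country")
        unfamiliar = country not in baseline.get(user, set())
        if op == "UserLoggedIn" and e.get("mfa_satisfied") and unfamiliar:
            findings.append((user, f"MFA-satisfied sign-in from unfamiliar country {country}"))
        elif op == "New-InboxRule":
            rule = e["rule"]
            # Forwarding, deletion, or a near-empty name are classic hiding tactics.
            suspicious = rule.get("forward_to") or rule.get("delete") or len(rule.get("name", "")) <= 1
            if suspicious and (unfamiliar or is_out_of_hours(e["time"])):
                findings.append((user, f"suspicious inbox rule {rule['name']!r} created out of hours or from unfamiliar location"))
        elif op == "RegisterMfaMethod" and (unfamiliar or is_out_of_hours(e["time"])):
            findings.append((user, f"new MFA method {e['method']} registered from {country}"))
    return findings

if __name__ == "__main__":
    for user, reason in detect_post_login_abuse(SAMPLE_EVENTS):
        print(f"[ALERT] {user}: {reason}")
```

Bob's daytime "Newsletters" rule from his usual country produces no finding, while Alice's three events after the unfamiliar sign-in each do.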

Stop protecting just the login screen

MFA is a baseline, not a finish line. The businesses that successfully mitigate AiTM risk are those that protect the session and identity layers, not just the login prompt. Want to review your identity security controls? Contact us today to schedule a consultation and identify your critical gaps.
