What a Difference a Year Makes

Learn about the latest cybersecurity threats, including Adversary-in-the-Middle attacks, and discover essential email safety practices to protect your accounts and strengthen MFA defenses.


A New Cyber-Attack is Gaining Ground

What a difference a year makes. Just last year, we were urging clients to set up multifactor authentication (MFA) to protect cloud and remote access accounts. Now, a new, highly sophisticated cyber threat, the Adversary-in-the-Middle (AiTM) attack, is successfully bypassing even MFA, catching many organizations off guard. Here’s how to protect against these escalating attacks and secure your accounts and resources.

Why AiTM is Different—and Dangerous

AiTM attacks use phishing emails to lure users into clicking seemingly legitimate links, like those “from Microsoft” asking to verify credentials. By imitating familiar interfaces, attackers can capture login details and MFA session tokens in a single strike. Once they have that token, they gain extended access to email, Teams, and cloud data for up to 90 days—without requiring the user to log in again. Even low-skill bad actors can now use these attacks, thanks to “Phishing-as-a-Service” and easily accessible attack kits.

How AiTM Attacks Unfold

  1. Phishing email bait: A user clicks a seemingly innocuous link, like one from “Microsoft” to confirm their account.

  2. Fake login site: The link directs the user to a convincing replica of the login page, which captures the credentials while forwarding them to the real Microsoft login.

  3. MFA token hijacking: The user completes MFA, thinking they are secure. However, both the credentials and session token have been stolen, allowing unrestricted access.

Key Takeaways

  • Avoid clicking email links. If an email requests verification, go directly to portal.microsoft.com in a browser and sign yourself in to verify your account.

  • Use a password manager. If the site isn’t legitimate, the password manager won’t autofill credentials, which is a clear red flag that the link is fraudulent.
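
The password-manager takeaway works because autofill is tied to the exact site a credential was saved for, not to how the page looks. The sketch below is an added example, not code from this article or from any particular password manager; the vault entry, the `parse`, `autofillFor` and `decide` helpers, and every URL are constructed for illustration.

```javascript
// Added example: simplified origin-bound autofill decision.
// The vault entry, username and every URL below are constructed samples.
const VAULT = [
  { origin: "https://login.microsoftonline.com", username: "alice@contoso.example" },
];

// Parse an address; return null instead of throwing on garbage input.
function parse(pageUrl) {
  try {
    return new URL(pageUrl);
  } catch {
    return null;
  }
}

// Return the saved entry only when scheme, host and port all match exactly.
function autofillFor(pageUrl, vault = VAULT) {
  const url = parse(pageUrl);
  if (!url || url.protocol !== "https:") return null;
  return vault.find((entry) => entry.origin === url.origin) || null;
}

// Explain the decision: "fill", "refuse:insecure", "refuse:lookalike" or
// "refuse:unknown". A lookalike embeds a saved hostname somewhere other than
// the real host: as a prefix of another domain, or in the userinfo part.
function decide(pageUrl, vault = VAULT) {
  const url = parse(pageUrl);
  if (!url) return "refuse:unknown";
  if (url.protocol !== "https:") return "refuse:insecure";
  if (autofillFor(pageUrl, vault)) return "fill";
  const embedsSavedHost = vault.some((entry) => {
    const saved = new URL(entry.origin).hostname;
    return url.hostname.includes(saved) || url.username.includes(saved);
  });
  return embedsSavedHost ? "refuse:lookalike" : "refuse:unknown";
}

const samples = [
  "https://login.microsoftonline.com/common/oauth2/authorize",
  "https://login.microsoftonline.com.account-verify.test/common/oauth2/authorize",
  "https://login.microsoftonline.com@account-verify.test/",
  "http://login.microsoftonline.com/",
];
for (const s of samples) console.log(decide(s).padEnd(18), s);
```

Only the first sample is filled; the others are refused even though each contains the familiar hostname, which is the signal a user should treat as a stop sign.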


Bringing It All Together

In short, the rapid evolution of these attacks highlights the ongoing need for vigilance, continual cybersecurity education, and policy updates. As AiTM and similar threats evolve, sticking to basics and using the right tools remain powerful first steps in maintaining a secure environment.

This article was created in collaboration with Josh Zimmerman.
