
Adversary-in-the-middle (AitM) phishing attacks explained

Adversary-in-the-middle (AitM) phishing attacks can bypass traditional multi-factor authentication and hijack user sessions in real time by positioning themselves between users and legitimate websites. Unlike traditional phishing, which may rely on obviously fake web pages, AitM attacks present the real website through a proxy, so it looks and behaves exactly like the original. Extremely difficult to spot, AitM attacks are an increasing threat to individuals and businesses.

5 Nov 2025

15 min read


What is an adversary-in-the-middle (AitM) phishing attack?

An adversary-in-the-middle (AitM) phishing attack is a sophisticated cyberattack where cybercriminals position themselves between the user and the website the user wants to visit to intercept sensitive data in real time.

Unlike traditional phishing, which sometimes uses completely fake websites, AitM attacks create sophisticated proxy websites that relay traffic to and from legitimate sites in real time. This way, the attacker intercepts not just login information but also session cookies and authentication tokens.

Session cookies and authentication tokens act like digital keys that prove to websites that a user is already logged in. When criminals steal these tokens, they can import them into their own browser and immediately access the victim’s account without needing to enter a password or complete multi-factor authentication (MFA). This is called session hijacking.

In AitM attacks, cybercriminals don’t just passively eavesdrop on communications but actively manipulate the authentication process. This method allows them to gain access to user accounts even when MFA is enabled, making AitM attacks even more dangerous than traditional man-in-the-middle (MitM) attacks.

AitM vs. MitM attacks: What’s the difference?

While both types of attack intercept communication, they operate at different levels. Traditional man-in-the-middle attacks position attackers on the network path through methods like ARP tampering, DNS manipulation, rogue Wi-Fi hotspots, or malicious gateways to observe or alter network traffic. To defeat HTTPS connections, these attacks typically require certificate manipulation or protocol downgrades. In contrast, adversary-in-the-middle attacks manipulate the authentication process using proxy technology at the application level.

AitM vs. MitM: Key differences

| | Man-in-the-middle (MitM) attacks | Adversary-in-the-middle (AitM) attacks |
|---|---|---|
| Primary approach | Interception and modification of network traffic | Active manipulation and positioning |
| Target layer | Network path vulnerabilities | Application-layer authentication flow (reverse proxy) |
| Main purpose | Data interception and credential theft | Specifically designed to go around MFA and hijack authentication |
| Technology used | Network exploitation and interception | Sophisticated proxy technology |
| Login pages | Intercepts real login sessions | Proxy-based fake login pages that relay traffic in real time |
| Session handling | Basic data interception | Real-time capture of session tokens and authentication data |
| MFA bypass | Limited bypass capability in specific scenarios (HTTPS interception, real-time OTP capture) | Specifically engineered to bypass MFA |
| Attack positioning | Intercepts communication on-path between the client and the server (LAN/AP/gateway/DNS/BGP) | Reverse proxy on attacker's domain sits between user and legitimate IdP/application |
| Threat level | Low on secure/TLS-validated networks but high with HTTPS interception or hostile networks | High with password+OTP but lower with phishing-resistant MFA (WebAuthn or passkeys) |

How does an AitM attack work?

AitM attacks operate by placing a malicious proxy server between users and the legitimate websites the users want to access. This setup allows cybercriminals to capture login credentials in real time and steal session cookies that prove the user is authenticated. The proxy acts as a hidden intermediary, relaying information back and forth while secretly copying everything that passes through.

Websites use session cookies after users log in to them successfully so people don’t have to enter their password on every new page they visit. These session cookies act as digital proof that the user has already been authenticated and has an active session with the website. This is exactly what AitM attackers target — they want to steal these session cookies so they can skip the entire authentication process and act on the victim’s behalf.

The key to a successful AitM attack lies in how the TLS sessions are set up. A TLS (Transport Layer Security) session is an encrypted communication channel between your device and a website that protects your data from eavesdropping. When you visit a website, your browser normally creates one encrypted TLS connection directly to that site. But in an AitM attack, the malicious proxy creates two separate TLS sessions: one between you and the proxy, and another between the proxy and the legitimate website. The proxy terminates your connection, so it sees your data in the clear (you are communicating with the proxy, not the real website), copies it, and then forwards it over its own separate encrypted connection to the legitimate website.

Every piece of information is directly relayed from the original site, creating a proxied view of the real website. The only visible difference between the fake site and the real one is the URL. Once attackers obtain your session cookies from this process, they can inject them into their own browser and immediately access your account without needing passwords or completing MFA.


The AitM attack chain: A step-by-step process

Step 1: Setup

Attackers deploy a malicious proxy server that acts as an intermediary between victims and legitimate websites. This proxy server creates a malicious website that mirrors the appearance and functionality of trusted sites like banks or email services. The attacker registers domains that closely resemble those legitimate websites and configures reverse proxy technology to relay traffic in real time.

Step 2: Victim luring and redirection

Cybercriminals use various social engineering tactics to lure victims to the malicious website. They typically send deceptive emails or text messages or use compromised websites with trusted cloud URLs to redirect users. To avoid being caught by security systems, attackers often use multiple website redirections and abuse ad platforms through malvertising and SEO positioning.

Step 3: Application-layer proxy positioning

Once victims access the malicious proxy site, the attacker establishes application-layer positioning using reverse proxy technology between the user and the legitimate web application. Unlike network-level MitM attacks, this positioning occurs at the application layer where the reverse proxy acts as an intermediary web service that users interact with directly. The malicious proxy maintains active application sessions with both the victim and the legitimate website, relaying authentication requests and responses in real time through the attacker’s infrastructure.

Step 4: Real-time credential and token capture

When victims enter their login credentials, the proxy captures this information in real time and simultaneously forwards it to the legitimate website. The proxy intercepts not just usernames and passwords, but also session cookies, authentication tokens, and traditional multi-factor authentication factors such as SMS codes or push-notification approvals.

Step 5: Traditional MFA bypass and session establishment

As users complete traditional multi-factor authentication (SMS, voice, OTP, or push notifications) on the legitimate site, the proxy captures the resulting session cookies and tokens. This allows attackers to bypass these traditional MFA methods entirely by stealing the post-login session data. However, this technique cannot bypass phishing-resistant MFA methods like WebAuthn and passkeys that bind to the site origin and device.

Step 6: Session hijacking and account access

After stealing authentication information, attackers perform session hijacking by importing the captured session cookies or tokens into their own browser to replay the authenticated session. This session hijacking technique allows them to skip the entire authentication process and access the victim's account with full user privileges. The hijacked session remains active until it expires naturally or gets revoked by the legitimate service. However, security measures like device binding, IP address restrictions, and conditional access policies can reduce the effectiveness of session hijacking attacks by detecting unusual login patterns or blocking access from unrecognized devices.
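The paragraph above notes that device binding and conditional access can catch a replayed session by detecting unusual login patterns. The following is an added example, not code from the original article, of what that detection looks like on the server side: every session is bound at login to the network (ASN) and browser (user agent) it was issued to, and any later request that presents the same session ID from a different context is flagged. The log format, field names, and sample events are constructed for illustration.

```python
"""Flag a session cookie that is used from a context other than the one it was
issued in. Added example, not from the original article: the event format, the
field names and the sample events are constructed for illustration."""

# Constructed sample events from a hypothetical web application's auth log.
# Events 1-3 are one normal session (event 3 changes IP inside the same
# network). Event 4 presents the same session ID from a different network and
# browser, which is what a stolen cookie imported into another browser looks
# like. Event 5 presents a session ID the application never issued.
EVENTS = [
    {"ts": "2025-11-05T09:00:01Z", "event": "login", "user": "alice", "sid": "sess-7f3a",
     "ip": "203.0.113.10", "asn": "AS64500", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/130"},
    {"ts": "2025-11-05T09:05:12Z", "event": "request", "user": "alice", "sid": "sess-7f3a",
     "ip": "203.0.113.10", "asn": "AS64500", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/130"},
    {"ts": "2025-11-05T09:06:30Z", "event": "request", "user": "alice", "sid": "sess-7f3a",
     "ip": "203.0.113.11", "asn": "AS64500", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/130"},
    {"ts": "2025-11-05T09:07:40Z", "event": "request", "user": "alice", "sid": "sess-7f3a",
     "ip": "198.51.100.77", "asn": "AS64511", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/131"},
    {"ts": "2025-11-05T09:08:02Z", "event": "request", "user": "alice", "sid": "sess-0000",
     "ip": "198.51.100.77", "asn": "AS64511", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/131"},
]

# Attributes a session is bound to when it is issued. The ASN rather than the
# exact IP is used so that normal address changes inside one network do not
# raise alerts; the user agent catches a cookie moved to another browser.
BOUND_FIELDS = ("asn", "ua")


def detect_session_replay(events):
    """Return one alert per request whose session context differs from the
    context recorded at login, or whose session ID was never issued."""
    issued = {}   # session ID -> the login event that created it
    alerts = []
    for ev in events:
        if ev["event"] == "login":
            issued[ev["sid"]] = ev
            continue
        origin = issued.get(ev["sid"])
        if origin is None:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "sid": ev["sid"],
                           "reason": "session ID never issued", "changed": []})
            continue
        changed = [field for field in BOUND_FIELDS if origin[field] != ev[field]]
        if changed:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "sid": ev["sid"],
                           "reason": "session context changed since login",
                           "changed": changed})
    return alerts


def sessions_to_revoke(alerts):
    """Issued sessions that showed a context change: revoke them server-side so
    the stolen cookie stops working, and re-authenticate the user."""
    return sorted({a["sid"] for a in alerts if a["changed"]})


if __name__ == "__main__":
    found = detect_session_replay(EVENTS)
    for alert in found:
        print(alert)
    print("revoke:", sessions_to_revoke(found))
```

Binding to the ASN rather than the exact IP is a deliberate trade-off: it keeps mobile users who change addresses inside one carrier network quiet, while still catching the common case of a cookie replayed from an unrelated hosting network. Stricter policies (exact IP, or a device certificate) reduce the attacker's room further at the cost of more false positives.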

Step 7: Post-exploitation activities

Once inside the compromised accounts, attackers can access sensitive data, modify account settings, perform unauthorized transactions, or commit further attacks. They may also use the compromised access as a gateway for additional malicious activities, including business email compromise (BEC) campaigns and financial fraud.

Technical components and tools

Cybercriminals use ready-made technical tools that reduce the technical knowledge required for these attacks, though they still need basic understanding of DNS, hosting, TLS certificates, and infrastructure setup.

  • Phishing-as-a-service (PhaaS) platforms. These services sell ready-made phishing tools and infrastructure, such as phishing kits, fake websites, email templates, and campaign automation tools. On PhaaS platforms, cybercriminals can get everything they need to run their phishing campaigns.
  • Proxy infrastructure. Ready-made reverse proxy tools forward traffic between users and legitimate sites while keeping up the appearance that nothing suspicious is happening. The PhaaS platforms often bundle in proxy solutions with other tools.
  • Evasion techniques. Perpetrators of AitM attacks use several built-in methods to avoid detection by security systems. They hide their activities by routing victims through multiple websites before taking them to the final fake login page. Cybercriminals also disguise their malicious infrastructure behind trusted platforms like cloud services or popular website builders because security systems are less likely to flag these sources as suspicious.
  • Target reconnaissance tools. Attackers research potential victims through open source intelligence (OSINT) gathering to identify high-value targets and their technology preferences. This reconnaissance helps cybercriminals select appropriate phishing themes, register convincing domain names, and craft social engineering lures that increase the likelihood of victims visiting their malicious proxy sites.

These complex attacks are especially dangerous because they can bypass standard security protections and still look like a normal login process.

Common AitM phishing attack targets

AitM phishing campaigns predominantly target Microsoft 365 accounts because so many businesses rely on it for communications and storing sensitive corporate data that cybercriminals can monetize if they get their hands on it.

Financial institutions and banking services represent another major target category for AitM attacks. By reusing the stolen session cookie or token issued after login, attackers bypass many MFA types and gain direct access to financial accounts and transactions.

Government agencies and critical infrastructure organizations also face significant AitM phishing threats. The high-value data and systems these entities manage make them priority targets for both cybercriminal groups and nation-state actors.

E-commerce platforms round out the list of prime targets because they often store sensitive payment information and personal user data.

These attacks frequently serve as the initial entry point for larger criminal campaigns, where attackers pivot from the first compromised account to partners, customers, and internal systems using existing trust relationships and SSO (single sign-on) links.

Why is AitM a growing concern in cybersecurity?

In the last couple of years, AitM attacks have become one of the most alarming threats in cybersecurity. For example, security experts have documented an unsettling 146% rise in AitM phishing attacks throughout 2024, with no sign of the trend slowing. This sharp increase shows how cybercriminals are adapting their tactics as companies strengthen their defenses.

Many organizations rely on MFA to protect their systems, believing it will keep them safe from most attacks. However, AitM attacks can get around MFA completely, rendering one of the most trusted security tools ineffective.

These attacks particularly target Microsoft 365 accounts because many companies use them for email, file storage, and daily operations. The combination of AI tools and ready-made phishing kits has made these attacks easier to execute. Even cybercriminals with basic technical skills can now launch sophisticated attacks.

Phishing statistics only highlight why security experts are so concerned about AitM attacks. They represent a type of threat that can bypass the defenses companies depend on most.

Main signs of AitM phishing

AitM phishing attacks are much harder to spot than traditional phishing because they display the real legitimate website by proxying it live through reverse proxy servers.

Key warning signs to watch for

The most reliable way to detect AitM attacks is to focus on specific technical indicators that reveal you're not where you think you are:

  • Real content, wrong origin. The page displays genuine content served through an attacker’s domain where the layout and functionality match perfectly, but the URL and certificate subject do not.
  • Wrong domain/URL and SSL certificate. Check the domain for subtle misspellings or extra characters, and watch for missing or invalid SSL certificates (the digital certificate that verifies a website’s authenticity, represented by a padlock icon in your browser).
  • Saved passwords and passkeys won’t auto-fill. Password managers and passkeys are designed to only work on domains where they were originally saved. When you visit an attacker's domain, your saved credentials typically won’t auto-fill because the domain doesn't match where you originally saved them.
  • MFA feels “off.” Pay attention to unexpected or repeated authentication prompts, different MFA types than usual, or authentication requests when you weren’t trying to log in — these can indicate a proxied authentication flow.
  • Redirects end somewhere unfamiliar. While SSO redirects are normal, the final landing domain must still be your exact identity provider or application domain, for example “login.microsoftonline.com” or “accounts.google.com”.
  • Suspicious phishing emails. AitM attacks often start with emails using urgent language and demanding immediate action. Watch for slight variations in sender domains, like “microsft” instead of “microsoft,” and unexpected requests for login credentials.
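The warning signs above come down to one check: the exact host the login flow lands on. As an added example (not code from the original article), the function below applies that check the way an email-security gateway or a browser extension could: the final URL must be HTTPS, and its host must exactly match an allowlisted identity provider. A host that merely contains an allowed name ("login.microsoftonline.com.verify-account.example") or is within two characters of one ("login.micros0ftonline.com") is classified as a lookalike. The two Microsoft and Google hosts are the ones the article names; sso.example.com and every sample URL are constructed.

```python
"""Classify the host a login flow actually ended up on. Added example, not from
the original article: sso.example.com and all sample URLs are constructed."""
from urllib.parse import urlsplit

# Exact hosts a login may end on. login.microsoftonline.com and
# accounts.google.com are the examples the article gives; sso.example.com is a
# constructed placeholder for an organisation's own identity provider.
ALLOWED_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com", "sso.example.com"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_landing_url(url, allowed=ALLOWED_LOGIN_HOSTS):
    """Classify the final URL of a login flow.

    Returns (verdict, detail):
      ("ok", host)         exact match on an allowed host, served over HTTPS
      ("lookalike", host)  an allowed host name embedded in, or a near
                           misspelling of, the real host: treat as phishing
      ("reject", reason)   not HTTPS, or no host at all
      ("unknown", host)    an unrelated host: not a login page you trust
    The policy is exact match, so even genuine subdomains of an allowed host
    are not accepted unless they are listed themselves.
    """
    parts = urlsplit(url)
    host = parts.hostname            # lowercased, port and userinfo stripped
    if parts.scheme != "https":
        return "reject", "login page must be served over HTTPS"
    if not host:
        return "reject", "no host in URL"
    if host in allowed:
        return "ok", host
    for good in allowed:
        # The real name appears only as part of a longer, attacker-controlled
        # domain, or differs from it by a character or two.
        if good in host or edit_distance(host, good) <= 2:
            return "lookalike", host
    return "unknown", host


if __name__ == "__main__":
    for sample in [
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x",
        "https://login.microsoftonline.com.verify-account.example/",
        "https://login.micros0ftonline.com/",
        "http://login.microsoftonline.com/",
        "https://docs.python.org/3/",
    ]:
        print(check_landing_url(sample), "<-", sample)
```

The check looks only at the host, never at the page content, which is the point the section makes: a proxied page is a perfect copy, so appearance carries no signal and the origin is the only thing left to verify.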

How AitM signs differ from traditional phishing signs

Traditional phishing attacks have evolved significantly and can now appear quite polished and professional, which makes it harder to distinguish them from legitimate communication. AitM attacks present an entirely different challenge because they display the legitimate website by proxying it live through reverse proxy servers, rather than creating copies.

While traditional phishing relies on convincing users with fake pages, AitM attacks actually communicate with real websites in the background. This means the login forms work exactly like they should, making the deception much more convincing.

Spotting AitM attacks requires shifting focus from how the page looks to where you are, specifically the domain and origin. For a list of AitM signs, refer to the section above (Key warning signs to watch for).

How to protect against adversary-in-the-middle phishing attacks

Since many common MFA methods (SMS codes, voice calls, TOTP authenticator apps, and push notifications) can be intercepted or bypassed by AitM attacks, organizations and individuals need stronger defenses that address the specific ways these attacks work: phishing detection solutions and phishing-resistant MFA (WebAuthn, passkeys, FIDO2).

  • Switch to phishing-resistant MFA, such as passkeys or FIDO2 security keys, which use cryptographic verification bound to the site origin instead of codes that criminals can intercept.
  • Train employees to recognize AitM tactics, including checking URLs carefully, spotting phishing emails, and reporting unusual authentication requests.
  • Use real-time threat detection that can identify unusual login patterns and suspicious authentication attempts as they happen.
  • Apply conditional access policies that evaluate login requests based on location, device, and behavior patterns to block suspicious access attempts.
  • Monitor active sessions for signs of unauthorized access like logins from unusual locations or multiple simultaneous sessions.
  • Implement strong email filtering to block phishing emails before they reach employees, because many AitM attacks start with malicious messages.
  • Use a reliable anti-phishing solution like NordVPN’s Threat Protection Pro™. This tool blocks access to known malicious websites before you can visit them. It uses AI and threat databases to identify and block phishing links. However, since AitM attacks often use newly registered domains that may not appear in threat databases immediately, no single tool provides complete protection against these sophisticated attacks.
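Step 5 above states that WebAuthn and passkeys resist AitM because they bind to the site origin, and the first recommendation in this list is to switch to them. The following added example (not code from the original article or from any WebAuthn library) simulates the two places that binding is enforced: the browser refuses to use a credential whose relying-party ID does not match the page's real domain, and the relying party rejects any assertion whose clientDataJSON names an origin other than its own. RP_ID, the two origins, and the HMAC used as a stand-in for the authenticator's public-key signature are all constructed.

```python
"""Why phishing-resistant MFA survives a reverse proxy: the browser binds each
WebAuthn assertion to the origin the user is really on, and the relying party
checks it. Added example, not from the original article: RP_ID, the origins and
the HMAC stand-in for the authenticator's public-key signature are constructed."""
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                        # constructed relying-party ID
RP_ORIGIN = "https://login.example.com"            # the only origin the RP accepts
PROXY_ORIGIN = "https://login.example-secure.com"  # constructed attacker-run proxy


class Authenticator:
    """Simulated security key holding one credential scoped to RP_ID.
    A real key signs with ECDSA/EdDSA; HMAC over a device-held secret stands
    in for that here so the example runs with the standard library only."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self._secret = os.urandom(32)
        self.counter = 0

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id != self.rp_id:
            raise LookupError("no credential registered for rpId %r" % rp_id)
        self.counter += 1
        flags = b"\x01"  # user present
        auth_data = (hashlib.sha256(rp_id.encode()).digest() + flags
                     + self.counter.to_bytes(4, "big"))
        sig = hmac.new(self._secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig

    def verify(self, auth_data, client_data_hash, sig):
        """Stands in for verifying with the public key registered at enrolment."""
        expected = hmac.new(self._secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def browser_get_assertion(page_origin, rp_id, challenge, authenticator):
    """What the browser does for navigator.credentials.get(): it refuses an
    rpId the page's domain may not claim, and it writes the tab's real origin
    into clientDataJSON itself. Page script cannot override either."""
    page_host = page_origin.split("://", 1)[1]
    if page_host != rp_id and not page_host.endswith("." + rp_id):
        raise PermissionError("rpId %r is not valid for origin %r" % (rp_id, page_origin))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(challenge, client_data, auth_data, sig, authenticator):
    """Relying-party checks: challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: assertion was made on %s" % cd.get("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator.verify(auth_data, hashlib.sha256(client_data).digest(), sig):
        return False, "bad signature"
    return True, "ok"


def login(page_origin, authenticator, browser_checks=True):
    """Run one login. With a proxy in the middle the RP's challenge reaches the
    browser unchanged, but the browser is on PROXY_ORIGIN, not RP_ORIGIN."""
    challenge = os.urandom(16).hex()  # fresh per login, issued by the RP
    try:
        if browser_checks:
            cd, ad, sig = browser_get_assertion(page_origin, RP_ID, challenge, authenticator)
        else:
            # Hypothetical client that skipped the rpId check but still reports
            # its true origin: the RP-side origin check catches it anyway.
            cd = json.dumps({"type": "webauthn.get", "challenge": challenge,
                             "origin": page_origin}, sort_keys=True).encode()
            ad, sig = authenticator.get_assertion(RP_ID, hashlib.sha256(cd).digest())
    except (PermissionError, LookupError) as exc:
        return False, "browser refused: %s" % exc
    return rp_verify(challenge, cd, ad, sig, authenticator)


if __name__ == "__main__":
    key = Authenticator(RP_ID)
    print("direct login:     ", login(RP_ORIGIN, key))
    print("via AitM proxy:   ", login(PROXY_ORIGIN, key))
    print("no browser checks:", login(PROXY_ORIGIN, key, browser_checks=False))
```

Contrast this with a TOTP or push flow, where nothing the user submits is tied to the domain it was typed into, so the proxy can forward it unchanged. With WebAuthn the proxy cannot rewrite the origin field, because the signature covers the hash of clientDataJSON, and it cannot register its own domain as a valid rpId for the real site.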

Traditional security measures simply don’t measure up — the most effective defense combines multiple strategies to create layers of security that make AitM attacks much harder to execute successfully.


Marijus Briedis

Marijus is a cybersecurity and privacy expert and the Chief Technology Officer at NordVPN, NordSecurity. He’s been shaping NordVPN’s tech strategy and leading its engineering teams since 2019. Passionate about all things IT, Marijus has a gift for turning complex tech into clear, actionable insights. His positive, no-nonsense approach makes cybersecurity accessible to everyone.