CASE FILE // PC-2026-04
Status: Open


Filing 02.08.00 | Field 27 APR 2026 | Classification Public | Status Open

Adversary-in-the-middle phishing: the MFA-bypass that conventional MFA cannot stop

Average cost of a successful AitM incident: $1.85M. The 2023-2024 commoditisation of reverse-proxy phishing kits made AitM the default attack pattern against MFA-protected targets. Only FIDO2 / WebAuthn cryptographically breaks the relay chain.

Exhibit A

The attack pattern in detail


Adversary-in-the-middle (AitM) phishing inverts the traditional credential-harvest model. Instead of capturing the victim's username and password on a static fake page and replaying them later, the attacker hosts a live reverse-proxy server that sits between the victim and the real authentication endpoint. The victim visits the lure URL, enters credentials, completes the MFA challenge, and sees the real service load successfully because the attacker's proxy is forwarding every byte in real time to and from the actual destination. From the victim's perspective the login succeeds normally. From the attacker's perspective, the proxy has captured the session cookie that the real service issued on successful authentication.

The captured session cookie is the prize. The attacker can import it into a clean browser's cookie store and immediately have authenticated access to the real service as the victim, without needing to re-authenticate. Most session cookies for major SaaS platforms have lifetimes measured in hours to weeks, giving the attacker a sustained window of authenticated access. The session cookie is independent of the victim's MFA token because the MFA challenge has already been completed; the cookie represents post-MFA authenticated state.[Microsoft Threat Intelligence AitM blog 2022-2024 + Mandiant M-Trends 2025]

Exhibit B

Why conventional MFA does not stop it


The central counter-intuitive point about AitM is that turning on MFA does not stop it. TOTP codes from Google Authenticator, SMS codes from carrier delivery, push notifications from Duo or Microsoft Authenticator (even with number-matching), and authenticator-app pseudo-OTPs all flow through the attacker's reverse proxy. The victim enters the code, the proxy forwards it to the real endpoint, the real endpoint validates the code and issues the session cookie, the proxy captures the cookie. The MFA challenge is satisfied because it was completed by a real victim in real time; the proxy is just a transparent forwarder of the legitimate flow.

The only MFA type that breaks AitM is phishing-resistant MFA based on the FIDO2 / WebAuthn standards. FIDO2 works by cryptographically binding the authentication response to the origin the browser is actually displaying. When the victim is on the attacker's lure domain, the browser reports the lure origin to the authenticator, which produces a signature scoped to that lure origin. The attacker's proxy cannot forward this signature to the real service because the real service expects a signature scoped to its own origin. The attacker can present the victim with a working-looking login flow but cannot extract a credential that works against the real destination.
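To make the origin binding concrete, here is an added model of the relying-party assertion check (not code from this page or from any FIDO2 implementation). Origins, RP IDs and the credential key are constructed placeholders, and the credential's ECDSA signature is stood in by an HMAC under a key the proxy never holds; the check sequence (type, challenge, origin, rpIdHash, signature over authenticatorData and the client-data hash) is the relying party's.

```python
"""Model of why a WebAuthn assertion cannot be relayed through an AitM proxy (added example).
Origins, RP IDs and the credential key are constructed placeholders; the credential's
ECDSA signature is stood in by an HMAC under a key the proxy does not hold."""
import hashlib
import hmac
import json
import os

REAL_ORIGIN, REAL_RPID = "https://login.example.com", "login.example.com"
LURE_ORIGIN, LURE_RPID = "https://login.lure-proxy.example", "login.lure-proxy.example"
CRED_KEY = os.urandom(32)  # stand-in for the registered credential's private key

def _to_be_signed(auth_data, cd_json):
    """WebAuthn signs authenticatorData || SHA-256(clientDataJSON)."""
    return auth_data + hashlib.sha256(cd_json).digest()

def sign(origin, rpid, challenge):
    """Browser + authenticator: the browser writes the origin of the page it is actually showing
    into clientDataJSON and refuses an rpId that is not a suffix of that origin."""
    host = origin.split("://", 1)[1]
    if not (host == rpid or host.endswith("." + rpid)):
        raise ValueError("browser rejects rpId that does not match the page origin")
    cd = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = hashlib.sha256(rpid.encode()).digest() + bytes([0x01, 0, 0, 0, 0])  # rpIdHash|UP|counter
    sig = hmac.new(CRED_KEY, _to_be_signed(auth_data, cd), "sha256").digest()
    return cd, auth_data, sig

def verify(cd_json, auth_data, sig, challenge):
    """Relying-party checks at the real service; returns None on success, else the failing check."""
    cd = json.loads(cd_json)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "type/challenge mismatch"
    if cd.get("origin") != REAL_ORIGIN:  # the check a relayed AitM assertion fails
        return f"origin {cd.get('origin')} is not {REAL_ORIGIN}"
    if auth_data[:32] != hashlib.sha256(REAL_RPID.encode()).digest():
        return "rpIdHash is not SHA-256 of the real RP ID"
    expected = hmac.new(CRED_KEY, _to_be_signed(auth_data, cd_json), "sha256").digest()
    if not hmac.compare_digest(sig, expected):
        return "signature does not cover this clientDataJSON/authData"
    return None

def relay_outcomes(challenge="c2VydmVyLWNoYWxsZW5nZQ"):
    """Direct login; login relayed from the lure page; relay with origin and rpIdHash rewritten."""
    direct = verify(*sign(REAL_ORIGIN, REAL_RPID, challenge), challenge)
    cd, ad, sig = sign(LURE_ORIGIN, LURE_RPID, challenge)  # victim is on the lure page
    relayed = verify(cd, ad, sig, challenge)
    forged_cd = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": REAL_ORIGIN}).encode()
    forged_ad = hashlib.sha256(REAL_RPID.encode()).digest() + ad[32:]  # proxy patches the hash in
    return {"direct": direct, "relayed": relayed, "rewritten": verify(forged_cd, forged_ad, sig, challenge)}
```

The relayed assertion is rejected on the origin check, and rewriting the origin and rpIdHash to look legitimate only moves the failure to the signature check, because both values are inside the signed data.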

The implication for defender architecture is uncomfortable: the broad MFA deployment that organisations completed through 2018-2022 does not, by itself, defend against the dominant phishing attack pattern of 2024-2026. The remediation requires an additional layer (FIDO2) on top of the existing MFA layer, with separate enrolment, separate user training, and separate device-management. Many enterprises are partway through this transition; many have not started.[FIDO Alliance technical specs + CISA Phishing-Resistant MFA guidance 2023]

Exhibit C

Evilginx and the phishing-as-a-service ecosystem


Evilginx is the open-source reverse-proxy phishing framework that did the most to commoditise AitM. Originally released as a red-team and security-research tool, Evilginx provides pre-built phishlets (phishing-flow templates) for Microsoft 365, Google Workspace, Okta, and many other common authentication targets. An operator with modest technical skill can deploy a working AitM phishing page for a major SaaS target in under an hour using the maintained Evilginx phishlet library.

Above Evilginx sit several phishing-as-a-service operators offering AitM kits on subscription pricing models. Pricing surveyed across the underground market for 2024-2025 runs $250 to $1,500 per month depending on the target catalogue, the level of operator support, and the obfuscation features included. The premium tiers include features like rotating-domain registration, automated DGA-based lure-link generation, anti-bot screening on the lure page, and integration with credential-monetisation pipelines. The economics of running a small AitM operation are favourable to attackers at these subscription prices because a single successful enterprise compromise yields losses materially above the annual subscription cost.

The Microsoft Threat Intelligence team has tracked multiple distinct AitM clusters through 2023-2024, including the Storm-1167 and Caffeine clusters, with attribution to a mix of financially-motivated criminal groups and some state-actor activity. The defender expectation is that the AitM attack class will remain the dominant phishing pattern through at least 2027 because the attacker-side toolchain is mature, the defender-side response (FIDO2 deployment) is slow, and the economics work for the attacker.[Microsoft Storm-1167 and Caffeine cluster reporting 2023-2024 + Mandiant M-Trends 2025]

Exhibit D

Cost-line build-up against the $1.85M figure


Cost line                                      | Share of $1.85M | Dollar figure | Driver
Mailbox-takeover containment + downstream BEC  | 33%             | $611K         | AitM frequently pivots to BEC; see /by-attack/bec
Data exfiltration scoping + IR                 | 21%             | $389K         | SaaS-data exfil during session window
Credential-reset + FIDO2 emergency rollout     | 14%             | $259K         | Post-event identity-architecture rework
Forensic investigation                         | 11%             | $204K         | Session-cookie attribution work
Notification + monitoring                      | 10%             | $185K         | Where exfil triggered notification
Legal + class-action exposure                  | 7%              | $130K         | Lower than direct-wire variants
Customer-trust restoration                     | 4%              | $74K          | If customer-facing systems were touched

The mailbox-takeover line dominates because AitM against a Microsoft 365 or Google Workspace target yields a usable email session, which is the highest-value access type for attacker pivots. The downstream BEC cost is partially captured here and partially appears in the BEC event totals; allocation between the two depends on incident-accounting choices.[IBM 2025 + Mandiant M-Trends 2025 AitM cohort]

Exhibit E

The control stack: FIDO2 first, token-binding second, behavioural third


#1  FIDO2 / WebAuthn hardware-key MFA universally

~98% of AitM success
Cost: ~$50 per user one-time

The only control that cryptographically breaks the AitM relay. Origin-bound signatures cannot be forwarded by the proxy. Universal deployment is the strategic target; per-role deployment for high-risk identities is the pragmatic interim.

#2  Token-protection conditional access (Microsoft) / DBSC (Google)

~85% of session-replay value
Cost: Platform-licence dependent

Binds the session cookie to the device on which it was issued, using a cryptographic key held by that device. A stolen cookie cannot be replayed from the attacker's browser. Covers the residual cases where FIDO2 has not yet been deployed.

#3  Behavioural email security with AitM-detection

~60% of lure delivery
Cost: $42 to $96 per mailbox per year

Behavioural email security (Abnormal, Tessian-class) catches the lure-delivery step. Detects the typical AitM-lure patterns: novel domain, recent registration, no organisational history. Catches the lure before the victim visits.

#4  Anomalous-session-cookie monitoring

~40% of post-compromise dwell
Cost: SIEM-licence + 1 FTE detection-engineering

Identity-platform logs flag anomalous session reuse (cookie used from a new geography, new device, or in rapid sequence with the legitimate session). Catches the AitM compromise after the fact but compresses the dwell window.
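A minimal form of the session-reuse detection described above, as an added example that is not the page's or any vendor's code: it runs over constructed sign-in records with hypothetical field names (ts, user, session, country, ua) and flags a session id that appears from two different country/user-agent contexts inside a short window, which is the "new geography, new device, rapid sequence" signal named above.

```python
"""Session-cookie replay detection over identity-platform sign-in logs (added example).
Records and field names (ts, user, session, country, ua) are constructed stand-ins for
whatever the IdP actually exports."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice's session S1 is used from GB/Edge, then from NL/Chrome three
# minutes later, then from GB/Edge again (the stolen cookie running alongside the real
# one). bob's session S2 is re-used hours later from the same context and is benign.
SAMPLE_LOG = [
    {"ts": "2026-04-27T09:00:00", "user": "alice", "session": "S1", "country": "GB", "ua": "Edge/124 Windows"},
    {"ts": "2026-04-27T09:04:00", "user": "alice", "session": "S1", "country": "GB", "ua": "Edge/124 Windows"},
    {"ts": "2026-04-27T09:07:00", "user": "alice", "session": "S1", "country": "NL", "ua": "Chrome/124 Linux"},
    {"ts": "2026-04-27T09:08:00", "user": "alice", "session": "S1", "country": "GB", "ua": "Edge/124 Windows"},
    {"ts": "2026-04-27T10:00:00", "user": "bob", "session": "S2", "country": "GB", "ua": "Safari/17 macOS"},
    {"ts": "2026-04-27T15:00:00", "user": "bob", "session": "S2", "country": "GB", "ua": "Safari/17 macOS"},
]


def find_session_replay(events, window=timedelta(minutes=30)):
    """Return one alert per session id that is seen from more than one (country, user agent)
    context within `window`: too close together for travel or a genuine device change.
    Context changes further apart than `window` are left to slower risk scoring."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append((datetime.fromisoformat(e["ts"]), e))
    alerts = []
    for sid, seq in by_session.items():
        seq.sort(key=lambda item: item[0])
        for i, (ts, e) in enumerate(seq):
            recent = [p for p_ts, p in seq[: i + 1] if ts - p_ts <= window]
            contexts = {(p["country"], p["ua"]) for p in recent}
            if len(contexts) > 1:  # two devices/geographies sharing one cookie
                alerts.append({"session": sid, "user": e["user"], "first_conflict": e["ts"],
                               "contexts": sorted(contexts)})
                break
    return alerts
```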

#5  User-awareness on lure-URL inspection

~15% of click rate
Cost: $2 to $5 per user per year incremental

Train users to inspect the URL bar before entering credentials. Modest impact because AitM lures use lookalike domains that are difficult to inspect on mobile. Useful as a layer, not as a primary defence.

#6  Reduced session-cookie lifetime

~30% of post-compromise blast
Cost: UX-cost from re-authentication friction

Shortening session-cookie lifetimes (from days to hours) reduces the window in which a stolen cookie is useful. UX cost is real but the security trade is favourable for high-risk identities.

Exhibit F

The Okta and Microsoft 365 AitM patterns


Two AitM patterns dominate the 2024-2026 enterprise loss picture. The first is AitM against Microsoft 365 directly. The lure points at a credible-looking Microsoft 365 login URL; the victim enters credentials and completes their normal MFA; the attacker captures the session cookie and is inside the victim's mailbox within seconds. From the mailbox the attacker typically pivots to BEC (see /by-attack/bec), to OneDrive data exfiltration, or to Teams channel content that yields M&A or competitive-intelligence value. Microsoft 365 mailbox takeover is now the dominant initial-pivot path for AitM-rooted BEC events in the IC3 docket.

The second is AitM against the identity provider itself (Okta, Microsoft Entra, Google Workspace SSO). The pattern is similar but the attacker prize is broader: the session cookie for the identity provider unlocks SSO across every downstream SaaS that uses the IdP for authentication. A single successful Okta-AitM compromise can yield session access to a hundred or more downstream SaaS applications without further authentication. The Cloudflare 2022 AitM attempt, while ultimately unsuccessful (FIDO2 saved the company), illustrates the IdP-AitM pattern and its potential blast radius. Cloudflare disclosed the incident publicly and the post-mortem is widely cited as one of the canonical FIDO2 success stories.[Microsoft Threat Intelligence + Cloudflare August 2022 incident report]

Exhibit G

Frequently filed questions


What is AitM phishing?

Adversary-in-the-middle phishing uses a reverse-proxy server between the victim and the real authentication endpoint, capturing the session cookie that is issued after successful MFA completion.

Does turning on MFA stop AitM?

No. TOTP, SMS, push (with or without number-matching), and authenticator-app codes all flow through the proxy. Only FIDO2 / WebAuthn cryptographically breaks the relay.

What does an AitM attack cost?

$1.85M average per successful incident. Dominated by mailbox-takeover containment and the downstream BEC pivot value.

What is Evilginx?

An open-source reverse-proxy phishing framework with pre-built phishlets for major SaaS authentication targets. Originally a red-team tool, now widely adopted in criminal phishing operations.

What share of phishing volume is now AitM?

Approximately 25% as of mid-2024 (Microsoft Threat Intelligence), up from low single digits in 2022. The growth tracks the commoditisation of phishing-as-a-service AitM kits.

What is token-protection / DBSC?

Token-protection conditional access (Microsoft Entra) and Device-Bound Session Credentials (Google Workspace) bind session cookies cryptographically to the issuing device. Stolen cookies cannot be replayed elsewhere. Available in 2026, under-deployed.

Should we deploy FIDO2 universally?

Yes, strategically. Per-role deployment for high-risk identities (admin, finance, platform engineers) is the pragmatic interim. The economics favour universal deployment over 18-24 months for any organisation with material AitM exposure.

Updated 2026-04-27