Adversary-in-the-Middle (AiTM)
An attack in which a malicious proxy sits between the victim and a legitimate service, capturing credentials and session tokens in real time.
Also known as: AiTM attack, real-time phishing proxy, reverse-proxy attack
Last reviewed: 1 June 2026
An adversary-in-the-middle (AiTM) attack is an evolved form of the classic man-in-the-middle attack, specifically engineered to defeat multi-factor authentication. The attacker operates a reverse proxy server that relays all traffic between the victim and the legitimate service. When the victim visits a phishing link, they interact with what appears to be the real site — because the proxy transparently forwards requests to and responses from it — while the attacker intercepts the victim's credentials and, critically, the session cookie or token issued after MFA is completed.
Because the token is captured post-authentication, the MFA step provides no protection: the victim authenticated legitimately, and the attacker simply reuses the resulting token. AiTM infrastructure is available as a service through criminal phishing toolkits (such as Evilginx), lowering the technical barrier significantly.
AiTM attacks are most effective against organisations using cloud email platforms. Mitigations include phishing-resistant MFA (FIDO2/passkeys), conditional access policies that enforce device compliance checks, and continuous access evaluation that revokes tokens when anomalies are detected.
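Why phishing-resistant MFA holds up where a one-time code does not, as an added example that is not part of this entry: a simplified Python model of the relying-party checks on a WebAuthn (FIDO2/passkey) assertion. RP_ID, EXPECTED_ORIGIN, the phishing hostname, the credential key and the challenge are all constructed values, and HMAC stands in for the authenticator's signature.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed, simplified model of WebAuthn assertion checks: HMAC-SHA256 with a shared
# key stands in for the authenticator's ECDSA key; origin/rpIdHash checks defeat AiTM.
RP_ID = "login.example.com"                    # assumed relying-party id
EXPECTED_ORIGIN = "https://login.example.com"  # assumed legitimate origin
CRED_KEY = b"demo-credential-key"              # stand-in for the private key
CHALLENGE = "c2FtcGxlLWNoYWxsZW5nZQ"           # constructed challenge from the RP

def sign(auth_data: bytes, client_data: bytes) -> bytes:
    # Real authenticators sign authenticatorData || SHA-256(clientDataJSON).
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.new(CRED_KEY, msg, "sha256").digest()

def browser_assert(page_origin: str) -> tuple[bytes, bytes, bytes]:
    """What the victim's browser produces when the page calls navigator.credentials.get():
    the browser, not the page, fills in origin and derives rpIdHash from the real site."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": CHALLENGE,
                              "origin": page_origin}).encode()
    rp_id_hash = hashlib.sha256(urlparse(page_origin).hostname.encode()).digest()
    auth_data = rp_id_hash + b"\x05" + (1).to_bytes(4, "big")  # flags UP|UV, counter
    return client_data, auth_data, sign(auth_data, client_data)

def verify_assertion(client_data: bytes, auth_data: bytes, sig: bytes) -> tuple[bool, str]:
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != CHALLENGE:
        return False, "type or challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not hmac.compare_digest(sig, sign(auth_data, client_data)):
        return False, "bad signature"
    return True, "ok"

def simulate_login(page_origin: str, proxy_forges: bool = False) -> tuple[bool, str]:
    """page_origin is where the victim's browser really is. With proxy_forges, the
    AiTM proxy rewrites origin and rpIdHash to the real values before forwarding."""
    client_data, auth_data, sig = browser_assert(page_origin)
    if proxy_forges:
        cd = json.loads(client_data)
        cd["origin"] = EXPECTED_ORIGIN
        client_data = json.dumps(cd).encode()
        auth_data = hashlib.sha256(RP_ID.encode()).digest() + auth_data[32:]
    return verify_assertion(client_data, auth_data, sig)  # signature no longer matches
```

A real browser would refuse the ceremony outright when the page's origin does not match the requested RP ID; the model lets it proceed so the relying-party side of the check is visible, and the forged case shows that the signature covers the origin field, so the proxy cannot patch it.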
Examples
- Employees at a company receive phishing emails; those who click authenticate normally, including their MFA step, but an AiTM proxy captures their session cookies, allowing the attacker to access their inboxes minutes later.