Adversary-in-the-Middle Session Theft Scams via Email
How phishing emails direct victims to attacker-controlled proxy sites that capture live authentication sessions and bypass multi-factor authentication in real time.
Part of: Adversary-in-the-Middle Session Theft Scams
Last reviewed: 8 June 2026
Adversary-in-the-middle (AiTM) phishing represents a significant evolution beyond traditional credential phishing. Rather than simply capturing a username and password, AiTM attacks use an attacker-controlled reverse proxy to relay authentication in real time between the victim and the legitimate service. This captures not just the credentials but also the session cookie the service issues once multi-factor authentication has been completed, which is all the attacker needs to act as the user from then on.
This means that even users with MFA enabled can have their accounts compromised through AiTM phishing. The attacker uses the captured session cookie to access the account directly, without needing the victim's password or MFA code after the initial theft.
How this scam works on email
A phishing email arrives with a link to what appears to be a legitimate login page — a Microsoft 365, Google, or banking portal. The URL may contain the brand name in a subdomain or use convincing typosquatting. The page works exactly like the real login, because it is a real-time proxy of it. The victim enters their credentials and completes MFA. They are redirected to the genuine service and see no problem.
Behind the scenes, the attacker has captured the authenticated session cookie. They immediately import it into their own browser, bypassing the need for any further credentials. Corporate accounts are particularly targeted, as a compromised business email account enables subsequent invoice fraud, payroll redirect, or further phishing of colleagues.
Common red flags
- Login page URL contains the brand name as a subdomain of an unrecognised domain
- A login email arrives unsolicited for a service you were not actively using
- After logging in, you receive multiple MFA prompts in quick succession
- Your account shows login activity from an unrecognised location or device shortly after using a link
- Colleagues receive emails from your account that you did not send
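Two of the red flags above, a burst of MFA prompts and account activity from a new location or device shortly after a link was used, leave traces in a service's sign-in log. The following is an added example (not code from the original article or from any vendor) of how a defender might turn those two observations into simple checks. It assumes a generic event shape with a timestamp, user, event type, source IP, user agent and session id; all events, addresses and session ids below are constructed for the demonstration. The session-reuse check reflects the way the page describes the theft: at sign-in the service sees the proxy, and minutes later the same cookie is used from the attacker's own browser.

```javascript
// Added example: two AiTM heuristics over constructed sign-in events.

// Constructed sample log. Alice is phished through a proxy: three MFA prompts in
// under a minute, a session issued to the proxy's address, then that same
// session replayed from a different address and browser. Bob is a normal login.
const SAMPLE_EVENTS = [
  { ts: '2026-06-01T09:00:00Z', user: 'alice', type: 'mfa_prompt',     ip: '198.51.100.7', ua: 'Chrome/125 Windows', session: null },
  { ts: '2026-06-01T09:00:20Z', user: 'alice', type: 'mfa_prompt',     ip: '198.51.100.7', ua: 'Chrome/125 Windows', session: null },
  { ts: '2026-06-01T09:00:45Z', user: 'alice', type: 'mfa_prompt',     ip: '198.51.100.7', ua: 'Chrome/125 Windows', session: null },
  { ts: '2026-06-01T09:01:00Z', user: 'alice', type: 'session_issued', ip: '198.51.100.7', ua: 'Chrome/125 Windows', session: 'S-1' },
  { ts: '2026-06-01T09:06:30Z', user: 'alice', type: 'session_used',   ip: '203.0.113.42', ua: 'Firefox/126 Linux',  session: 'S-1' },
  { ts: '2026-06-01T09:10:00Z', user: 'bob',   type: 'mfa_prompt',     ip: '192.0.2.10',   ua: 'Safari/17 macOS',    session: null },
  { ts: '2026-06-01T09:10:10Z', user: 'bob',   type: 'session_issued', ip: '192.0.2.10',   ua: 'Safari/17 macOS',    session: 'S-2' },
  { ts: '2026-06-01T09:40:00Z', user: 'bob',   type: 'session_used',   ip: '192.0.2.10',   ua: 'Safari/17 macOS',    session: 'S-2' },
];

// Heuristic 1: more than maxPrompts MFA prompts for one user inside windowMs.
// Uses a sliding window over each user's sorted prompt times.
function mfaPromptBursts(events, { maxPrompts = 2, windowMs = 2 * 60 * 1000 } = {}) {
  const byUser = new Map();
  for (const e of events) {
    if (e.type !== 'mfa_prompt') continue;
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(Date.parse(e.ts));
  }
  const findings = [];
  for (const [user, times] of byUser) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      const count = end - start + 1;
      if (count > maxPrompts) {
        findings.push({ user, prompts: count, windowStart: new Date(times[start]).toISOString() });
        break; // one finding per user is enough for triage
      }
    }
  }
  return findings;
}

// Heuristic 2: a session cookie used from a different IP or user agent than the
// one it was issued to, within withinMs of issue. A stolen cookie imported into
// the attacker's browser looks exactly like this.
function sessionReuseFromNewClient(events, { withinMs = 30 * 60 * 1000 } = {}) {
  const issued = new Map();
  const findings = [];
  for (const e of events) {
    if (e.type === 'session_issued') issued.set(e.session, e);
    if (e.type !== 'session_used') continue;
    const origin = issued.get(e.session);
    if (!origin) continue; // issue event not in this log slice
    const elapsed = Date.parse(e.ts) - Date.parse(origin.ts);
    const clientChanged = e.ip !== origin.ip || e.ua !== origin.ua;
    if (clientChanged && elapsed <= withinMs) {
      findings.push({
        user: e.user,
        session: e.session,
        issuedFrom: origin.ip,
        usedFrom: e.ip,
        minutesAfterIssue: elapsed / 60000,
      });
    }
  }
  return findings;
}

// Runs both checks and returns the findings for alerting or review.
function reviewSignInLog(events) {
  return {
    mfaBursts: mfaPromptBursts(events),
    sessionReuse: sessionReuseFromNewClient(events),
  };
}

console.log(JSON.stringify(reviewSignInLog(SAMPLE_EVENTS), null, 2));
```

On the sample log only Alice is flagged, once by each heuristic. Real sign-in logs carry richer context (ASN, country, device compliance) that a conditional access policy can use instead of a raw IP comparison, but the shape of the check is the same: compare the client that was issued the session with every client that later presents it.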
How to protect yourself
- Use passkeys or FIDO2 hardware security keys, which are resistant to AiTM proxy attacks
- Always navigate to login pages by typing the URL directly, not through email links
- Enable account activity alerts so unexpected logins are flagged immediately
- Treat any unsolicited login request or MFA prompt as suspicious and verify through the official app or URL
- Enable conditional access policies in Microsoft 365 or Google Workspace to flag logins from new locations
How to report it
- Report the phishing email to your email provider and the impersonated service
- Report to your national CERT or cybercrime authority
- If a corporate account was compromised, engage your IT security team immediately and treat it as an incident
Frequently asked questions
Does MFA protect against AiTM attacks?
Standard push-based or OTP-based MFA does not protect against AiTM, because the attacker relays the authentication in real time and captures the post-MFA session cookie. FIDO2 passkeys are currently the most effective defence, as they are bound to the legitimate origin domain and cannot be relayed through a proxy.