You click a link, type your password, tap approve on the multi-factor prompt, and get on with your morning. What you do not realize is that someone else just stepped into your account at the exact same moment.
For a lot of business owners, that sounds impossible. We were all told that multi-factor authentication (MFA) was the deadbolt that kept criminals out of our cloud accounts, and for years it mostly was. But a newer style of attack called Adversary-in-the-Middle (AiTM) phishing was built specifically to slip past it.
Here is the twist. These attacks are not after your password so they can use it later. They hijack the live session you just created, while you are still signed in. MFA is still worth having, and setting it up correctly remains one of the smartest things any business can do. AiTM simply goes after something MFA was never designed to protect: the trusted session that exists after you have already proven who you are.
Phishing Is Not About Your Password Anymore
Phishing is still the most common way attackers get a foot in the door, but what they want has changed. The old version collected usernames and passwords. The new version is after something far more useful right now: the authenticated session itself.
Researchers have observed a clear shift toward stealing sessions and tokens, where the criminal intercepts the login as it is happening. Instead of reusing a stolen password, which MFA usually blocks, they wait for you to finish logging in successfully, then grab the proof that you already did.
The whole thing has gotten disturbingly easy to run. Ready-made phishing kits are now sold as a service, which means even a low-skill attacker can spin up a convincing campaign against Microsoft 365 or Google Workspace without writing a line of code.
How These Attacks Actually Pull It Off
The Fake Login Page That Works Perfectly
An AiTM phishing site is not a clumsy copy of a login screen. It is a live relay that sits quietly between you and the real service. Every character you type and every response the real server sends passes through the attacker’s system as it happens.
From where you sit, nothing seems off. The page looks right, the logo is correct, the redirects work, and the MFA prompt shows up exactly when you expect it. Often the only hint is a slightly wrong web address, the kind of thing nobody notices on a phone screen or when they are rushing between meetings.
Why Your MFA Waves Them Right Through
This is where a lot of comfortable assumptions fall apart. MFA protects the moment you sign in. It does not protect what happens after. Once you clear the MFA check, the service hands your browser a session cookie, and that cookie tells the application you are already verified. No more passwords, no more prompts. The system simply trusts whoever is holding that cookie.
AiTM attacks just wait for the cookie to appear, then take it. Microsoft reported a 146% jump in these attacks over the past year as criminals shifted their attention to accounts that already had MFA turned on. Most of that growth is fueled by those rent-a-kit phishing platforms that let almost anyone run a believable relay attack against the big cloud providers.
What a Session Cookie Really Is
Think about getting into Jazz Fest. You show your ID and your ticket at the gate once, and in return you get a wristband. After that, nobody checks your ID again. You just flash the wristband and walk through. A session cookie works the same way. It is the digital wristband your account hands out after you prove who you are, and from then on it is your free pass.
Now picture someone slipping that wristband off your arm without you noticing. That is session theft in a nutshell. The attacker copies your cookie into their own browser and picks up right where you left off, inside an account that is already fully trusted. They never log in and they never trip an alarm, because as far as the system can tell, you are simply still working.
What Happens Once They’re Inside
The unsettling part of an AiTM attack is how quiet it is afterward. The intruder is operating inside a legitimate, verified session, so there are no failed logins, no strange MFA prompts, and nothing in the usual sign-in records that screams trouble.
Research from Proofpoint shows attackers who get in this way tend to do the same handful of things: set up hidden inbox rules to quietly forward mail, register their own MFA method so they keep access later, watch email threads for money conversations, and use the trusted account to phish coworkers or the finance team. For a law firm or accounting practice across Greater New Orleans, that can mean a wire fraud attempt or a client data leak that nobody catches until the damage is done. That quiet stretch is exactly why these attacks so often surface late.
How to Lower Your Risk
MFA is still essential, and strong sign-in habits are the foundation everything else rests on. But cutting your AiTM risk means putting controls in place that reach beyond the login screen itself.
Move to Phishing-Resistant MFA
Methods like FIDO2 hardware keys and passkeys bind your login to a specific device and to the genuine web address (the origin). A relay sitting in the middle simply cannot pass them along, because the whole thing breaks the instant the address is not the genuine one. The Canadian Centre for Cyber Security studied more than 100 of these campaigns aimed at Microsoft accounts and found that phishing-resistant MFA stopped session theft in cases where ordinary methods, including push notifications and one-time codes, did not.
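To show why the relay breaks, here is a simplified model of the check a FIDO2/passkey login goes through. This is an added example, not code from this post or from any vendor: the site names are made up, and an HMAC with a per-device secret stands in for the authenticator's real public-key signature. What it demonstrates is that the browser, not the page, writes the address it is on into the signed data, so a relay can neither forward the assertion from its look-alike address nor edit the address without breaking the signature.

```python
import hashlib
import hmac
import json

# Constructed, simplified model of the WebAuthn assertion check (added example, not
# the post's code). The HMAC with a per-device secret stands in for the
# authenticator's real asymmetric signature; what matters is that the signed data
# covers the origin the browser saw, so the relay can neither forward nor edit it.
RP_ID = "login.example.com"                       # genuine site (constructed)
GENUINE_ORIGIN = "https://login.example.com"
RELAY_ORIGIN = "https://login.example-com.net"    # look-alike address (constructed)

def _sign(device_secret: bytes, client_data: bytes) -> bytes:
    """Authenticator signs SHA256(rpId) || SHA256(clientDataJSON), as WebAuthn does."""
    signed = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.new(device_secret, signed, hashlib.sha256).digest()

def browser_assertion(device_secret: bytes, page_origin: str, challenge: str) -> dict:
    """The browser writes the origin it is really on into clientDataJSON; the page cannot."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return {"client_data": client_data, "signature": _sign(device_secret, client_data)}

def rp_verify(device_secret: bytes, assertion: dict, challenge: str) -> tuple:
    """Relying party checks challenge, origin, then the signature; returns (ok, reason)."""
    data = json.loads(assertion["client_data"])
    if data.get("challenge") != challenge:
        return False, "challenge mismatch"
    if data.get("origin") != GENUINE_ORIGIN:
        return False, "origin mismatch: " + str(data.get("origin"))
    if not hmac.compare_digest(_sign(device_secret, assertion["client_data"]), assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def direct_login(secret=b"device-secret-demo", challenge="c1"):
    """User on the genuine site: accepted."""
    return rp_verify(secret, browser_assertion(secret, GENUINE_ORIGIN, challenge), challenge)

def relayed_login(secret=b"device-secret-demo", challenge="c1"):
    """User on the relay's look-alike page; the relay forwards the assertion unchanged."""
    return rp_verify(secret, browser_assertion(secret, RELAY_ORIGIN, challenge), challenge)

def relayed_login_origin_edited(secret=b"device-secret-demo", challenge="c1"):
    """Same, but the relay rewrites the origin field before forwarding: signature no longer matches."""
    a = browser_assertion(secret, RELAY_ORIGIN, challenge)
    data = json.loads(a["client_data"])
    data["origin"] = GENUINE_ORIGIN
    a["client_data"] = json.dumps(data, sort_keys=True).encode()
    return rp_verify(secret, a, challenge)
```

In a real browser the failure happens even earlier, because a credential registered for login.example.com will not be offered at all on a page whose address does not match it.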
Watch for the Quiet Signs After Login
Catching an AiTM compromise usually means paying attention to what happens once someone is already in: a new MFA method registered out of nowhere, inbox rules created at two in the morning, a login from a city your staff has never visited, or files being touched in odd ways. Your sign-in logs alone will not raise the flag, so someone needs to be watching the behavior that follows.
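The signs listed above can be checked mechanically once the audit trail is in front of you. The following is an added example, not code from this post or from any product: the events are constructed in a simplified, vendor-neutral shape, and the field and operation names are assumptions (real Microsoft 365 or Google Workspace audit records look different). It flags a second valid sign-in from another country minutes after the first, a new MFA method registered soon after that, and an inbox rule that forwards mail outside the company or is created in the middle of the night.

```python
from datetime import datetime, timedelta

# Constructed audit events in a simplified, vendor-neutral shape (added example,
# not the post's or any product's code). Field and operation names are
# assumptions; real Microsoft 365 / Google Workspace audit records differ.
EVENTS = [
    {"ts": "2024-05-02T08:55:00", "user": "jane@example.com", "op": "UserLoggedIn", "country": "US"},
    {"ts": "2024-05-02T09:02:00", "user": "jane@example.com", "op": "UserLoggedIn", "country": "NL"},
    {"ts": "2024-05-02T09:04:00", "user": "jane@example.com", "op": "MfaMethodRegistered",
     "method": "AuthenticatorApp"},
    {"ts": "2024-05-03T02:10:00", "user": "jane@example.com", "op": "InboxRuleCreated",
     "forward_to": "archive@example-mail.net"},
    {"ts": "2024-05-03T10:00:00", "user": "bob@example.com", "op": "InboxRuleCreated",
     "forward_to": "bob@example.com"},
]

INTERNAL_DOMAIN = "example.com"
OFF_HOURS = set(range(0, 7)) | set(range(20, 24))   # local hours treated as unusual

def detect(events):
    """Return (user, reason) alerts for the post-login indicators of an AiTM compromise."""
    alerts = []
    last_login = {}     # user -> (time, country) of the previous successful sign-in
    suspicious_at = {}  # user -> time the sign-in pattern was first flagged
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user, op = datetime.fromisoformat(e["ts"]), e["user"], e["op"]
        if op == "UserLoggedIn":
            prev = last_login.get(user)
            # A second valid session from another country minutes later is what a
            # replayed cookie looks like: no failed login, no extra MFA prompt.
            if prev and prev[1] != e["country"] and ts - prev[0] < timedelta(hours=1):
                alerts.append((user, f"sign-in from {e['country']} shortly after {prev[1]}"))
                suspicious_at.setdefault(user, ts)
            last_login[user] = (ts, e["country"])
        elif op == "MfaMethodRegistered":
            # Registering a new factor right after a flagged sign-in is the persistence step.
            flagged = suspicious_at.get(user)
            if flagged and ts - flagged < timedelta(hours=24):
                alerts.append((user, f"new MFA method {e['method']} after suspicious sign-in"))
        elif op == "InboxRuleCreated":
            reasons = []
            if not e["forward_to"].endswith("@" + INTERNAL_DOMAIN):
                reasons.append("forwards mail to external address")
            if ts.hour in OFF_HOURS:
                reasons.append(f"created at {ts.strftime('%H:%M')}")
            if reasons:
                alerts.append((user, "inbox rule " + ", ".join(reasons)))
    return alerts
```

Running it on the sample produces three alerts for jane@example.com and none for bob@example.com, whose daytime rule only forwards within the company.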
Teach Your Team to Check the Address Bar
A staff member who understands that a working MFA prompt on a slightly odd page can still be a trap is far more likely to stop, look at the address, and speak up before any harm is done. A short, plain-English walkthrough of what these fake pages look like in everyday Microsoft 365 use goes a long way.
Stop Guarding Only the Front Door
MFA is a starting line, not a finish line. The businesses that actually shrink their AiTM risk are the ones that understand how sessions, tokens, and digital trust really work, and then build protection around each of those layers instead of just the login box.
That is the kind of proactive, behind-the-scenes work we handle at Bourn Technology. We would rather find the gap in your identity controls and close it now than meet you on the worst day of your year, after a stolen session has already turned into a fraud claim or an awkward call to a client. If you want a clear-eyed look at how your accounts hold up against this kind of attack, let’s talk before it becomes a problem. Call us at (504) 262-1234 or email hello@go.bourntech.com and we will walk you through where you stand.
Common Questions About AiTM Attacks
What is an Adversary-in-the-Middle (AiTM) attack?
It is a phishing technique where the attacker uses a live relay to sit between you and the real login service, capturing your session the moment you finish signing in so they can steal the cookie that proves you are verified.
Can AiTM attacks bypass MFA?
Yes, though not by cracking it. The attack simply waits until your MFA succeeds, then takes the authenticated session, so no further verification is ever needed.
How can businesses reduce the risk of AiTM attacks?
Switching to phishing-resistant MFA like passkeys, watching for unusual activity after login, training staff to check web addresses, and tightening access rules all work together to bring the risk down.