Cybersecurity Knowledge Base

CyberPedia


Your essential guide to cybersecurity threats, attacks, and defenses. Understand the risks. Protect your business.

Adversary-in-the-Middle (AiTM)


Overview

Adversary-in-the-Middle (AiTM) is the current name for man‑in‑the‑middle attacks (MITRE ATT&CK tracks it as technique T1557). In practice the term is most often used for one widespread variant: an attacker-controlled reverse proxy placed between a user and a legitimate web login, which relays traffic in both directions so the login looks and works normally while the attacker captures credentials, MFA responses and, most importantly, the session cookies or tokens the service issues once authentication succeeds. In plain terms: the attacker sits between you and the real site, passing everything through so it looks normal, while secretly keeping a copy of what you send and receive.

What an AiTM Attack Involves

In an AiTM scenario, the attacker typically:

  • Sets up a proxy or fake front-end site that closely mimics a legitimate login page (for example, a cloud email or SSO portal).

  • Tricks victims—often via phishing links—into visiting this proxy instead of the real site.

  • Forwards the victim’s input (username, password, MFA code) to the real site in real time, then captures session cookies or tokens from the genuine response.

  • Replays the captured session cookie or token from attacker infrastructure. Because the cookie was issued after MFA completed, the service treats it as an already-authenticated session and does not prompt again; access continues until the session expires or is explicitly revoked.
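
The relay described above, modelled end to end as an added example (this is not code from the original page or from any real phishing kit): a toy identity provider that checks a password and an RFC 6238 TOTP code and then hands out a bearer session cookie, and an attacker proxy that forwards the victim's submission unchanged and keeps a copy of what comes back. The usernames, passwords and TOTP seed are constructed for the demo. Real kits do the same thing at the HTTP layer, rewriting hostnames and Set-Cookie headers; the point shown here is only the trust relationship: once the cookie exists, the attacker never has to answer an MFA prompt.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret (not a real credential).
TOTP_SEED = b"demo-user-totp-seed"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class IdentityProvider:
    """The legitimate service: password + TOTP, then a bearer session cookie."""

    def __init__(self):
        self.users = {"alice": ("correct horse battery", TOTP_SEED)}  # constructed
        self.sessions = {}     # cookie value -> username
        self.used_codes = set()  # (user, code) already accepted; RFC 6238 advises rejecting reuse

    def login(self, user, password, code, unix_time):
        record = self.users.get(user)
        if record is None:
            return None
        stored_password, seed = record
        if not hmac.compare_digest(stored_password.encode(), password.encode()):
            return None
        if not hmac.compare_digest(totp(seed, unix_time), code) or (user, code) in self.used_codes:
            return None
        self.used_codes.add((user, code))
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        # A bearer cookie is accepted from anywhere; MFA is not re-checked.
        return self.sessions.get(cookie)


class AitmProxy:
    """Attacker's reverse proxy: relays the victim's input to the real IdP
    and keeps a copy of the password, the MFA code and the returned cookie."""

    def __init__(self, upstream: IdentityProvider):
        self.upstream = upstream
        self.captured = []

    def login(self, user, password, code, unix_time):
        cookie = self.upstream.login(user, password, code, unix_time)
        if cookie is not None:
            self.captured.append({"user": user, "password": password, "code": code, "cookie": cookie})
        return cookie  # the victim also gets a working session, so nothing looks wrong


def run_demo(now: int = 1_700_000_000) -> dict:
    idp = IdentityProvider()
    proxy = AitmProxy(idp)

    # Victim types the password and the current TOTP into the lookalike page.
    victim_cookie = proxy.login("alice", "correct horse battery", totp(TOTP_SEED, now), now)
    stolen = proxy.captured[0]

    return {
        "victim_logged_in": idp.whoami(victim_cookie) == "alice",
        # The attacker presents only the captured cookie: no password, no MFA prompt.
        "attacker_logged_in": idp.whoami(stolen["cookie"]) == "alice",
        # Replaying the captured password + code instead is rejected (code already consumed);
        # the cookie, not the credentials, is what makes the attack MFA-proof.
        "code_replay_rejected": idp.login("alice", stolen["password"], stolen["code"], now) is None,
    }


if __name__ == "__main__":
    print(run_demo())
```

The `totp` function is a complete RFC 6238 implementation, so the demo can be checked against the RFC's own test vectors (seed `12345678901234567890`, time 59 gives `287082`).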

How AiTM Differs from Classic MitM

The term covers classic network-level man‑in‑the‑middle as well, but the phishing-proxy variant that dominates current reporting has some distinct characteristics:

  • Focus on web and identity

    • Often targets browser-based logins for cloud services, SSO portals, and email rather than generic network traffic.

  • Session and token theft

    • The goal is frequently to steal authenticated session cookies or tokens, not just credentials.

  • MFA bypass

    • The victim really does complete MFA on the genuine service, just through the proxy, and the resulting authenticated cookie is what the attacker keeps. One-time codes, SMS and push approvals are all relayed this way; only authenticators that bind the response to the site's origin resist it.

Common AiTM Techniques

Attackers often use:

  • Reverse-proxy phishing kits

    • Tools that dynamically mirror the real login experience in the browser while proxying traffic through attacker-controlled infrastructure.

  • Convincing phishing campaigns

    • Emails, SMS, or chats that link to the AiTM proxy with branded pages, valid-looking domains (often lookalike or abused legitimate services), and valid HTTPS certificates, which automated CAs issue for any domain the attacker controls.

  • Real-time interaction

    • Attackers or automated kits respond fast enough to handle MFA prompts and push approvals during the victim’s login attempt.

What Attackers Can Do After AiTM Success

With stolen sessions or tokens, attackers may:

  • Access mailboxes and collaboration tools

    • Read emails, search for sensitive content, and impersonate the user in ongoing conversations.

  • Move laterally in cloud environments

    • Use SSO to reach additional apps where the user has access, including admin or financial systems.

  • Launch business email compromise (BEC)

    • Send convincing messages from the real account to initiate fraudulent payments or data exfiltration.

  • Plant further persistence

    • Create inbox forwarding or deletion rules, app passwords, OAuth grants, additional MFA methods or devices, or new access and refresh tokens to maintain access even after the password changes.

Key Protections (Plain-Language)

To reduce AiTM risk:

  • Use phishing-resistant MFA where possible

    • Prefer FIDO2/WebAuthn security keys or platform authenticators (passkeys). The credential is scoped to the real site's domain (the relying-party ID), the browser refuses to use it on a lookalike host, and the signed response includes the page origin and a server-issued one-time challenge, so a proxy cannot obtain a response the real site will accept.
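
The origin binding described above, as an added example that is not code from the original page or from any WebAuthn library: a toy authenticator, browser and relying party that reproduce the checks a real WebAuthn sign-in performs (relying-party ID against the page host, origin and challenge inside the signed client data, single-use challenges). The hostnames are constructed for the demo, and an HMAC stands in for the authenticator's private-key signature, so unlike real WebAuthn the relying party here could forge a response; that simplification does not affect the three checks the example demonstrates.

```python
import hashlib
import hmac
import json
import secrets

# Constructed hostnames for the demo; no real service is modelled.
REAL_RP_ID = "login.example.com"
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-secure.com"


class Authenticator:
    """Holds one credential per relying-party ID (rpId), as a FIDO2 authenticator does.
    HMAC stands in for the private-key signature over authenticatorData || hash(clientDataJSON)."""

    def __init__(self):
        self.credentials = {}  # rpId -> key

    def register(self, rp_id):
        self.credentials[rp_id] = secrets.token_bytes(32)
        return self.credentials[rp_id]  # the RP stores this as the credential's verifier

    def sign(self, rp_id, client_data):
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # the rpIdHash field
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self.credentials[rp_id], signed, hashlib.sha256).digest()


def browser_get_assertion(authn, page_origin, rp_id, challenge, enforce_rp_id=True):
    """Browser side of navigator.credentials.get(): rpId must equal the page's host or be a
    registrable suffix of it, and the browser, not the page, writes the origin into clientDataJSON."""
    host = page_origin.split("://", 1)[1]
    if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    auth_data, signature = authn.sign(rp_id, client_data)
    return client_data, auth_data, signature


class RelyingParty:
    """Server-side verification: type and origin, fresh challenge, rpIdHash, then signature."""

    def __init__(self, rp_id, origin, verifier_key):
        self.rp_id, self.origin, self.key = rp_id, origin, verifier_key
        self.pending = set()

    def new_challenge(self):
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data, auth_data, signature):
        try:
            cd = json.loads(client_data)
        except ValueError:
            return False
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False  # an assertion made on the proxy's origin is rejected here
        if cd.get("challenge") not in self.pending:
            return False  # replayed or attacker-chosen challenge
        if auth_data != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        expected = hmac.new(self.key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self.pending.discard(cd["challenge"])  # single use
        return True


def run_demo():
    authn = Authenticator()
    rp = RelyingParty(REAL_RP_ID, REAL_ORIGIN, authn.register(REAL_RP_ID))
    results = {}

    # 1. Genuine sign-in on the real origin, then a replay of the same bytes.
    assertion = browser_get_assertion(authn, REAL_ORIGIN, REAL_RP_ID, rp.new_challenge())
    results["genuine"] = rp.verify(*assertion)
    results["replay"] = rp.verify(*assertion)

    # 2. AiTM proxy relays a real challenge to the lookalike page: the browser refuses outright.
    challenge = rp.new_challenge()
    try:
        browser_get_assertion(authn, PHISH_ORIGIN, REAL_RP_ID, challenge)
        results["browser_refused"] = False
    except ValueError:
        results["browser_refused"] = True

    # 3. Even with that browser check disabled, the signed clientDataJSON names the phishing
    #    origin, and rewriting it to the real origin breaks the signature.
    client_data, auth_data, sig = browser_get_assertion(
        authn, PHISH_ORIGIN, REAL_RP_ID, challenge, enforce_rp_id=False)
    results["origin_mismatch"] = rp.verify(client_data, auth_data, sig)
    rewritten = client_data.replace(PHISH_ORIGIN.encode(), REAL_ORIGIN.encode())
    results["tampered_origin"] = rp.verify(rewritten, auth_data, sig)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Step 3 cannot happen in a real browser, which never gets past step 2; it is included to show that the server-side origin and signature checks are a second, independent layer. Contrast this with the TOTP flow: nothing in a six-digit code ties it to the site it was typed into, which is exactly what the proxy exploits.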

  • Harden identity and access policies

    • Enforce conditional access (device posture, location, risk-based controls), require re‑authentication or step‑up MFA for sensitive actions, and keep session lifetimes short for privileged users. When a compromise is suspected, revoke the user's sessions and refresh tokens explicitly; a password reset alone does not invalidate a stolen session cookie.

  • Deploy robust email and web protection

    • Filter phishing emails, block known malicious or suspicious domains, and inspect links at click time where feasible.

  • Monitor for suspicious sessions and sign-ins

    • The characteristic AiTM pattern is an MFA-satisfied sign-in from an IP the user has never used (often a hosting provider, since it is the proxy that talks to the service), followed within minutes by the same session being used from yet another IP or user agent. Alert on that sequence, and on what typically follows it: new inbox rules, risky OAuth consents, new app registrations, and newly registered MFA methods.
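
The sequence described above, turned into detection logic as an added example (not code or a log format from the original page or from any particular identity product): a small analyser run over constructed JSON-lines events, with a constructed per-user IP baseline. It links three signals on one session: an MFA-satisfied sign-in from an unfamiliar IP (the proxy), reuse of that session from a different IP or user agent within a time window (the attacker's own client), and a persistence action on a session already flagged. Field names such as `session`, `mfa` and `ua` are assumptions; map them to your own provider's sign-in and audit logs.

```python
import json
from datetime import datetime, timedelta

# Constructed events in a generic JSON-lines shape (not a real product's log format).
# alice is the AiTM victim; bob is a normal user signing in from a known address.
SAMPLE_LOG = """\
{"ts":"2024-05-02T08:01:10+00:00","user":"alice","event":"signin","mfa":"satisfied","ip":"203.0.113.7","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124","session":"s-1001"}
{"ts":"2024-05-02T08:03:40+00:00","user":"alice","event":"session_use","ip":"198.51.100.23","ua":"python-requests/2.31","session":"s-1001"}
{"ts":"2024-05-02T08:05:02+00:00","user":"alice","event":"inbox_rule_created","ip":"198.51.100.23","ua":"python-requests/2.31","session":"s-1001","detail":"move subject:invoice to RSS Feeds"}
{"ts":"2024-05-02T09:00:00+00:00","user":"bob","event":"signin","mfa":"satisfied","ip":"192.0.2.44","ua":"Mozilla/5.0 (Macintosh) Safari/17","session":"s-1002"}
{"ts":"2024-05-02T09:20:00+00:00","user":"bob","event":"session_use","ip":"192.0.2.44","ua":"Mozilla/5.0 (Macintosh) Safari/17","session":"s-1002"}
"""

# Constructed per-user baseline: IPs seen for each account over the preceding weeks.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.44"}}

# Post-compromise actions worth tying back to a suspect session (names are assumptions).
PERSISTENCE_EVENTS = {"inbox_rule_created", "oauth_consent", "mfa_method_added", "app_password_created"}


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, ordered by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_aitm(text, known_ips, window=timedelta(minutes=60)):
    """Return (user, session, finding) tuples, in event order.

    1. mfa_signin_from_unfamiliar_ip: MFA-satisfied sign-in from an IP outside the baseline.
    2. session_reused_from_new_ip_or_ua: the session is used within `window` of issue from a
       different IP or user agent than the one that completed MFA (reported once per session).
    3. persistence_after_suspect_session:<event>: a persistence action on a flagged session.
    """
    findings = []
    issued = {}      # session id -> the sign-in event that created it
    suspect = set()  # sessions flagged by signal 1 or 2
    reused = set()   # sessions already reported under signal 2

    for ev in parse_events(text):
        sid = ev.get("session")
        if ev["event"] == "signin" and ev.get("mfa") == "satisfied":
            issued[sid] = ev
            if ev["ip"] not in known_ips.get(ev["user"], set()):
                findings.append((ev["user"], sid, "mfa_signin_from_unfamiliar_ip"))
                suspect.add(sid)
            continue

        origin = issued.get(sid)
        if origin is None:
            continue  # no sign-in seen for this session in the window under analysis
        moved = ev["ip"] != origin["ip"] or ev["ua"] != origin["ua"]
        if moved and ev["ts"] - origin["ts"] <= window and sid not in reused:
            reused.add(sid)
            suspect.add(sid)
            findings.append((ev["user"], sid, "session_reused_from_new_ip_or_ua"))
        if ev["event"] in PERSISTENCE_EVENTS and sid in suspect:
            findings.append((ev["user"], sid, f"persistence_after_suspect_session:{ev['event']}"))
    return findings


if __name__ == "__main__":
    for user, session, finding in detect_aitm(SAMPLE_LOG, KNOWN_IPS):
        print(f"{user}\t{session}\t{finding}")
```

Signal 2 is the strongest on its own, because a legitimate user rarely changes both network and browser within minutes of finishing MFA; signal 1 alone generates noise for travelling users, which is why the two are correlated on the session identifier rather than alerted separately. Enriching the sign-in IP with its ASN (hosting provider versus residential ISP) sharpens signal 1 further.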

  • Educate users about modern phishing

    • Make clear that a lock icon and HTTPS prove nothing here, because the proxy site has a valid certificate too. Teach users to check the domain in the address bar, to reach login pages through bookmarks rather than links, and to treat unexpected login or MFA prompts, especially ones that arrive right after clicking a link, as a reason to stop and report.