AiTM phishing attacks are on the rise: how to protect yourself

AiTM Phishing Attacks graphic - decorative

Adversary in The Middle phishing attacks have been around for a while. But now they’re on the rise in a big way. Responsible business owners need to know how to protect themselves.

This isn’t a minor threat. The consequences of this latest wave of phishing attacks include financial fraud, lost data, brand damage, potential consumer legal action, and worse.

Critically, Multi-Factor Authentication – that stalwart of good cybersecurity – might not be enough to protect you this time.

But there are ways to protect your business. Microsoft 365 can help mitigate it. The real solution though is a thorough, systematic approach to your cybersecurity.

Here is everything you need to know:

What is an Adversary in the Middle (AiTM) phishing attack?

In a phishing attack, a cybercriminal uses fake emails, texts, or phone calls to gain access to your computer or bank details. An AiTM (Adversary in the Middle) phishing attack is designed to penetrate one of the best defences against phishing – Multi-Factor Authentication (MFA).

AiTM involves an attacker “getting in the middle” of the MFA process. Here’s how it works:

  • When you sign in with MFA, you get what’s called a “session cookie”.
  • The session cookie is like a temporary pass card – with it, you don’t have to re-send your authentication for every single page you want to visit.
  • In an AiTM phishing attack, an attacker tries to steal your session cookie.

How do AiTM phishing attacks work?

The technical explanation of an AiTM phishing attack is pretty complicated. It goes something like this:

  1. The attackers create a proxy server.
  2. They likely purchase a very similar-looking domain name to yours (if your domain was “”, your attacker might purchase “”).
  3. They might also create a fake web page that looks like your website.
  4. A phishing email (maybe a legitimate-looking offer of sharing a file) prompts one of your team to log in.
  5. Your team member is then redirected to the attacker’s proxy server where they enter their MFA details and the attacker gets these and their session cookie.

If this works, your team member is probably none-the-wiser. Maybe they think the link was broken or something.

The attacker though, is in. They can use their access to target you, the rest of your team, and – most worryingly – your finance department.

Is MFA dead then?

This doesn’t mean MFA is any less important. If anything, AiTM being a thing is an indication of just how vital MFA is – simply because attackers have gone to such lengths to try to breach it.

Multi-Factor Authentication is a bedrock of good cybersecurity that is likely to remain for decades to come.

How to protect your business against AiTM attacks

1) Understand why MFA is so important

AiTM phishing essentially only exists because MFA is such an effective cybersecurity protection. Understanding what MFA is, how it works, and the protections it can provide is vital.

If you don’t have MFA in place, talk to your IT department or Managed Service Provider (MSP) about implementing it.

2) Know where AiTM gets around MFA

Unfortunately, no standard MFA method protects against AiTM. An SMS or phone call as an authentication factor, for instance, is no protection.

However, there are MFA methods based on hardware that can work. The simplest are to only allow successful logins if:

  • The device is marked as compliant
  • The location is trusted

This means the login attempt must be happening on a device your MSP or IT department has set up or in a location that is marked as trusted (though this can be challenging to set up).

3) Use Microsoft’s tools

Microsoft recognises the danger of AiTM phishing and has come up with some ways for its software to respond automatically if there’s a high confidence level that this is an attack.

Understanding the various licenses and systems your particular installation of Microsoft 365 has in place is very important here. The different options protect you in different ways. You might have some combination of:

  • Microsoft Defender for Endpoint
  • Microsoft 365 Defender
  • Microsoft Defender for Office 365
  • Microsoft Defender for Cloud Apps

Configuring these tools needs to be done by an expert. Speak with your MSP about it as soon as possible.

4) Revoke if danger detected

If a phishing attack is detected, your immediate response should ideally be to:

  1. Revoke the session cookies
  2. Reset passwords
  3. Check if the compromised user account made any changes to your MFA setup

5) More than anything else – be systematic

It’s always a mistake to consider your cybersecurity “done”. Cybercriminals are always looking for workarounds of the latest protections (as AiTM itself shows).

Simply ticking a couple of controls this time isn’t doing what’s necessary to protect your business in future.

Your IT department or MSP needs to put the right protection, detection, and response systems in place and make sure they’re regularly reviewed with the entire cybersecurity landscape in mind.

Want to discuss your current cybersecurity, risks, and the latest threats with an expert?

Dial A Geek has already helped nearly 1000 businesses in Bristol and beyond protect themselves and get the best out of their tech.

Set up a cost and commitment-free chat with Chief Geek Gildas Jones today.