What Is AiTM and How Hackers Use It in Attacks

Adversary-in-the-Middle (AiTM) phishing is a technique that lets attackers take over accounts, including accounts protected by multi-factor authentication (MFA), by proxying the victim's genuine login and capturing the authenticated session that results.

To understand AiTM, it helps to first look at how phishing traditionally worked.

How Phishing Used to Work

Traditional phishing relied on fake websites that imitated legitimate login pages, such as the Microsoft 365 sign-in page, to trick users into entering their username and password. The submitted credentials went straight to the attacker, who could use them to sign in as the victim as long as the account was not protected by MFA.

The New Method: AiTM Phishing

With MFA becoming the standard, attackers adapted with a more advanced technique called Adversary-in-the-Middle (AiTM) phishing. Instead of only collecting usernames and passwords, an AiTM attack relays the victim's live login session to the real service and captures the authenticated session that comes back, so the attacker never has to satisfy the MFA challenge themselves. Here's how it works:

  1. Setting Up the Fake Login System

    The attacker sets up a phishing server that does not merely display a static fake login page: it acts as a reverse proxy, relaying every request and response between the user and the real Microsoft 365 login page.

  2. The Victim Visits the Phishing Page

    When the user clicks the phishing link, they see the genuine Microsoft 365 login page, fetched from Microsoft by the attacker's server and served from the attacker's domain. Apart from the address bar, nothing looks wrong, and the user does not realize that every request and response is passing through a server that records it in real time.

  3. User Logs in Normally

    The victim enters their username and password and completes the MFA challenge (for example an SMS code or an authenticator app prompt). Because the requests reach the real service, the login genuinely succeeds, and to the user everything looks perfectly normal.

  4. The Hacker Steals the Session Token

    Once the login succeeds, Microsoft 365 returns a session cookie (often called a session token), a value that lets the browser stay signed in without authenticating again. Because that response passes through the attacker's server, the attacker copies the session cookie, along with the username and password, before relaying it on to the victim.

  5. The Hacker Uses the Session Token to Bypass MFA

    The real trick: a session cookie is a bearer credential, so the attacker can load the captured cookie into their own browser and use the victim's Microsoft 365 account without entering the username, password, or an MFA approval. The MFA challenge was already satisfied by the victim during the relayed login, so the service does not prompt for it again; the attacker skips MFA rather than breaking it.
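The five steps above as an added, self-contained simulation. This is not code from the original article and not any real phishing tool: a constructed fake identity provider stands in for the login service and enforces a password plus one-time code, a relay object stands in for the phishing server and records what passes through it, and the final request is the attacker presenting only the captured cookie. The names (FakeIdP, AitmProxy), the sample account, password and codes are all assumptions made for the example.

```python
import secrets


class FakeIdP:
    """Constructed stand-in for the real login service (not Microsoft's code)."""

    def __init__(self):
        # Sample account: (password, currently valid one-time code). Constructed data.
        self.users = {"alice@example.com": ("Passw0rd!", "123456")}
        self.sessions = {}  # session cookie value -> username

    def login(self, username, password, otp):
        """Password and MFA code are both required; returns a session cookie or None."""
        creds = self.users.get(username)
        if creds is None or creds[0] != password or creds[1] != otp:
            return None
        cookie = secrets.token_urlsafe(32)  # opaque bearer value, like a real session cookie
        self.sessions[cookie] = username
        return cookie

    def get_mailbox(self, cookie):
        """Any request carrying a valid session cookie is served; MFA is not re-prompted."""
        user = self.sessions.get(cookie)
        if user is None:
            return 401, None
        return 200, f"inbox of {user}"


class AitmProxy:
    """Phishing server that relays the login to the real service and records it."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured = []  # everything the attacker harvests: credentials plus cookie

    def relay_login(self, username, password, otp):
        # Step 3: the victim's real credentials and MFA code go to the real service.
        cookie = self.upstream.login(username, password, otp)
        # Step 4: the cookie in the response passes back through the proxy and is copied.
        if cookie is not None:
            self.captured.append({"user": username, "password": password, "cookie": cookie})
        # The victim receives the genuine cookie and sees a normal, successful login.
        return cookie


def run_scenario():
    """Runs steps 1 to 5 and reports what the attacker ends up with."""
    idp = FakeIdP()
    proxy = AitmProxy(idp)

    # A wrong MFA code yields nothing: the proxy does not defeat MFA, it relies on the
    # victim completing it.
    assert proxy.relay_login("alice@example.com", "Passw0rd!", "000000") is None
    assert proxy.captured == []

    victim_cookie = proxy.relay_login("alice@example.com", "Passw0rd!", "123456")

    # Step 5: the attacker, from their own machine, sends only the stolen cookie.
    stolen = proxy.captured[0]["cookie"]
    status, body = idp.get_mailbox(stolen)
    return {
        "victim_logged_in": victim_cookie is not None,
        "attacker_status": status,
        "attacker_sees": body,
        "cookie_reused": stolen == victim_cookie,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the simulation makes is in the last call: the service accepts the cookie on its own, with no password or MFA code, because nothing ties the cookie to the browser that earned it. A wrong one-time code leaves the attacker with nothing, which is why the relay must be transparent enough for the victim to finish MFA normally.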

Coming Soon: How to Prevent AiTM Attacks

Multi-factor authentication (MFA) on its own is no longer enough to fully protect your Microsoft 365 accounts. Our upcoming guide will cover how to recognize AiTM phishing attempts, which controls to implement, and how to safeguard your organization from these attacks.

Stay tuned for actionable steps on how to detect and prevent AiTM attacks.