A phishing attack called Adversary-in-the-Middle (AitM) discovered

Phishing Cyberattack Adversary-in-the-Middle AitM Threat Advisory Cybersecurity BEC

Researchers from Microsoft disclosed the details of an extensive phishing operation that exclusively steals the passwords of its targets, which can also bypass MFA authentication. The new phishing strategy is called Adversary-in-the-Middle (AitM).

Subsequently, the threat actors use previously stolen credentials from past attacks to operate a BEC campaign against new targets.

Based on reports, the AitM phishing strategy involves the adversary launching a proxy server between the operator’s target user and the website they want to access.

This method could allow any malicious threat actor to intercept and grab the target’s session cookies and passwords. However, users should note that this attack does not constitute any mistake in MFA since the threat actors steal session cookies.

Therefore, the adversaries could get an authenticated irrespective sing-in method of its targets, which is not covered by the MFA security function.


Threat actors who utilised the AitM tactic have already targeted thousands of entities.


Recent reports show that attackers who have used the Adversary-in-the-Middle phishing campaign have targeted approximately 10,000 organisations since September last year.

The threat actors have impersonated the Microsoft Office online authentication page to target the users of Office 365. Moreover, the threat actors launched a web server that spoofs HTTP packets from the user to steal their session cookies.

This method allows the adversary to take what they need if the user accesses the threat actors’ impersonate a website.

Additionally, this phishing campaign is very convenient for the threat actors since they do not need to develop a phishing website to intercept session cookies from their targets.

The threat actors can then start executing payment fraud by authenticating the accounts to Outlook and accessing emails and files related to the fund. Furthermore, the malicious actors can delete the original phishing email from their target’s inbox to hide their initial access and avoid getting analysed by security researchers.

Cybercriminal strategies are rapidly adapting to every situation. This idea has been proven by the recent emergence of the AitM tactic that can bypass the MFA feature while stealing critical information such as session cookies and passwords.

About the author

Leave a Reply