Adversary-in-the-middle attacks surged 146% in the past year according to Microsoft's Digital Defense Report. What is AiTM and why is it on the rise?

Cybercriminals have adapted their tactics to target not just passwords, but the very process used to verify someone’s identity online. Enter Adversary-in-the-Middle (AiTM) attacks. The name may sound technical, but the concept is simple: an attacker inserts themselves into the communication between a user and a legitimate service, intercepting data and taking over the authenticated session without the victim realising.

How does an AiTM attack differ from classic MitM?

The term man-in-the-middle (MitM) has been around for many years in cybersecurity. A MitM attack places an attacker between two parties so they can eavesdrop on or modify communications. What sets AiTM apart is that the interception is aimed squarely at the authentication flow, at the point where users enter their login details and approve their MFA prompt. Rather than just observing traffic, the attacker participates in the authentication itself, relaying each step to the real service and capturing the session cookies or tokens the service issues to keep the user logged in.

In other words, while standard MitM attacks might intercept general communications, AiTM specifically targets the moment of authentication and the exact point where identity is verified. This distinction makes AiTM attacks effective at bypassing mechanisms like multi-factor authentication (MFA).



How an AiTM attack works

AiTM attacks are designed to appear routine to the victim while giving attackers full control of the authentication process. Rather than stealing credentials in isolation, the attacker actively intermediates the login session in real time.

Initial deception

The attack begins with a phishing message crafted to look like a legitimate request from a trusted service or internal team. Messages often create urgency, prompting users to verify their account, resolve a security issue or access a document. The link does not lead to a static fake page, but to attacker-controlled infrastructure that sits between the user and the real service.

Intercepting the login flow

When the victim clicks the link, their browser connects to a reverse proxy operated by the attacker. The proxy fetches content from the genuine website on the fly and serves it back, so the victim sees what is effectively the real login page, rendered under the attacker's look-alike domain. The proxy has its own valid TLS certificate for that domain, so the browser shows the usual padlock; the only visible giveaway is the hostname in the address bar, and because the page behaves normally the victim is unlikely to notice it.

Real-time credential capture

As the user enters their username and password, the proxy records the credentials and forwards them immediately to the legitimate service. If multi-factor authentication is required, the proxy relays the challenge to the user and the user's response (a one-time code or push approval) back to the service. Authentication completes successfully, and the attacker has watched the entire exchange without needing to defeat MFA directly.

Session token hijacking

Once authentication succeeds, the legitimate service issues session cookies or tokens that prove the user is logged in. Because these pass back through the proxy, the attacker captures them on the way to the victim's browser. A session cookie is a bearer token: whoever presents it is treated as the user, so the attacker can load it into their own browser and continue the authenticated session without re-entering the password or repeating MFA, effectively assuming the user’s identity.

Persistence and exploitation

Using the stolen session, attackers can access email, cloud services and internal applications with minimal friction. They often move quickly to establish persistence by altering account settings, adding authentication methods or granting application permissions. Even if the user changes their password, the attacker may retain access until the session is revoked.
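The following is an added example written for this article, not code from the page, from Integrity360 or from any phishing kit. It simulates the relay described in the steps above: the attacker's proxy forwards a password and one-time code to the real service, captures the session cookie that comes back, and replays it. It goes one step beyond the text with a second scenario showing why a credential whose response is bound to the site's origin (modelled loosely on a WebAuthn assertion) does not survive the same relay. The user, secrets, hostnames and the toy service are all constructed, and the HMAC-based "signature" stands in for the real public-key signature.

```python
"""Toy AiTM relay: password + OTP relayed and cookie replayed, versus an
origin-bound credential that fails through the proxy. Constructed example."""
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://login.example.com"          # constructed: the real service
PHISH_ORIGIN = "https://login.example-secure.com"   # constructed: attacker's proxy host


def authenticator_sign(key, challenge, origin):
    """The browser tells the authenticator which origin it is really talking to,
    and that origin is covered by the signature (HMAC stands in for a real signature)."""
    return hmac.new(key, (challenge + "|" + origin).encode(), hashlib.sha256).digest()


class Service:
    """Toy identity provider that issues a bearer session cookie after login."""

    def __init__(self):
        self.users = {"alice": {"password": "correct horse battery", "otp_seed": b"otp-seed",
                                "fido_key": b"authenticator-key"}}
        self.sessions = {}

    def current_otp(self, user):
        """Stand-in for the six-digit code shown in the user's authenticator app."""
        return hmac.new(self.users[user]["otp_seed"], b"time-step", hashlib.sha256).hexdigest()[:6]

    def _issue_cookie(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user   # bearer token: whoever presents it is treated as `user`
        return cookie

    def login_otp(self, user, password, otp):
        u = self.users.get(user)
        if u is None or u["password"] != password or otp != self.current_otp(user):
            return None
        return self._issue_cookie(user)

    def new_challenge(self):
        return secrets.token_hex(16)

    def login_fido(self, user, challenge, signature):
        """Verifier checks the signature over the origin IT expects, so an
        assertion produced for any other origin is rejected."""
        u = self.users.get(user)
        if u is None:
            return None
        expected = authenticator_sign(u["fido_key"], challenge, LEGIT_ORIGIN)
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue_cookie(user)

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class AiTMProxy:
    """Attacker's reverse proxy: relays every message to the real service and
    records the credentials and cookies that pass through it."""

    def __init__(self, service):
        self.service = service
        self.captured = []

    def login_otp(self, user, password, otp):
        cookie = self.service.login_otp(user, password, otp)   # relayed in real time
        if cookie is not None:
            self.captured.append({"user": user, "password": password, "cookie": cookie})
        return cookie   # the victim gets a working session, so nothing looks wrong

    def login_fido(self, user, challenge, signature):
        cookie = self.service.login_fido(user, challenge, signature)
        if cookie is not None:
            self.captured.append({"user": user, "cookie": cookie})
        return cookie


def otp_relay_scenario():
    """True when the attacker's replayed cookie is accepted as 'alice'."""
    svc = Service()
    proxy = AiTMProxy(svc)
    otp = svc.current_otp("alice")                          # victim reads the code from her phone
    victim_cookie = proxy.login_otp("alice", "correct horse battery", otp)
    stolen = proxy.captured[-1]["cookie"]
    # Attacker presents the stolen cookie straight to the service: no password
    # prompt, no MFA prompt, and it is the very session the victim is still using.
    return svc.whoami(stolen) == "alice" and stolen == victim_cookie


def fido_relay_scenario():
    """True when a relayed origin-bound assertion is accepted (it should not be)."""
    svc = Service()
    proxy = AiTMProxy(svc)
    challenge = svc.new_challenge()                         # proxy forwards it unchanged
    # The victim's browser is connected to PHISH_ORIGIN, so that is what gets signed.
    sig = authenticator_sign(svc.users["alice"]["fido_key"], challenge, PHISH_ORIGIN)
    return proxy.login_fido("alice", challenge, sig) is not None


def fido_direct_scenario():
    """Control case: the same credential used directly against the real origin."""
    svc = Service()
    challenge = svc.new_challenge()
    sig = authenticator_sign(svc.users["alice"]["fido_key"], challenge, LEGIT_ORIGIN)
    return svc.login_fido("alice", challenge, sig) is not None


if __name__ == "__main__":
    print("password+OTP relayed, cookie replayed:", otp_relay_scenario())   # True
    print("origin-bound credential relayed:      ", fido_relay_scenario())  # False
    print("origin-bound credential direct:       ", fido_direct_scenario()) # True
```

The point of the contrast is that the proxy never needs to break anything in the first scenario: every message it relays is genuine, and the cookie it keeps is a bearer credential the service cannot distinguish from the victim's. In the second scenario the relay is faithful too, but the signed response names the origin the browser actually connected to, which is not the one the verifier expects. Real WebAuthn additionally has the browser refuse to produce an assertion when the relying party ID does not match the page's domain, so the failure happens even earlier.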

Common tools and techniques attackers use

AiTM attacks are supported by readily available tools and frameworks that make them easier to deploy at scale. Attackers commonly use reverse proxy kits such as Evilginx2, EvilProxy and others to automate certificate handling, page cloning and session capture. These kits simplify the process of standing up a realistic-looking proxy that can intercept authentication flows.

Some attackers also use network-level techniques such as DNS manipulation, ARP spoofing or compromised Wi-Fi networks to redirect traffic through their infrastructure, although against an HTTPS service this only works invisibly if the attacker can also present a certificate the victim's browser trusts. Advanced campaigns may go further, compromising service providers or operating phishing-as-a-service platforms that host and manage the proxy infrastructure on behalf of affiliates.


Why AiTM attacks are so effective

The strength of AiTM lies in its ability to bypass the MFA protections that organisations depend on. Because the attacker relays the authentication responses in real time and captures the resulting session tokens, simply having MFA enabled does not prevent compromise. This applies to any factor the user can hand over, such as a one-time code, an SMS message or a push approval. It does not apply to phishing-resistant methods such as FIDO2 security keys and passkeys, whose response is cryptographically bound to the genuine site's origin and so cannot be relayed from a look-alike domain. Traditional defences such as firewalls, static password policies and basic email filtering are similarly ineffective against AiTM.

Detection can also be difficult. Since the victim genuinely logs in and MFA completes correctly, the identity provider records a successful, MFA-satisfied sign-in; the only oddities are that it came from the proxy's IP address rather than the user's, and that the same session is then used from a second client. Unless there is monitoring for unusual session patterns, device anomalies or impossible travel scenarios, the intrusion may go unnoticed.
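As an added example (not code from the page or from any vendor's product), the script below runs two of the session-pattern checks just mentioned over a handful of constructed sign-in events: a session identifier that is later used from a different IP address, network (ASN) or user agent than the interactive sign-in that created it, and two interactive sign-ins by the same user that are too far apart geographically for the time between them. The event format, field names, the 900 km/h threshold and the sample events are all assumptions made for the example; real identity-provider logs will need a small mapping step onto these fields.

```python
"""Two AiTM indicators over constructed sign-in events: session token reuse
from a second client, and impossible travel. Field names and thresholds are
assumptions for this example, not a vendor schema."""
import json
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample events (JSON Lines). alice: interactive MFA sign-in, then the
# same session id used four minutes later from another IP/ASN/browser (token replay).
# bob: two interactive sign-ins half an hour apart from Dublin and Sydney.
# carol: one session, consistently from one client (benign).
SAMPLE_EVENTS = """\
{"ts":"2024-05-01T08:00:00Z","user":"alice","session_id":"s-1","ip":"198.51.100.10","asn":"AS64500","ua":"Firefox/125 Windows","geo":[53.35,-6.26],"mfa":"satisfied","type":"interactive"}
{"ts":"2024-05-01T08:04:00Z","user":"alice","session_id":"s-1","ip":"203.0.113.77","asn":"AS64501","ua":"Chrome/124 Linux","geo":[52.52,13.40],"mfa":"n/a","type":"non-interactive"}
{"ts":"2024-05-01T09:00:00Z","user":"bob","session_id":"s-2","ip":"198.51.100.20","asn":"AS64500","ua":"Edge/124 Windows","geo":[53.35,-6.26],"mfa":"satisfied","type":"interactive"}
{"ts":"2024-05-01T09:30:00Z","user":"bob","session_id":"s-3","ip":"203.0.113.78","asn":"AS64501","ua":"Chrome/124 Linux","geo":[-33.87,151.21],"mfa":"satisfied","type":"interactive"}
{"ts":"2024-05-01T10:00:00Z","user":"carol","session_id":"s-4","ip":"198.51.100.30","asn":"AS64500","ua":"Safari/17 macOS","geo":[53.35,-6.26],"mfa":"satisfied","type":"interactive"}
{"ts":"2024-05-01T10:20:00Z","user":"carol","session_id":"s-4","ip":"198.51.100.30","asn":"AS64500","ua":"Safari/17 macOS","geo":[53.35,-6.26],"mfa":"n/a","type":"non-interactive"}
"""

MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than this between sign-ins is 'impossible travel'


def parse_events(text):
    """Parse JSON Lines into dicts with a timezone-aware datetime, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(a, b):
    """Great-circle distance between two [lat, lon] points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect_session_reuse(events):
    """Flag a session id whose later activity comes from a different IP, ASN or
    user agent than the sign-in that created it. After an AiTM phish the login
    is seen from the proxy and the cookie is then replayed from the attacker's
    own client, so the same session shows up from two network positions."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        first = evs[0]
        for later in evs[1:]:
            changed = [f for f in ("ip", "asn", "ua") if later[f] != first[f]]
            if changed:
                findings.append({"rule": "session_token_reuse", "user": first["user"],
                                 "session_id": sid, "changed": changed,
                                 "minutes_after_login": (later["ts"] - first["ts"]).total_seconds() / 60})
    return findings


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive interactive sign-ins by one user that imply travel
    faster than max_kmh. Written as km > speed * hours so two simultaneous
    sign-ins from different places are flagged without dividing by zero."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "interactive":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["geo"], cur["geo"])
            if km > max_kmh * hours:
                findings.append({"rule": "impossible_travel", "user": user, "km": round(km),
                                 "hours": round(hours, 2), "from": prev["ip"], "to": cur["ip"]})
    return findings


def run(text=SAMPLE_EVENTS):
    """Run both detections and return the combined list of findings."""
    events = parse_events(text)
    return detect_session_reuse(events) + detect_impossible_travel(events)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Neither rule on its own is proof of compromise: a laptop moving from office Wi-Fi to a mobile hotspot changes IP and ASN, and a user on a VPN can look like they have jumped continents. What makes them useful for AiTM is the combination with the sign-in itself: an MFA-satisfied interactive login from an address the user has never used, followed within minutes by the same session from yet another client, is the shape the attack leaves in the logs.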



Reducing AiTM risk with a layered security approach

Integrity360 helps organisations reduce the risk of AiTM attacks through a layered, intelligence-led approach. Managed Security Awareness services strengthen the human layer by helping users recognise phishing lures, suspicious login prompts and social engineering tactics that often initiate AiTM campaigns. By improving awareness and reinforcing secure behaviour, organisations can significantly reduce the likelihood of an attacker successfully placing themselves in the authentication flow.


At the identity layer, Managed Identity Security provides deeper visibility into how identities are being used and abused across cloud and on-premises environments. This includes monitoring for anomalous authentication behaviour, risky session activity, token misuse and unauthorised changes to identity configurations. These insights are critical for detecting AiTM-related compromise early, before attackers establish persistence or escalate access.

When attackers do get through, rapid detection and response becomes essential. Managed Detection and Response (MDR) enables continuous monitoring of identity, endpoint, cloud and network telemetry, allowing suspicious activity associated with AiTM attacks to be identified and contained quickly. This reduces dwell time and limits the opportunity for attackers to move laterally, exfiltrate data or deploy follow-on attacks.


Finally, CTEM as a Service supports organisations in understanding and reducing exposure across their evolving attack surface. By continuously identifying, prioritising and validating real-world exposures, CTEM helps ensure that identity weaknesses, misconfigurations and high-risk access paths exploited by AiTM attacks are addressed proactively rather than reactively.

AiTM attacks are not a passing trend. They are a reflection of how attackers are adapting to modern security controls. With the right combination of awareness, identity protection, detection capabilities and continuous exposure management, organisations can significantly reduce the likelihood and impact of these attacks. Integrity360 brings these capabilities together to help organisations secure identities, protect users and stay ahead of an increasingly identity-driven threat landscape.

If you need assistance tackling the AiTM threat, get in touch with our experts.

