
How Does an Adversary-in-the-Middle (AiTM) Attack Bypass MFA and EDR?
Understanding Adversary-in-the-Middle (AiTM) Attacks
Multi-factor authentication (MFA) has long been considered a robust defense against credential theft, and Endpoint Detection and Response (EDR) systems are vital for real-time threat analysis. However, a sophisticated threat known as the Adversary-in-the-Middle (AiTM) attack has emerged, capable of bypassing both of these critical security layers. This technique represents a significant evolution in phishing, moving beyond static credential collection to active, real-time interception and manipulation of user communications.
How AiTM Attacks Operate
Traditional phishing campaigns typically aim to trick users into divulging their credentials on a malicious look-alike page. AiTM attacks, sometimes referred to as “pass-the-cookie” attacks, operate differently. Instead of simply collecting credentials, the attacker positions themselves as a proxy between the user and the legitimate service. When a user attempts to log in, the AiTM attacker intercepts the entire authentication process.
- Real-time Interception: The attacker’s proxy server sits between the user’s browser and the legitimate website. All traffic, including login attempts, MFA challenges, and subsequent session cookies, flows through the attacker’s controlled infrastructure.
- Credential Harvesting and Session Hijacking: As the user enters their username and password, the attacker captures them. Crucially, when the legitimate service sends an MFA challenge (e.g., a one-time code or push notification), the attacker’s proxy forwards it to the user. Once the user authenticates, the legitimate service issues a session cookie. The attacker immediately captures this active, authenticated session cookie.
- Bypassing MFA: Because the attacker is proxying the entire legitimate login flow, including the MFA challenge, they don’t need to defeat MFA in the traditional sense. The user themselves completes the MFA challenge on the attacker’s behalf. The attacker simply captures the subsequent authenticated session.
- Evading EDR: EDR systems often focus on detecting malicious executables, unusual process behavior, or unauthorized network connections originating from the endpoint. AiTM attacks, however, leverage legitimate user actions and valid session cookies. The initial “malware” is often just a sophisticated phishing email leading to a legitimate-looking proxy URL. The malicious activity occurs primarily at the network and application layer, making it harder for endpoint-centric EDR to flag as inherently malicious. While EDR might flag suspicious network connections to unknown domains, the attack’s effectiveness relies on deceiving the user regarding the legitimacy of the proxy.
The AiTM Attack Flow: A Technical Overview
An AiTM attack typically unfolds in several stages:
- Initial Lure: The attacker sends a convincing phishing email, SMS, or instant message designed to entice the victim to click a link. This link points to the attacker’s controlled proxy server, not directly to the legitimate service.
- Proxy Negotiation: When the victim clicks the link, their browser is redirected to the attacker’s proxy. This proxy then initiates a connection to the legitimate service (e.g., Office 365, Google Workspace, financial institution).
- Credential Phishing & MFA Relay: The legitimate service presents its login page. The attacker’s proxy displays this legitimate page to the victim. The victim enters their username and password. The proxy captures these credentials and forwards them to the legitimate service. If MFA is enabled, the legitimate service sends an MFA challenge to the victim. The attacker’s proxy relays this challenge to the victim, and the victim completes it.
- Session Cookie Interception: Once the victim successfully authenticates with the legitimate service (including MFA), the legitimate service issues an authenticated session cookie. The attacker’s proxy intercepts this cookie before it reaches the victim’s browser.
- Session Replay/Hijacking: With the valid, authenticated session cookie in hand, the attacker can now use it to impersonate the victim to the legitimate service, bypassing any further MFA prompts. This allows them to access emails, cloud storage, financial accounts, and other sensitive information.
Notable AiTM Implementations and Tools
Several tools and frameworks facilitate AiTM attacks due to their effectiveness in relaying authentication and sessions.
- EvilProxy: A well-known phishing-as-a-service (PaaS) platform that employs AiTM capabilities, providing ready-to-use phishing kits that proxy traffic and steal session cookies.
- Modlishka: An open-source reverse proxy tool designed for phishing. It can intercept credentials and session tokens, making it a popular choice for researching and demonstrating AiTM attacks.
- AITMProxy: A concept and tool that specifically focuses on the adversarial proxying of traffic to bypass multi-factor authentication.
Remediation Actions and Mitigations Against AiTM Attacks
Defending against AiTM attacks requires a multi-layered approach that goes beyond traditional security measures. Since these attacks leverage legitimate authentication flows, the focus shifts to strengthening authentication protocols and improving user awareness.
- FIDO2/WebAuthn for Phishing-Resistant MFA: Hardware security keys based on FIDO2 (Fast Identity Online) and WebAuthn standards are the most effective defense. These technologies bind the authentication process to the specific origin (domain) of the legitimate service. Even if a user lands on a phishing site, the browser reports the page’s real origin and the credential registered for the legitimate domain cannot be exercised for the look-alike domain, so the sign-in fails. This makes session interception impossible for the attacker. Examples include YubiKey and Google Titan Security Key.
- Conditional Access Policies: Implement strict conditional access policies based on device compliance, location, IP address, and behavior. Unusual login patterns (e.g., impossible travel, unknown device, atypical IP range) should trigger re-authentication or block access, even if a valid session cookie is presented by an attacker.
- Enhanced Email Security & User Training: Aggressive email filtering for phishing attempts is crucial. Beyond technical controls, intensive and continuous security awareness training is paramount. Users must be educated about the risks of clicking suspicious links, verifying URLs, and reporting unusual login experiences. Emphasize examining the URL bar for the legitimate domain, even after MFA prompts.
- Browser Security Best Practices: Encourage and enforce the use of browsers with strong built-in phishing and malware protection. Browsers are becoming more adept at identifying and warning about malicious sites.
- Network Traffic Monitoring & Anomaly Detection: While EDR might not catch the AiTM attack itself, suspicious network connections to newly registered domains or unusual traffic patterns should be flagged and investigated by Security Information and Event Management (SIEM) or Network Detection and Response (NDR) solutions. Correlate login origins with physical locations.
- Identity Protection Services: Solutions that monitor for compromised credentials and impossible travel scenarios can help detect post-compromise activity, even if the initial session hijack bypassed MFA.
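To make the origin-binding point concrete, here is an added example (not from the original article or any FIDO library) of the relying-party checks a WebAuthn server performs on a sign-in assertion. It assumes a constructed RP ID `login.example.com` and, for brevity, stands in an HMAC under a shared secret for the credential’s ECDSA signature and public key.

```python
import hashlib, hmac, json, os

# Relying party (RP) configuration: the legitimate origin and RP ID (constructed values).
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
# Stand-in for the credential key pair: an HMAC under a shared secret replaces the
# authenticator's ECDSA private key and the RP's stored public key (assumption, for brevity).
CREDENTIAL_KEY = b"constructed-credential-key"


def browser_and_authenticator(page_origin: str, challenge: bytes) -> dict:
    """Simulate the browser and security key answering navigator.credentials.get().
    The browser, not the page, fills in `origin` and hashes the RP ID it actually served."""
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP|UV set) || 4-byte signature counter
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion: dict, challenge: bytes) -> tuple[bool, str]:
    """RP-side checks from the WebAuthn assertion ceremony that make a proxied login fail."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge.hex():
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user presence flag not set"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login_attempt(page_origin: str) -> tuple[bool, str]:
    """Full round trip: the RP issues a challenge, the user's browser answers from
    `page_origin`, and the RP verifies. A proxy relays bytes but cannot change the origin."""
    challenge = os.urandom(32)
    return rp_verify(browser_and_authenticator(page_origin, challenge), challenge)
```

Rewriting the `origin` field in transit does not help the proxy either: the signature covers both the hashed clientDataJSON and the rpIdHash of the host the browser really loaded.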
Conclusion
AiTM attacks represent a significant escalation in the sophistication of cyber threats. By actively relaying and intercepting live authentication sessions, they effectively neutralize the protective capabilities of traditional MFA and, by their nature, often fly under the radar of endpoint-centric EDR solutions. The move towards phishing-resistant MFA, specifically FIDO2/WebAuthn, combined with robust conditional access policies and continuous user education, is imperative for organizations to counter this evolved threat landscape.
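As an added illustration of the conditional-access and session-anomaly checks described in the mitigations above (not code from the article or any product), the following Python runs two detections over constructed sign-in telemetry: a session cookie presented from a source IP other than the one that passed MFA, and impossible travel between a user’s consecutive events. The log format, field names and the 900 km/h threshold are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple

# Constructed telemetry (assumption): timestamp|user|event|session_id|src_ip|lat|lon
LOG = """\
2024-05-02T09:00:05Z|alice|session_use|S0|203.0.113.10|51.50|-0.12
2024-05-02T09:03:12Z|alice|mfa_success|S1|198.51.100.77|40.71|-74.00
2024-05-02T09:09:00Z|alice|session_use|S1|198.51.100.200|40.71|-74.00
2024-05-02T10:15:00Z|bob|mfa_success|S2|192.0.2.33|48.85|2.35
2024-05-02T10:20:00Z|bob|session_use|S2|192.0.2.33|48.85|2.35
"""

class Event(NamedTuple):
    ts: datetime
    user: str
    kind: str
    session: str
    ip: str
    lat: float
    lon: float

def parse(log: str) -> list[Event]:
    events = []
    for line in log.splitlines():
        ts, user, kind, sid, ip, lat, lon = line.split("|")
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, kind, sid, ip, float(lat), float(lon)))
    return events

def km(a: Event, b: Event) -> float:
    """Great-circle (haversine) distance between two events' geolocations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events: list[Event], max_kmh: float = 900.0) -> list[str]:
    """Flag (1) a cookie used from an IP other than the one that passed MFA and (2) any
    event implying impossible travel since the user's previous event (a proxy sign-in
    usually originates from attacker infrastructure far from the user's normal location)."""
    minted, last, alerts = {}, {}, []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "mfa_success":
            minted[e.session] = e
        elif e.session in minted and e.ip != minted[e.session].ip:
            alerts.append(f"{e.user}/{e.session}: cookie minted at {minted[e.session].ip} used from {e.ip}")
        if e.user in last:
            hours = (e.ts - last[e.user].ts).total_seconds() / 3600
            if hours > 0 and km(last[e.user], e) / hours > max_kmh:
                alerts.append(f"{e.user}: {km(last[e.user], e):.0f} km in {hours * 60:.0f} min")
        last[e.user] = e
    return alerts
```

In the constructed log, alice’s MFA completes from a New York address three minutes after her last London activity (the proxy signing in on her behalf), and the resulting cookie is then presented from a second address; bob’s normal sign-in produces no alerts.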