AiTM Attacks on Microsoft 365

For years, the standard security advice was simple: enable MFA and stolen passwords stop being a problem. That advice isn't wrong — MFA still blocks the vast majority of credential-based attacks. But a specific class of attack has emerged that doesn't need to defeat MFA at all. It waits for the user to complete the authentication successfully, then takes everything that came out of it.

The technique is called Adversary-in-the-Middle phishing — AiTM.

Microsoft tracked a 146% surge in these attacks over the past year. The numbers matter less than what they represent: a systematic shift away from credential theft toward session hijacking. If your organization runs Microsoft 365 and hasn't looked at this yet, it's worth doing before an incident report forces the conversation.

The Attack Isn't Breaking MFA. It's Working Around It.

Traditional phishing steals a username and password. With MFA enabled, that credential alone doesn't get the attacker in; there's still the second factor to deal with. AiTM takes a different approach entirely.

The attacker sets up a phishing page that acts as a real-time reverse proxy between the victim and Microsoft's actual authentication servers. When a user clicks the phishing link and enters their credentials, those credentials aren't just captured; they're immediately relayed upstream to Microsoft. Microsoft responds with an MFA challenge. That challenge gets passed back to the victim, who approves it on their phone as they normally would. Microsoft then issues the session cookie. Because every byte of the exchange passes through the proxy, the attacker keeps a copy of that cookie on the way through, and the victim is typically redirected to the real site, signed in, with nothing visibly wrong.

The attacker just sat in the middle and waited. The user did all the work.

The captured session gives the attacker whatever the victim's session is entitled to: Exchange, SharePoint, OneDrive, Teams, and every application federated to the tenant. No password prompt, no MFA challenge. Whatever the victim just authenticated to, the attacker now has access to as well.

The Scale in 2026

What turned AiTM from a boutique technique into a routine threat was its commoditization as a service. Sekoia.io identified eleven major AiTM phishing kits in active use. Tycoon 2FA gives technically unsophisticated attackers everything they need to run campaigns against M365 targets — infrastructure, convincing phishing pages, token harvesting, subscription model.

The tooling keeps evolving. Open-source frameworks like Evilginx3 demonstrate exactly how the reverse proxy mechanism works from the attacker's side. Understanding that perspective is useful for defenders: it makes clear why detection needs to happen after successful authentication, not before. 

A newer variant, device code phishing, doesn't even need a fake login page. Attackers abuse Microsoft's OAuth 2.0 Device Authorization Grant, the legitimate flow used for TVs and printers, to trick users into authorizing an attacker-controlled client: the lure carries a code the attacker generated and points the user at Microsoft's genuine device-login page, so every URL in the email is real, and what the attacker receives at the end is an access token and refresh token rather than a browser cookie. EvilTokens, a kit released in early 2026, automated this at scale. Huntress tracked more than 340 compromised organizations across five countries in three weeks. Then in April 2026, Kali365 arrived, a more polished PhaaS platform sold on Telegram for as little as $250 a month, offering AI-generated phishing lures, automated campaign templates, and real-time token capture. Security firms including Arctic Wolf and Proofpoint documented hundreds of attacks in April alone across manufacturing, education, government, insurance, financial services, and healthcare in North America and Europe. Every one of those victims was running MFA. On May 21, 2026, the FBI issued a public warning. The barrier to running these attacks is now a Telegram subscription.

April 2026 made it concrete. Between the 14th and 16th, Microsoft Threat Intelligence documented a coordinated "code of conduct" campaign that hit more than 35,000 users across 13,000 organizations in 26 countries. Targets got emails appearing to come from internal HR or compliance teams, warning of a policy violation under investigation. They clicked, they signed in, MFA included, and their session tokens were gone. 92% of targets were in the United States.

What Happens After the Cookie Is Stolen

Token theft doesn't stop at reading emails. First thing an attacker does with a live M365 session: set up persistence.

Inbox rules get created silently — forward everything to an external address, or auto-delete messages containing words like "security," "suspicious," "password reset," or the attacker's own name. The victim keeps working, unaware. Some rules are so narrow they only filter messages from specific senders — the security team, IT helpdesk — so breach notifications never reach the compromised user.

From there the account becomes a launchpad. Emails from a legitimate internal address land differently than external phishing — the display name is real, the domain is real, the email thread history is real. Attackers use that trust to redirect payment instructions mid-conversation, impersonate executives on time-sensitive requests, or target finance teams with fraudulent wire approvals. The 2025 IBM data puts the average cost of a successful BEC attack at $4.67 million. That chain frequently starts with a single AiTM compromise.

In some campaigns the attacker registers a new MFA device under the compromised account within minutes of gaining the session cookie. At that point a forced password reset doesn't end the intrusion: their device is enrolled, their session is live, and they're back in before the victim has finished changing the password. Resetting the password without revoking sessions and reviewing registered authentication methods leaves both doors open.

Why Standard Defenses Fall Short

Default email security measures scan for malicious attachments and known-bad links. AiTM phishing pages don't carry either. The pages are clean, functional, often hosted on legitimate infrastructure — Microsoft's own services, Cloudflare, Google — to avoid link-reputation filtering. The email itself may contain no URL at all, routing through QR codes or redirectors that were clean at scan time.

Conditional Access policies based on IP or named locations help, but only as far as they are enforced strictly: the sign-in Microsoft sees comes from the proxy's address, not the victim's, so a policy that allows only trusted locations blocks the relay, while a policy that merely reports unfamiliar locations does not, and a captured cookie can be replayed from anywhere the policy permits. Push notification MFA fatigue has been addressed by most organizations switching to number matching. AiTM doesn't need to fatigue anyone: it relays the legitimate prompt, number and all, that the user was already going to approve.

What Actually Works

  • FIDO2 hardware keys, passkeys and Windows Hello for Business are phishing-resistant and fully stop the reverse-proxy variant. The credential is scoped to the relying party ID (login.microsoft.com for Entra ID), so the browser refuses to use it on any other domain, and the signed assertion includes the origin the browser actually saw; a proxy can relay the bytes but cannot change what was signed, so Microsoft rejects it. Entra's Conditional Access authentication strengths let you require phishing-resistant MFA for specific users, roles or apps. If you implement one thing, make it phishing-resistant MFA on privileged and high-value accounts first.
  • Conditional Access with compliant device requirements is the most practical near-term control for organizations that can't deploy FIDO2 at scale immediately. Require an Intune-compliant or Entra hybrid joined device for M365, and a cookie replayed from an attacker's unmanaged laptop fails the device check the moment it is used to request tokens. Doesn't prevent the theft, but stops most post-compromise scenarios cold.
  • Session controls in Entra ID shorten the attacker's window after a cookie is captured: a Conditional Access sign-in frequency, disabling persistent browser sessions, and continuous access evaluation for the services that support it. When a compromise is confirmed, revoking the user's refresh tokens (Revoke-MgUserSignInSession, or "Revoke sessions" in the portal) invalidates what the attacker holds. Combined with Conditional Access, this significantly raises the operational cost of these attacks even when initial prevention fails.
  • Detection priority: a sign-in from an unfamiliar device (often with no device ID at all, from a new IP or ASN) followed within minutes by inbox rule creation is the two-step signature of a successful AiTM compromise. Entra ID sign-in logs carry the device and location details; cross-reference them with New-InboxRule and Set-InboxRule operations in the Exchange Online audit log and you catch post-AiTM activity at the persistence phase, before BEC activity begins.
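Why the proxy described earlier cannot relay a passkey login, as an added example that is not the article's code: it models the WebAuthn origin binding behind the FIDO2 bullet above with the Python standard library only. The browser-side RP ID rule and the relying-party checks are the real ones; the authenticator's ECDSA signature is replaced by an HMAC over the same bytes, a labelled stand-in so the flow runs offline, and the phishing domain is hypothetical.

```python
"""Why a reverse-proxy phishing page cannot relay a FIDO2/passkey login.

Added example, not the article's code. The authenticator's ECDSA signature is
modelled as an HMAC over the same bytes (stand-in); the browser and
relying-party checks are the ones WebAuthn specifies.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.microsoft.com"                   # RP ID Entra ID uses for passkeys
RP_ORIGINS = {"https://login.microsoft.com"}    # origins the RP accepts in clientDataJSON
PHISH_ORIGIN = "https://login.microsoft-secure.example"  # hypothetical proxy domain


def rp_id_allowed(origin: str, rp_id: str) -> bool:
    """Browser-side rule: the RP ID must be the origin's host or a
    registrable-domain suffix of it (simplified: no public-suffix list)."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":")[0].lower()
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """Toy security key: one secret per credential, each scoped to one RP ID."""

    def __init__(self):
        self.creds = {}

    def register(self, rp_id: str) -> bytes:
        cred_id = secrets.token_bytes(16)
        self.creds[cred_id] = (rp_id, secrets.token_bytes(32))
        return cred_id

    def get_assertion(self, cred_id: bytes, rp_id: str, client_data_hash: bytes):
        stored_rp_id, key = self.creds[cred_id]
        if stored_rp_id != rp_id:
            raise ValueError("credential is not scoped to this RP ID")
        # authenticatorData = rpIdHash (32) | flags UP+UV (1) | signCount (4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + client_data_hash, "sha256").digest()  # stand-in for ECDSA
        return auth_data, sig


def browser_get(origin, rp_id, challenge, authenticator, cred_id):
    """navigator.credentials.get(): refuse a mismatched RP ID, then embed the
    origin the browser really sees into clientDataJSON before it is signed."""
    if not rp_id_allowed(origin, rp_id):
        raise ValueError(f"RP ID {rp_id} is not valid for origin {origin}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    auth_data, sig = authenticator.get_assertion(cred_id, rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(client_data, auth_data, sig, expected_challenge, cred_key):
    """Relying-party checks, in the order WebAuthn lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False, "challenge"
    if cd.get("origin") not in RP_ORIGINS:
        return False, "origin"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature"
    return True, "ok"


def run_scenarios():
    auth = Authenticator()
    cred_id = auth.register(RP_ID)
    cred_key = auth.creds[cred_id][1]      # stand-in for the public key stored at registration
    challenge = secrets.token_urlsafe(32)  # issued by the real RP; a proxy relays it unchanged
    results = {}

    # 1. Genuine sign-in at the real origin.
    results["legit"] = rp_verify(
        *browser_get("https://login.microsoft.com", RP_ID, challenge, auth, cred_id), challenge, cred_key)

    # 2. AiTM: the proxy serves the real RP ID and challenge from its own domain.
    #    The browser refuses before the key is ever touched.
    try:
        browser_get(PHISH_ORIGIN, RP_ID, challenge, auth, cred_id)
        results["proxy_browser"] = "assertion produced"
    except ValueError as exc:
        results["proxy_browser"] = str(exc)

    # 3. Even if the browser check were bypassed, clientDataJSON still names the
    #    phishing origin, so the RP rejects the relayed assertion.
    forged = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": PHISH_ORIGIN}).encode()
    auth_data, sig = auth.get_assertion(cred_id, RP_ID, hashlib.sha256(forged).digest())
    results["proxy_rp"] = rp_verify(forged, auth_data, sig, challenge, cred_key)

    # 4. A phishing page asking for its own domain as RP ID gets no assertion at all.
    try:
        auth.get_assertion(cred_id, "login.microsoft-secure.example", b"\x00" * 32)
        results["wrong_rp"] = "assertion produced"
    except ValueError as exc:
        results["wrong_rp"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The three failure points are independent: scenario 2 is what actually happens in a browser, scenarios 3 and 4 show that the relying party and the key each reject the relay on their own, which is why there is no proxy configuration that gets past all of them.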

User training has a narrow but real role: teach users to check the address bar before signing in, and to pause before approving any MFA request they didn't personally initiate, especially under urgency. That habit catches commodity campaigns with sloppy domains. Against a well-built AiTM page, where the prompt is one the user expected and the lure looks like internal HR, technical controls are what matter.
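The persistence pattern from the "What Happens After the Cookie Is Stolen" section and the detection priority in the list above, run over sample logs as an added example (not the article's code). The records are constructed in a cut-down shape of Entra ID sign-in entries and Exchange Online unified audit entries for New-InboxRule; the users, domains, device IDs and addresses are invented. It scores each inbox-rule event for the forwarding, deletion and keyword-filter tricks the article describes, then raises the severity when the same user signed in from an unfamiliar device (including no device ID at all) within the lookback window.

```python
"""Post-AiTM detection: suspicious inbox rules correlated with sign-ins from
unfamiliar devices. Added example, not the article's code; all records below
are constructed, not real tenant data."""
from datetime import datetime, timedelta

# Constructed sample data (cut-down Entra sign-in shape). An empty deviceId is
# what an unregistered browser session, such as one started through a proxy, shows.
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-04-15T08:05:10Z",
     "ipAddress": "203.0.113.10", "deviceDetail": {"deviceId": "dev-alice-laptop"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-04-15T09:12:44Z",
     "ipAddress": "198.51.100.77", "deviceDetail": {"deviceId": ""}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2026-04-15T09:30:00Z",
     "ipAddress": "203.0.113.11", "deviceDetail": {"deviceId": "dev-bob-desktop"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2026-04-15T10:01:00Z",
     "ipAddress": "203.0.113.12", "deviceDetail": {"deviceId": "dev-carol-laptop"}, "status": {"errorCode": 0}},
]
# Constructed sample data (cut-down Exchange admin audit shape, Parameters as Name/Value pairs).
AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example", "CreationTime": "2026-04-15T09:15:02Z",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "security;suspicious;password reset"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "ForwardTo", "Value": "collector@attacker.example"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.example", "CreationTime": "2026-04-15T09:35:00Z",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@contoso.example", "CreationTime": "2026-04-15T10:20:00Z",
     "Parameters": [{"Name": "Name", "Value": "Copy to personal"},
                    {"Name": "ForwardTo", "Value": "carol.home@mail.example"}]},
]
KNOWN_DEVICES = {"alice@contoso.example": {"dev-alice-laptop"}, "bob@contoso.example": {"dev-bob-desktop"},
                 "carol@contoso.example": {"dev-carol-laptop"}}  # baseline from prior sign-ins (assumed)
INTERNAL_DOMAINS = {"contoso.example"}
KEYWORDS = ("security", "suspicious", "password", "phish", "hacked", "compromise", "helpdesk")
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FILTER_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords", "From"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history", "junk email"}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rule_findings(event: dict) -> list:
    """Reasons an inbox-rule audit record looks like attacker persistence (empty if none)."""
    params = {p["Name"]: str(p["Value"]) for p in event["Parameters"]}
    findings = []
    for name in sorted(FORWARD_PARAMS & params.keys()):          # external forwarding / redirect
        if params[name].rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            findings.append(f"{name}={params[name]} (external)")
    if params.get("DeleteMessage", "").lower() == "true":        # silent deletion
        findings.append("DeleteMessage=True")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:  # parking mail where nobody looks
        findings.append(f"MoveToFolder={params['MoveToFolder']}")
    for name in sorted(FILTER_PARAMS & params.keys()):           # filters aimed at security/IT traffic
        hits = [k for k in KEYWORDS if k in params[name].lower()]
        if hits:
            findings.append(f"{name} filters on {','.join(hits)}")
    if len(params.get("Name", "")) <= 2:                          # ".", ",", "a": classic attacker naming
        findings.append("near-empty rule name")
    return findings


def unfamiliar_sign_ins(user: str, before: datetime, sign_ins: list, window: timedelta) -> list:
    """Successful sign-ins for `user` in (before - window, before] from a device not in the baseline."""
    known = KNOWN_DEVICES.get(user, set())
    hits = []
    for s in sign_ins:
        if s["userPrincipalName"] != user or s["status"]["errorCode"] != 0:
            continue
        at = _ts(s["createdDateTime"])
        if before - window <= at <= before and s["deviceDetail"]["deviceId"] not in known:
            hits.append(s)
    return hits


def correlate(sign_ins=SIGN_INS, audit=AUDIT, window=timedelta(hours=1)) -> list:
    """Suspicious rule alone -> medium; preceded by an unfamiliar-device sign-in -> high."""
    alerts = []
    for ev in audit:
        if ev["Operation"] not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        findings = rule_findings(ev)
        if not findings:
            continue
        prior = unfamiliar_sign_ins(ev["UserId"], _ts(ev["CreationTime"]), sign_ins, window)
        alerts.append({"user": ev["UserId"], "rule_created": ev["CreationTime"],
                       "severity": "high" if prior else "medium", "findings": findings,
                       "unfamiliar_sign_in_ips": [s["ipAddress"] for s in prior]})
    return alerts


if __name__ == "__main__":
    for alert in correlate():
        print(alert["severity"].upper(), alert["user"], alert["rule_created"], "; ".join(alert["findings"]))
```

In a real tenant the same logic maps onto a KQL join between SigninLogs and OfficeActivity (or the Defender CloudAppEvents table); the point of the correlation is that a forwarding rule by itself is a ticket, while a forwarding rule minutes after a sign-in with no device ID is an incident.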

The Bigger Picture

CrowdStrike's 2026 Global Threat Report found 82% of detections were malware-free. Attackers aren't installing backdoors — they're logging in. AiTM is how they do it through MFA.

MFA is still worth having. It blocks most automated attacks and credential stuffing at scale. What it doesn't block is a reverse proxy that intercepts a session cookie after the user already authenticated. That gap doesn't close until FIDO2 or device compliance policies are in the picture.
