
Most people assume that once multi-factor authentication (MFA) is enabled, their accounts are protected. In many cases, MFA does stop traditional credential theft. But modern phishing attacks have evolved far beyond simply stealing passwords. Today’s attackers are increasingly focused on something more valuable: active authenticated sessions.
Adversary-in-the-Middle (AiTM) attacks allow cybercriminals to intercept and hijack a user’s session in real time, often without triggering alerts or failed login warnings. Instead of defeating MFA directly, attackers exploit the trusted session that exists after authentication has already succeeded.
MFA remains a critical layer of protection and should absolutely be part of every organization’s security strategy. However, businesses also need to understand where MFA’s protection ends and where additional identity security controls become necessary.
Modern Phishing Is Targeting Sessions, Not Just Passwords
Phishing is still one of the most common entry points for cyberattacks, but the tactics behind it have changed significantly. Adversary-in-the-Middle attacks have become increasingly common in Microsoft 365 and cloud identity phishing campaigns.
Traditional phishing campaigns focused on harvesting usernames and passwords for later use. Modern phishing operations are designed to steal authenticated sessions immediately after login.
Security researchers continue to report a major increase in session-token theft attacks, where criminals intercept the authentication process as it happens in real time. Instead of attempting to bypass MFA directly, attackers simply wait for the user to complete the login process successfully, then steal the session token that proves authentication already occurred.
This technique has become far more accessible due to the growth of Phishing-as-a-Service (PhaaS) platforms. Tools like Evilginx and other reverse-proxy phishing kits now allow even low-skilled attackers to launch convincing AiTM campaigns targeting cloud platforms like Microsoft 365 and Google Workspace.
How Adversary-in-the-Middle Attacks Work
The phishing page looks completely legitimate
An AiTM phishing page is very different from the poorly designed fake login pages many users are trained to recognize. Instead of copying a login screen, attackers use a live reverse proxy that sits between the user and the legitimate authentication service.
Every keystroke, redirect, MFA prompt, and server response passes through the attacker’s infrastructure in real time. From the victim’s perspective, everything appears normal:
- Branding looks legitimate
- Redirects function properly
- MFA prompts work as expected
- Login completes successfully
In many cases, the only visible difference is a slightly altered URL, something users often overlook when checking email quickly on a mobile device or while multitasking.
Why MFA alone cannot stop AiTM attacks
This is where many organizations misunderstand how MFA protection actually works. MFA protects the authentication event itself, but it does not protect the trusted session that follows authentication.
Once a user successfully signs in and completes MFA, the application issues a session cookie that tells the service the user has already been verified. At that point:
- No password is required
- No MFA challenge is required
- The application simply trusts the session token
AiTM attacks are specifically designed to intercept and steal that session cookie after authentication succeeds. Microsoft reported a 146% increase in AiTM attacks over the past year as attackers continue shifting toward session theft techniques that target MFA-protected accounts.
How Adversary-in-the-Middle attacks hijack sessions
Session cookies function as bearer credentials. Whoever possesses the token effectively inherits the authenticated session. Once attackers steal the session cookie, they import it into their own browser and immediately resume the victim’s active session. This is commonly referred to as session replay.
The attacker never technically logs in themselves. Instead, they continue operating inside an already authenticated and trusted session, often without generating suspicious login activity or MFA alerts.
What Attackers Typically Do After Stealing a Session
One of the most dangerous aspects of AiTM attacks is how quietly they operate after compromise. Because attackers are working inside a legitimate authenticated session, traditional security monitoring may not detect anything unusual right away. There may be:
- No failed login attempts
- No suspicious MFA prompts
- No obvious authentication alerts
According to research from Proofpoint, attackers commonly use stolen sessions to:
- Create hidden inbox forwarding rules
- Register new MFA methods for persistence
- Monitor financial or executive email conversations
- Launch internal phishing attacks from trusted accounts
- Expand access deeper into the organization
Many organizations only discover the compromise after fraudulent payments, sensitive data exposure, or broader network compromise has already occurred.
How Businesses Can Reduce AiTM Risk
MFA should still be considered mandatory. But defending against modern session-based phishing attacks requires additional controls that go beyond the login screen.
Deploy phishing-resistant MFA
Phishing-resistant authentication methods like FIDO2 security keys and passkeys bind authentication directly to both the user’s device and the legitimate domain. Because of this, reverse proxies used in AiTM attacks cannot successfully relay authentication requests from fake websites.
The Canadian Centre for Cyber Security analyzed more than 100 AiTM campaigns targeting Microsoft Entra ID accounts and found that phishing-resistant MFA methods consistently blocked session theft attempts that bypassed traditional push notifications and one-time passcodes. Microsoft also recommends using phishing-resistant MFA methods like FIDO2 security keys and passkeys to help reduce session hijacking risks.
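To make the domain binding concrete, here is an added example (not code from the article or from Twintel) of the relying-party checks a WebAuthn server performs on a sign-in assertion; the RP ID `login.example.com`, the allowed origin and the sample clientDataJSON/authenticatorData are all constructed for illustration. A browser will not present a passkey to a page whose domain does not match the credential's RP ID, and if an assertion somehow arrived through a look-alike domain, the origin and rpIdHash checks below reject it before any signature is verified.

```python
import hashlib
import json
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Relying-party settings, constructed for this example (not from the article).
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

def _b64url_decode(data: str) -> bytes:
    """Decode base64url with padding stripped, as WebAuthn encodes it."""
    return urlsafe_b64decode(data + "=" * (-len(data) % 4))

def make_client_data(origin: str, challenge: str) -> str:
    """Constructed clientDataJSON; in practice the browser fills in 'origin' itself."""
    payload = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    return urlsafe_b64encode(payload.encode()).decode().rstrip("=")

def make_auth_data(rp_id: str, flags: int = 0x05) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")

def verify_assertion_binding(client_data_b64: str, auth_data: bytes, expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks that reject a relayed assertion before the signature check.

    A proxy on a look-alike domain fails the origin check (the browser records the
    real page origin) and the rpIdHash check (the credential is scoped to the RP ID).
    Signature verification over authData || SHA-256(clientDataJSON) is omitted here.
    """
    client_data = json.loads(_b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not the relying party"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not auth_data[32] & 0x01:  # UP flag: authenticator confirmed user presence
        return False, "user presence flag not set"
    return True, "assertion is bound to the legitimate origin and RP ID"

if __name__ == "__main__":
    challenge = "constructed-challenge-123"
    for origin in ("https://login.example.com", "https://login-example.com"):
        cd = make_client_data(origin, challenge)
        print(origin, verify_assertion_binding(cd, make_auth_data(RP_ID), challenge))
```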
Strengthen conditional access and identity monitoring
Organizations should monitor for suspicious activity that occurs after login rather than relying solely on authentication alerts. Examples include:
- New MFA registrations
- Unusual mailbox rule creation
- Logins from unfamiliar regions
- Abnormal file access behavior
- Suspicious data downloads
AiTM attacks frequently evade traditional login monitoring because the authentication itself appears legitimate.
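As an added example (not from the article), the following Python flags three of the post-login signals listed above over a constructed, simplified audit log: inbox rules carrying forwarding, redirect or delete parameters, a new MFA method registered shortly after sign-in, and a session used from a different country than the one it signed in from. The event field names and the pre-resolved `country` value are assumptions made for illustration, not any product's actual log schema.

```python
import json
from datetime import datetime, timedelta

# Constructed audit events in a simplified Microsoft 365-style shape. Field names are
# illustrative only; "country" is assumed to be pre-resolved from the client IP.
SAMPLE_LOG = """
{"time":"2024-05-02T08:00:00Z","user":"cfo@example.com","op":"UserLoggedIn","session":"s1","country":"US"}
{"time":"2024-05-02T08:03:00Z","user":"cfo@example.com","op":"New-InboxRule","session":"s1","country":"NG","params":{"ForwardTo":"ext@mail.example","DeleteMessage":true}}
{"time":"2024-05-02T08:05:00Z","user":"cfo@example.com","op":"User registered security info","session":"s1","country":"NG"}
{"time":"2024-05-02T09:00:00Z","user":"dev@example.com","op":"UserLoggedIn","session":"s2","country":"US"}
{"time":"2024-05-02T09:10:00Z","user":"dev@example.com","op":"New-InboxRule","session":"s2","country":"US","params":{"MoveToFolder":"Newsletters"}}
"""

# Inbox-rule parameters that move mail out of the victim's sight or off-tenant.
RULE_EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
MFA_WINDOW = timedelta(minutes=30)  # registration this soon after sign-in is worth review

def parse_events(text):
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def detect_post_auth_abuse(events):
    """Return (user, reason) findings for activity inside an already-authenticated session."""
    findings = []
    login_info = {}          # (user, session) -> (sign-in time, sign-in country)
    country_flagged = set()  # sessions already reported for a country change
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        key = (ev["user"], ev["session"])
        if ev["op"] == "UserLoggedIn":
            login_info[key] = (ts, ev["country"])
            continue
        login_ts, login_country = login_info.get(key, (None, None))
        # Same session token, different country than its sign-in: the bearer
        # cookie may now be in someone else's browser (session replay).
        if login_country and ev["country"] != login_country and key not in country_flagged:
            country_flagged.add(key)
            findings.append((ev["user"], "session used from a different country than its sign-in"))
        if ev["op"] in ("New-InboxRule", "Set-InboxRule"):
            risky = sorted(set(ev.get("params", {})) & RULE_EXFIL_PARAMS)
            if risky:
                findings.append((ev["user"], f"inbox rule with {risky}"))
        if ev["op"] == "User registered security info" and login_ts and ts - login_ts <= MFA_WINDOW:
            findings.append((ev["user"], "new MFA method registered shortly after sign-in"))
    return findings

if __name__ == "__main__":
    for user, reason in detect_post_auth_abuse(parse_events(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```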
Train employees to recognize suspicious URLs
User awareness still plays an important role. Employees should understand that a functioning MFA prompt does not automatically mean a website is legitimate. Training users to carefully inspect URLs, especially during Microsoft 365 sign-ins or urgent requests, can significantly reduce the likelihood of session compromise.
Security Has to Extend Beyond the Login Page
MFA is no longer the finish line for identity protection. Modern phishing attacks are increasingly targeting the trust established after authentication succeeds. Businesses that effectively reduce AiTM risk focus on protecting the full identity lifecycle, including sessions, tokens, device trust, conditional access, and post-authentication monitoring.
If your organization has not reviewed its identity security controls recently, now is a good time to evaluate whether your current protections are built to handle modern session-based phishing attacks before an incident exposes the gaps. Contact Twintel today to learn more.
Twintel has grown into an expansive, full team of IT services professionals, acting as the outsourced IT department of non-profits, small to mid-size businesses, and enterprise-level corporations in Orange County, across California, and nationally.
Today, it’s the strength and deep expertise of the Twintel team that drives positive outcomes for clients. Each of the support staff, technicians, and engineers works diligently each day to make sure that the companies served have the seamless, secure, and stable IT environments needed to allow them to pursue their organizational objectives.