You click a link, sign in, approve the MFA prompt, and get on with your day, unaware that someone else logged into your account at the same moment. That scenario surprises many businesses, especially those that rely on multi-factor authentication (MFA) to protect cloud accounts, but it is exactly how Adversary-in-the-Middle (AiTM) phishing attacks work. Instead of stealing a password for later use, the attacker silently takes over an already authenticated session in real time.
MFA remains a core security control, and setting it up correctly is still a critical first step for any business. But AiTM attacks take advantage of something MFA was never designed to protect: the trusted session that exists after authentication is complete.
How AiTM Attacks Actually Work
An AiTM phishing site is not a simple copy of a login page. It is a reverse proxy that sits between you and the real login service. When you enter your information, it goes through the attacker first, then on to the real website. Every keystroke, redirect, and server response passes through the attacker in real time, so from the user's point of view nothing looks unusual.
The page works just like the real service, with correct branding, normal redirects, and a working MFA prompt, because the real service is actually producing those responses. In most cases the only visible sign is a slightly altered URL, which often goes unnoticed, especially on a mobile device or when someone is in a hurry.
Session Cookies
After you log in, the website gives your browser a small piece of data that keeps you signed in. This is often called a session cookie or session token. Think of it as a temporary pass that proves you have already logged in. Whoever holds that pass can use the account without needing the password or MFA again, until the session expires or is revoked.
If an attacker captures this session cookie, they can load it into their own browser and instantly take over the session. They never log in themselves and never see an MFA prompt; they simply continue where the real user left off, inside a fully trusted, already signed-in session.
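The relay-and-replay sequence described above, as an added example that is not part of the original article. It is a self-contained Python simulation, not a real proxy: `RealService` stands in for the legitimate login service, `AitmProxy` for the phishing site that forwards the victim's password and one-time code and keeps a copy of the `Set-Cookie` that comes back, and `run_attack` shows the attacker using only that cookie. The account, password and one-time code are constructed for the demo.

```python
import secrets

# Constructed demo account for the simulation; not a real credential.
USERS = {"alice@example.com": {"password": "correct-horse", "totp": "123456"}}


class RealService:
    """Stand-in for the legitimate identity provider / web application."""

    def __init__(self):
        self.sessions = {}    # session token -> username
        self.used_totp = set()  # each one-time code is accepted only once

    def login(self, username, password, totp):
        user = USERS.get(username)
        if user is None or user["password"] != password or user["totp"] != totp:
            return {"status": 401, "set_cookie": None}
        if (username, totp) in self.used_totp:  # replaying the OTP later fails
            return {"status": 401, "set_cookie": None}
        self.used_totp.add((username, totp))
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        # The browser stores this cookie and sends it with every later request.
        return {"status": 302, "set_cookie": f"session={token}"}

    def inbox(self, cookie):
        """Only the cookie is checked here; no password or MFA is asked for again."""
        token = cookie.removeprefix("session=") if cookie else None
        username = self.sessions.get(token)
        if username is None:
            return {"status": 401, "body": None}
        return {"status": 200, "body": f"mailbox of {username}"}


class AitmProxy:
    """The phishing site: relays each request to the real service and keeps a copy
    of everything that passes through, including the Set-Cookie on the way back."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured = []

    def login(self, username, password, totp):
        resp = self.upstream.login(username, password, totp)  # real service answers
        self.captured.append({"username": username, "password": password,
                              "totp": totp, "cookie": resp["set_cookie"]})
        return resp  # relayed unchanged, so the victim sees a normal redirect


def run_attack():
    service = RealService()
    proxy = AitmProxy(service)

    # 1. Victim signs in through the lookalike site; password and OTP are correct.
    victim_login = proxy.login("alice@example.com", "correct-horse", "123456")
    victim_cookie = victim_login["set_cookie"]
    victim_inbox = service.inbox(victim_cookie)  # the victim's own session works

    # 2. The attacker does not log in: they load the captured cookie into their
    #    own browser and the service treats them as the already-authenticated user.
    stolen = proxy.captured[-1]
    attacker_inbox = service.inbox(stolen["cookie"])

    # 3. For comparison, replaying the captured password + OTP later fails because
    #    the one-time code was already consumed. The cookie is what matters.
    otp_replay = service.login(stolen["username"], stolen["password"], stolen["totp"])

    return {
        "victim_status": victim_inbox["status"],
        "attacker_status": attacker_inbox["status"],
        "same_session": victim_cookie == stolen["cookie"],
        "otp_replay_status": otp_replay["status"],
    }


if __name__ == "__main__":
    print(run_attack())
```

Both the victim and the attacker read the mailbox with the same token, and the service cannot tell them apart because it checks nothing but the cookie. Note the contrast in step 3: the captured one-time code is worthless a moment later, which is exactly why AiTM kits go after the session rather than the credentials.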
What Happens After a Session Is Stolen
The impact of an AiTM attack is often quiet, which makes it especially dangerous. The attacker is working inside a legitimate, authenticated session: the real user passed the MFA challenge, so there are no failed MFA attempts, no obvious login alerts, and nothing in the sign-in record itself to raise concern.
Research from Proofpoint shows that attackers who gain access through session hijacking often create hidden inbox rules to redirect email, add new MFA methods to keep long-term access, monitor email conversations for financial activity, and use the trusted account to send phishing emails to coworkers or finance teams.
These follow-on actions are one reason AiTM attacks are often discovered late, sometimes after financial loss, data exposure, or broader network compromise has already started.
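Because the sign-in itself looks clean, the signal has to come from what the session does afterwards. The following is an added example, not from the original article or from Proofpoint, of detection logic run over a handful of constructed, simplified audit events (the JSON field names are illustrative, not the schema of any particular product). It flags a session token presented from more than one client, inbox rules that forward outside the assumed tenant domain `example.com` or delete mail (the delete check is an added heuristic beyond what the text lists), and newly registered MFA methods, then groups the hits per session so the chain is visible at once.

```python
import json
from collections import defaultdict

# Constructed, simplified audit events as JSON lines. Field names are illustrative,
# not the schema of any particular identity provider or mail platform.
SAMPLE_LOG = """\
{"ts":"2024-05-02T09:00:05Z","event":"SignIn","user":"alice@example.com","session":"s-7f3a","ip":"203.0.113.10","ua":"Chrome/124 Windows","mfa":"satisfied"}
{"ts":"2024-05-02T09:00:41Z","event":"SessionActivity","user":"alice@example.com","session":"s-7f3a","ip":"198.51.100.77","ua":"Firefox/125 Linux"}
{"ts":"2024-05-02T09:03:12Z","event":"New-InboxRule","user":"alice@example.com","session":"s-7f3a","ip":"198.51.100.77","ua":"Firefox/125 Linux","rule":{"name":".","subject_contains":"invoice","forward_to":"billing@example.net","delete":true}}
{"ts":"2024-05-02T09:05:00Z","event":"MfaMethodAdded","user":"alice@example.com","session":"s-7f3a","ip":"198.51.100.77","ua":"Firefox/125 Linux","method":"authenticator-app"}
{"ts":"2024-05-02T09:10:00Z","event":"SignIn","user":"bob@example.com","session":"s-11c2","ip":"203.0.113.10","ua":"Chrome/124 Windows","mfa":"satisfied"}
{"ts":"2024-05-02T09:12:00Z","event":"SessionActivity","user":"bob@example.com","session":"s-11c2","ip":"203.0.113.10","ua":"Chrome/124 Windows"}
{"ts":"2024-05-02T09:15:00Z","event":"New-InboxRule","user":"bob@example.com","session":"s-11c2","ip":"203.0.113.10","ua":"Chrome/124 Windows","rule":{"name":"Newsletters","subject_contains":"digest","move_to":"Reading"}}
"""

INTERNAL_DOMAIN = "example.com"  # assumed tenant domain for the constructed data


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    alerts = []

    # 1. Session reuse: one session token observed from more than one client
    #    (ip, user-agent). Both sign-ins above passed MFA and look normal; the
    #    tell is that the token issued to the victim's browser is later presented
    #    from a different machine.
    origins = defaultdict(set)
    owner = {}
    for e in events:
        origins[e["session"]].add((e["ip"], e["ua"]))
        owner.setdefault(e["session"], e["user"])
    for sess, clients in origins.items():
        if len(clients) > 1:
            alerts.append({"kind": "session_reuse", "user": owner[sess],
                           "session": sess, "clients": sorted(clients)})

    # 2. Follow-on actions the Proofpoint findings describe: inbox rules that
    #    redirect mail (here: forward externally, or delete it) and extra MFA
    #    methods registered to keep long-term access.
    for e in events:
        if e["event"] == "New-InboxRule":
            rule = e["rule"]
            fwd = rule.get("forward_to", "")
            external = bool(fwd) and not fwd.endswith("@" + INTERNAL_DOMAIN)
            if external or rule.get("delete"):
                alerts.append({"kind": "suspicious_inbox_rule", "user": e["user"],
                               "session": e["session"], "rule": rule["name"]})
        elif e["event"] == "MfaMethodAdded":
            alerts.append({"kind": "mfa_method_added", "user": e["user"],
                           "session": e["session"], "method": e["method"]})
    return alerts


def alerts_by_session(alerts):
    """Group alert kinds per session so the analyst sees the whole chain at once."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["session"]].append(a["kind"])
    return dict(grouped)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for a in found:
        print(a)
    print(alerts_by_session(found))
```

Run against the sample, only Alice's session `s-7f3a` is flagged, and it is flagged three times: the token moves from a Windows/Chrome client to a Linux/Firefox client seconds after sign-in, an inbox rule forwards invoice mail to an external address and deletes it, and a new MFA method is added from the same foreign client. Bob's session, which stays on one client and only files newsletters, produces nothing. Any one of these signals alone is noisy in a real tenant; correlating them on the session identifier is what turns them into a credible hijack finding.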
Stop Protecting Only the Login Screen
Want to review your identity security controls? Contact us or schedule a consultation to identify the gaps that matter most before an incident does it for you.
How does Wingman IT help protect you?
Our fully managed customers get DNS filtering and firewall products that help stop you from falling prey to these schemes. They block your computer from connecting to known malicious (or brand new) websites before those sites can steal your data. If you're not already signed up for our Fully Managed IT or Security+ programs, ask us how we can better protect your business.
