
Adversary-in-the-Middle (AiTM) Phishing: How Modern Phishing Kits Bypass MFA and Enable Business Email Compromise

May 13, 2026 4 min read

For years, organizations have strengthened their security models around protecting credentials.

Stronger passwords, multi-factor authentication (MFA), Single Sign-On (SSO) and Zero Trust architectures became standard defenses against phishing and account takeover.

But attackers adapted. Today, some of the most dangerous phishing campaigns no longer focus on stealing passwords.

They focus on stealing something far more valuable: authenticated sessions.

This is the rise of Adversary-in-the-Middle (AiTM) phishing, a model that allows attackers to bypass MFA, hijack legitimate sessions and operate inside trusted environments without triggering immediate alerts.

For financial institutions, fintechs and enterprises operating in Microsoft 365 environments, this has become one of the most critical identity risks in modern fraud prevention.

What Is AiTM Phishing?

AiTM phishing is a technique in which the attacker places a malicious reverse proxy between the victim and the legitimate service, such as Microsoft 365, Google Workspace, Okta or a banking portal. The victim sees what looks like the real login page, but every request and response passes through the attacker's server.

Instead of simply stealing usernames and passwords, the attacker captures:

  • valid credentials
  • MFA approvals
  • session cookies
  • OAuth tokens
  • persistent authentication tokens

This creates one of the most dangerous outcomes in cybersecurity:

  • MFA is successfully completed, but the attacker still gains access.
  • The criminal does not break MFA.
  • The victim completes it voluntarily.
  • What gets stolen is the authenticated session that follows.

Microsoft has identified AiTM as one of the most critical phishing models currently targeting enterprises.

Why AiTM Is Growing So Fast

As organizations strengthened passwords, MFA and SSO, attackers shifted their focus.

They stopped attacking credentials. They started attacking sessions.

At the same time, the rise of Phishing-as-a-Service (PhaaS) made sophisticated phishing infrastructure available to almost anyone. Today, attackers can rent complete AiTM phishing kits without advanced technical knowledge.

This has industrialized fraud and dramatically increased the scale of enterprise phishing campaigns.

The Most Dangerous AiTM Phishing Kits

Tycoon 2FA

One of the most advanced AiTM kits currently active.

It was specifically designed for:

  • MFA bypass
  • session cookie theft
  • Microsoft 365 compromise
  • Business Email Compromise (BEC)

Microsoft reported that Tycoon 2FA was responsible for campaigns reaching more than 500,000 organizations per month globally, generating tens of millions of phishing messages.

Its scale became so significant that Microsoft, Europol and private sector partners coordinated infrastructure takedown efforts in 2026.

EvilProxy

One of the most widely used enterprise phishing kits.

Its main strengths include:

  • reverse proxy phishing
  • legitimate portal cloning
  • session cookie theft
  • highly targeted BEC campaigns

It is frequently linked to corporate email compromise and treasury fraud.

Sneaky 2FA

A rapidly growing kit that gained strong traction in 2025.

It specializes in:

  • Microsoft 365 targeting
  • MFA bypass
  • Telegram-based PhaaS operations
  • automated credential prefill using Microsoft features

Barracuda identified it as part of the accelerated growth of phishing-as-a-service operations.

What Organizations Must Do Next

  • phishing-resistant MFA (FIDO2 / passkeys)
  • browser integrity validation
  • session monitoring
  • token revocation playbooks
  • suspicious inbox rule detection
  • behavioral analytics
  • device trust analysis
  • contextual risk evaluation
  • real-time transaction monitoring
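Two of the controls above, session monitoring and suspicious inbox rule detection, as a constructed Python example added here (it is not code from the original article). The event and rule schemas, the time window, the folder names and the keyword list are assumptions; in practice these signals come from the identity provider's sign-in logs and the mailbox audit log.

```python
from dataclasses import dataclass
@dataclass
class SignIn:            # one sign-in / token-use event (assumed schema, not a real log format)
    session_id: str
    ts: int              # seconds since epoch
    asn: str             # network the request came from
    user_agent: str
    mfa_satisfied: bool  # True on the event that completed MFA

def find_session_handoffs(events, window_s=3600):
    """Session ids whose token is later used from a different network AND client than
    the one that completed MFA: the victim passed MFA, the cookie is replayed elsewhere."""
    origin, hits = {}, []   # session_id -> MFA-completing event
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.mfa_satisfied and ev.session_id not in origin:
            origin[ev.session_id] = ev
            continue
        first = origin.get(ev.session_id)
        if first is None or ev.ts - first.ts > window_s:
            continue
        if first.asn != ev.asn and first.user_agent != ev.user_agent and ev.session_id not in hits:
            hits.append(ev.session_id)
    return hits

FINANCE_TERMS = ("invoice", "payment", "wire", "bank", "remittance")
HIDING_FOLDERS = ("deleted items", "rss feeds", "rss subscriptions", "archive")

def suspicious_inbox_rules(rules):
    """'owner:name' for rules that delete or bury mail matching finance terms,
    the pattern BEC actors use so the mailbox owner never sees the replies."""
    flagged = []
    for r in rules:
        terms = [t.lower() for t in r.get("contains", [])]
        finance = any(f in t for t in terms for f in FINANCE_TERMS)
        hides = r.get("delete", False) or r.get("move_to", "").lower() in HIDING_FOLDERS
        if finance and hides:
            flagged.append(f"{r['owner']}:{r['name']}")
    return flagged
# Constructed samples: session s1 is replayed from another network and browser
# minutes after MFA; s2 stays on one device. Rule "." hides invoices in RSS Feeds.
SAMPLE_SIGNINS = [
    SignIn("s1", 1000, "AS64496", "Edge/120", True),
    SignIn("s1", 1300, "AS64510", "Chrome/119", False),
    SignIn("s2", 2000, "AS64496", "Edge/120", True),
    SignIn("s2", 2400, "AS64496", "Edge/120", False),
]
SAMPLE_RULES = [
    {"owner": "alice", "name": ".", "contains": ["invoice"], "move_to": "RSS Feeds"},
    {"owner": "bob", "name": "News", "contains": ["digest"], "move_to": "Newsletters"},
]
```

Both checks are heuristics: a single ASN or user-agent change can be legitimate (VPN, mobile handoff), so treat a hit as a trigger for the token revocation playbook and a user confirmation, not as proof of compromise.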

The objective is no longer simply verifying who logged in.

It is continuously validating whether the session still belongs to the legitimate user.

AiTM is not a minor evolution of phishing. It represents a structural shift in how modern corporate fraud operates.
