You click a link, sign in, approve the MFA prompt, and get back to your day, completely unaware that someone else just logged into your account at the same moment.

That’s not a hypothetical. It’s how Adversary-in-the-Middle (AiTM) phishing attacks work — and it’s why businesses that rely on standard MFA as their primary identity protection are carrying more risk than they realize.

MFA Doesn’t Protect What Happens After You Log In

Multi-factor authentication protects the login event. Once you successfully complete MFA, the service issues a session cookie — a token that tells the application you’ve already been verified. From that point forward, no password or MFA prompt is required. The system trusts whoever holds that cookie.

AiTM attacks target exactly that window.

An AiTM phishing site isn’t a static replica of a login page. It’s a live reverse proxy. The attacker’s infrastructure sits between you and the real authentication service, and every keystroke, redirect, and server response passes through it in real time. From your perspective, nothing looks wrong — the page has correct branding, working redirects, and a functioning MFA prompt. In most cases the only giveaway is a slightly altered URL that is easy to miss on a mobile screen.

Once you successfully complete MFA, the session cookie is issued. The attacker captures it. They import it into their own browser and immediately resume the session — no login, no MFA challenge. They’re inside a fully authenticated, fully trusted session.
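The trust model described above can be made concrete. The following is an added example, not code from the original article or from any vendor: a minimal session store that issues a cookie after MFA and, in its baseline form, accepts whoever presents it. The hardened variant additionally requires the presenter to prove a per-client binding value (the `client_binding` parameter is a hypothetical stand-in for a device-bound secret such as a token-protection key). A relayed cookie then fails authorization even though it is otherwise valid.

```python
"""Added example: why a post-MFA session cookie is a bearer credential,
and what binding it to the client changes. Not code from the original page."""
import hmac
import secrets


class SessionStore:
    """Minimal model of session handling after a successful MFA sign-in."""

    def __init__(self):
        self._sessions = {}

    def issue_after_mfa(self, user, client_binding):
        # The cookie is issued only once MFA has succeeded. `client_binding`
        # is an assumption: it stands in for a secret the legitimate client
        # device holds and can prove on each request (e.g. a device-bound key).
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {"user": user, "binding": client_binding}
        return cookie

    def resolve_bearer(self, cookie):
        # Baseline behaviour: whoever holds the cookie is treated as the user.
        # No password, no MFA prompt, no check of who is presenting it.
        session = self._sessions.get(cookie)
        return session["user"] if session else None

    def resolve_bound(self, cookie, client_binding):
        # Hardened behaviour: the cookie alone is not sufficient. The presenter
        # must also prove the binding value recorded when the cookie was issued.
        session = self._sessions.get(cookie)
        if session is None or not hmac.compare_digest(session["binding"], client_binding):
            return None
        return session["user"]


def replay_outcome():
    """Return (bearer_result, bound_result) when a captured cookie is presented
    from a client that does not hold the original binding."""
    store = SessionStore()
    victim_binding = secrets.token_hex(16)  # held only by the victim's device
    cookie = store.issue_after_mfa("dana@example.com", victim_binding)
    # The same cookie is now presented from a different client context,
    # which has its own (unrelated) binding value.
    other_binding = secrets.token_hex(16)
    return store.resolve_bearer(cookie), store.resolve_bound(cookie, other_binding)


def legitimate_outcome():
    """The original client, holding its binding, still resolves normally."""
    store = SessionStore()
    binding = secrets.token_hex(16)
    cookie = store.issue_after_mfa("dana@example.com", binding)
    return store.resolve_bound(cookie, binding)


if __name__ == "__main__":
    bearer, bound = replay_outcome()
    print("bearer-only check resolves replayed cookie to:", bearer)   # the victim
    print("bound check resolves replayed cookie to:", bound)          # None
    print("bound check for the legitimate client:", legitimate_outcome())
```

The point of the example is the asymmetry: `resolve_bearer` cannot tell the victim's browser from any other holder of the cookie, which is exactly the window the article describes, while `resolve_bound` turns the same stolen cookie into a rejected request.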

Microsoft tracked a 146% rise in AiTM attacks over the past year, driven largely by Phishing-as-a-Service platforms that let even low-skill attackers run these campaigns at scale.

What Attackers Do Once They’re In

What makes AiTM compromise particularly dangerous is what comes after the session is stolen — and how quiet it tends to be.

The attacker is operating inside a legitimate authenticated session. There are no failed MFA attempts. No unusual login alerts. Nothing in standard

mail forwarding rules, suspicious access patterns, or changes to account settings shortly after authentication — provide the monitoring layer that catches AiTM activity before it leads to financial fraud.

**User awareness on URL verification.** Employees who understand that a working MFA prompt on an unfamiliar-looking URL is still a red flag are better positioned to pause before approving a prompt. A brief walkthrough of what AiTM lures look like in Microsoft 365 contexts — shared document notifications, payroll emails, meeting invitations — meaningfully reduces exposure.
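The monitoring signals named above (mail forwarding rules, suspicious access patterns, and account-setting changes shortly after authentication) can be turned into simple triage logic. The following is an added example, not code from the original article or from Microsoft: it runs two rules over a constructed, vendor-neutral set of sign-in and audit events. The event schema (`op`, `session`, `forward_to`, `field`) is an assumption; real logs would be normalised into these fields first.

```python
"""Added example: triaging audit events for post-MFA session abuse.

The event schema is constructed and vendor-neutral (assumption: real sign-in
and audit logs are normalised into these fields first). Not code from the
original page.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log. "dana" completes MFA from one address; minutes later
# the same session acts from another address, adds an external forwarding
# rule and changes account settings. "lee" is ordinary activity.
SAMPLE_LOG = """\
{"ts": "2024-05-06T09:00:00Z", "op": "SignIn", "user": "dana@example.com", "ip": "203.0.113.10", "session": "S1", "mfa": true}
{"ts": "2024-05-06T09:02:30Z", "op": "SessionActivity", "user": "dana@example.com", "ip": "198.51.100.77", "session": "S1"}
{"ts": "2024-05-06T09:05:10Z", "op": "New-InboxRule", "user": "dana@example.com", "ip": "198.51.100.77", "session": "S1", "forward_to": "collector@attacker.example"}
{"ts": "2024-05-06T09:07:45Z", "op": "UpdateUserSettings", "user": "dana@example.com", "ip": "198.51.100.77", "session": "S1", "field": "mfa_methods"}
{"ts": "2024-05-06T10:00:00Z", "op": "SignIn", "user": "lee@example.com", "ip": "192.0.2.20", "session": "S2", "mfa": true}
{"ts": "2024-05-06T10:30:00Z", "op": "SessionActivity", "user": "lee@example.com", "ip": "192.0.2.20", "session": "S2"}
"""

# Operations a stolen session tends to be used for shortly after takeover.
SENSITIVE_OPS = {"New-InboxRule", "UpdateUserSettings"}


def parse_events(text):
    """Parse newline-delimited JSON into dicts with a datetime 'ts', time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=30)):
    """Return a list of (rule, user, detail) findings.

    session-source-change: the session created by an MFA sign-in at one IP is
        later presented from a different IP (reported once per session/IP pair).
    post-auth-sensitive-change: an inbox rule or account-settings change lands
        within `window` of the MFA sign-in; external forwarding targets are
        called out explicitly.
    """
    # Baseline per session: where and when the cookie was issued.
    origin = {e["session"]: e for e in events if e["op"] == "SignIn" and e.get("mfa")}
    findings = []
    seen_sources = set()
    for e in events:
        o = origin.get(e.get("session"))
        if o is None or e["op"] == "SignIn":
            continue
        if e["ip"] != o["ip"] and (e["session"], e["ip"]) not in seen_sources:
            seen_sources.add((e["session"], e["ip"]))
            findings.append(("session-source-change", e["user"],
                             f"{e['session']}: MFA from {o['ip']}, later used from {e['ip']}"))
        if e["op"] in SENSITIVE_OPS and e["ts"] - o["ts"] <= window:
            minutes = int((e["ts"] - o["ts"]).total_seconds() // 60)
            detail = f"{e['op']} {minutes} min after MFA sign-in"
            target = e.get("forward_to")
            # Forwarding to a domain other than the user's own is the classic
            # quiet persistence step the article warns about.
            if target and target.split("@")[-1] != e["user"].split("@")[-1]:
                detail += f", forwarding to external address {target}"
            findings.append(("post-auth-sensitive-change", e["user"], detail))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"[{rule}] {user}: {detail}")
```

Run against the constructed log, the rules fire three times for `dana` (one source change, one external forwarding rule, one settings change) and never for `lee`, whose session stays on the IP that completed MFA. In a real deployment the same two rules would be fed from normalised sign-in and audit logs and tuned with an allow-list of known egress addresses.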

The Bottom Line

MFA is a baseline, not a finish line. AiTM attacks don’t break MFA — they wait for it to succeed, then take over.

The businesses that reduce this risk are the ones that understand how sessions, tokens, and identity trust actually work, and build controls around each layer — not just the login screen.

If you want to review your identity security controls, we can walk through where your environment stands. That’s worth a conversation now, before an incident forces one.