Adversary-in-the-Middle MFA Bypass Techniques
KeenSafe Research | Threat Research | Identity Operations Series
Overview
The deployment of multi-factor authentication across enterprise environments has materially raised the cost of credential-only compromise. It has not, however, eliminated authenticated foothold as a primary adversary objective. Across the chains KeenSafe Research has analyzed during the current reporting window, MFA was nominally enforced in approximately 89 percent of phishing-initiated initial access events — and was bypassed in approximately 64 percent of those events. The dominant mechanism for bypass is the Adversary-in-the-Middle (AiTM) phishing technique.
This research article documents AiTM phishing tradecraft as it operates in 2026. It analyzes the technique's operational structure, the kit ecosystem that has industrialized its deployment, the detection challenges it produces, and the defensive countermeasures that meaningfully degrade its efficacy.
The intended audience includes identity security architects, detection engineers, SOC analysts, and senior security leaders responsible for MFA strategy. The article assumes familiarity with modern authentication flows (OAuth 2.0, OIDC, SAML), MFA implementations, and session management concepts.
1. Technique Overview
Adversary-in-the-Middle phishing — sometimes referenced as "transparent reverse proxy" phishing — operates by interposing an adversary-controlled proxy between the user and the legitimate authentication endpoint. The proxy forwards every authentication step to the legitimate service in real time, captures the resulting session material, and presents the user with the legitimate post-authentication experience.
The user's experience is indistinguishable from a successful legitimate login. The system's experience is a legitimate authenticated session, attributed to the legitimate user, from an unusual but not categorically anomalous source.
Mapped to MITRE ATT&CK:
- T1566.002 (Phishing: Spearphishing Link) — delivery of the lure
- T1557 (Adversary-in-the-Middle) — interposition of the proxy
- T1539 (Steal Web Session Cookie) — capture of the post-MFA session token
- T1550.004 (Use Alternate Authentication Material: Web Session Cookie) — replay of the captured session
- T1078.004 (Valid Accounts: Cloud Accounts) — subsequent operations under the captured identity
The technique categorically defeats every authentication mechanism that completes within the proxied session. MFA factors that produce a session cookie post-validation — Microsoft Authenticator push, SMS, TOTP, voice — are all captured equivalently.
Figure: Layered/provider components — service or auth-flow architecture.
2. Operational Anatomy
Stage 1 — Lure Delivery (T1566.002)
The lure is delivered through standard phishing channels: email, SMS, collaboration platform message, social media direct message. Modern AiTM lures are produced with generative AI assistance and exhibit:
- Contextually accurate references to the target's role, recent activity, or organizational context
- Linguistic and stylistic fidelity to legitimate business correspondence
- Domain names selected for plausibility against the impersonated service
- Sender authentication that passes superficial inspection
The lure directs the target to a controlled URL that hosts the AiTM proxy.
Stage 2 — Proxy Interposition (T1557)
The proxy presents the target with the legitimate authentication portal — typically Microsoft 365, Google Workspace, Okta, or another major identity provider. The proxy is a transparent reverse proxy: every request the user makes is forwarded to the legitimate service; every response is forwarded back. The user authenticates against what appears to be the legitimate portal.
Modern AiTM kits implement this proxy at high fidelity. JavaScript, CSS, dynamic content, and even subtle UI elements specific to the user's tenant configuration are forwarded transparently. The proxy is operationally indistinguishable from the legitimate service to all but technically sophisticated users inspecting URL bars or certificate details.
Stage 3 — MFA Capture
The user provides their credentials. The proxy forwards them to the legitimate service. The service initiates the MFA challenge. The user completes the MFA challenge (entering the code, approving the push notification, completing the FIDO2 ceremony where supported). The proxy forwards each step.
The legitimate service issues a session token reflecting a successful, MFA-backed authentication. The proxy captures this token before forwarding it to the user's browser.
Stage 4 — Session Replay (T1539, T1550.004)
The captured session token is replayed by the adversary. The adversary now holds an authenticated session as the target, from an arbitrary source, with no further authentication required. The session is valid until expiration or revocation.
Stage 5 — Operational Use (T1078.004, downstream)
The adversary uses the captured session for downstream chain progression. The remainder of the chain operates as documented in the Modern Identity Attack Chains research article — reconnaissance, credential acquisition, lateral movement, terminal action.
Figure: Pipeline of recurring checks: scan → exploit → report → retest.
3. The AiTM Kit Ecosystem
AiTM phishing has industrialized through a kit ecosystem that has matured substantially over the past several years.
Mature Open-Source and Commercial Kits
Several kit families have reached operational maturity:
- Evilginx and derivatives: the foundational open-source AiTM framework. Operates as a reverse proxy supporting templates ("phishlets") for specific target services.
- Modlishka: alternative open-source AiTM framework with different architectural choices.
- Muraena: another open-source AiTM tool with active development.
- EvilProxy: commercial AiTM-as-a-service offering, sold in criminal marketplaces with managed infrastructure.
- Tycoon 2FA: specialized kit targeting Microsoft 365 authentication.
- Sneaky 2FA: kit observed targeting major financial services tenants.
Specialization and Templating
Modern kits operate through templating. Phishlets — configuration files defining the proxy behavior for a specific target service — are developed and shared within the criminal ecosystem. Phishlets exist for Microsoft 365, Google Workspace, Okta, common SaaS platforms (Salesforce, ServiceNow, Workday), and financial services portals.
The templating model means that AiTM capability is deployable against any target service within hours of phishlet availability. The marginal cost of attacking a new target is low.
Managed AiTM Services
Commercial AiTM-as-a-service offerings have matured. Services provide:
- Managed proxy infrastructure with rapid domain rotation
- Phishlet libraries maintained against legitimate service changes
- Captured session credential delivery through marketplaces or direct sale
- Operational support for evasion of common defensive controls
These services lower the technical threshold for AiTM operations substantially. Operators with limited technical sophistication can execute AiTM campaigns through service procurement.
4. Detection Challenges
The Detection Asymmetry
AiTM phishing benefits from a structural asymmetry against detection:
- From the user's perspective: authentication succeeds normally
- From the legitimate service's perspective: authentication succeeds, from a source that is unusual but not categorically anomalous
- From the captured session's perspective: the session is legitimate, the user is real, the MFA was valid
The captured session, replayed by the adversary, presents to defensive controls as a legitimate authenticated session belonging to the legitimate user. The structural challenge is distinguishing the captured session from the user's own continued use.
Behavioral Indicators
Detection of AiTM-mediated compromise relies on behavioral indicators after the capture:
- Authentication from atypical geographic locations
- Authentication from atypical network sources (anonymizing proxies, residential proxy infrastructure)
- Behavioral patterns inconsistent with the user's baseline
- Token use across diverging IP addresses or user agents
- API call patterns inconsistent with normal user activity
Modern detection rules in mature identity providers (Microsoft Entra ID Identity Protection, Okta ThreatInsight, Google Identity-Aware Proxy) include AiTM-specific signals. Empirical efficacy varies substantially across deployments.
Specific Detection Surfaces
The following detection surfaces produce meaningful AiTM signals:
- Sign-in risk evaluation: tenant-side risk evaluation that incorporates session anomaly signals
- Token claims analysis: examination of token claims for indicators of capture or replay
- Behavioral baselining: user-specific behavioral models that flag deviations
- Geographic anomaly detection: location inconsistencies between expected and observed authentication
- Concurrent session detection: multiple simultaneous sessions inconsistent with normal use
- Conditional Access in-session policies: policies that re-evaluate session state continuously
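The "token use across diverging IP addresses or user agents" indicator and the concurrent session surface above reduce to one rule: a session identifier should not be used from a second network faster than the first user could have moved, and a session cookie never migrates between browsers. The following is an added example, not KeenSafe's or any vendor's detection content; the record layout and the /24 network test are assumptions standing in for a real log schema and ASN lookup.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample telemetry (not a vendor log format): one record per
# authenticated request carrying the session identifier the service issued.
# Alice's session S1 is used from her office network, then minutes later from
# an unrelated network with a different browser; Bob's S2 only drifts within
# the same /24 and keeps its user agent, which is ordinary address churn.
EVENTS = [
    {"user": "alice", "session": "S1", "ip": "203.0.113.10", "ua": "Edge/122 Windows", "ts": "2026-03-04T09:00:00"},
    {"user": "alice", "session": "S1", "ip": "203.0.113.10", "ua": "Edge/122 Windows", "ts": "2026-03-04T09:05:00"},
    {"user": "alice", "session": "S1", "ip": "198.51.100.7", "ua": "Chrome/121 Linux", "ts": "2026-03-04T09:11:00"},
    {"user": "bob", "session": "S2", "ip": "203.0.113.22", "ua": "Edge/122 Windows", "ts": "2026-03-04T09:30:00"},
    {"user": "bob", "session": "S2", "ip": "203.0.113.23", "ua": "Edge/122 Windows", "ts": "2026-03-04T10:40:00"},
]


def same_network(ip_a, ip_b, prefix=24):
    """Treat addresses in the same /prefix as one network. This is a coarse
    stand-in for the ASN lookup a production rule would use (assumption)."""
    net = lambda ip: ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return net(ip_a) == net(ip_b)


def find_replayed_sessions(events, window=timedelta(minutes=30)):
    """Return {session_id: finding} for sessions whose consecutive uses
    diverge in a way one browser on one device cannot produce: a user-agent
    change at any time (a cookie does not migrate between browsers), or a
    network change faster than `window` allows."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            gap = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            reasons = []
            if not same_network(prev["ip"], cur["ip"]) and gap <= window:
                reasons.append("ip-divergence")
            if cur["ua"] != prev["ua"]:
                reasons.append("ua-divergence")
            if reasons:
                findings[sid] = {
                    "user": cur["user"],
                    "reasons": reasons,
                    "minutes_since_prior_use": int(gap.total_seconds() // 60),
                    "from": prev["ip"], "to": cur["ip"],
                }
                break  # the first divergence is enough to raise the session
    return findings


if __name__ == "__main__":
    for sid, finding in find_replayed_sessions(EVENTS).items():
        print(sid, finding)
```

Raising on the session identifier rather than on the user is what separates a replayed token from the user simply signing in again elsewhere, which produces a new session.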
The Empirical Detection Gap
Across the corpus, empirical detection efficacy for AiTM-mediated chains averaged 42 percent at the initial access stage. The gap reflects detection rule tuning, log source ingestion, and the structural detection challenge described above.
Figure: Per-stage detection coverage & efficacy heatmap (telemetry vs. blind spots).
5. Defensive Countermeasures
Several countermeasures meaningfully degrade AiTM efficacy.
Phishing-Resistant Authentication
The single most effective countermeasure is the deployment of phishing-resistant authentication factors:
- FIDO2 / WebAuthn with attestation: the protocol's origin binding categorically defeats AiTM proxying. The origin of the authentication request is bound into the signed response and verified against the legitimate service; a proxy presents a different origin than the legitimate service, so the assertion cannot be completed for it.
- Certificate-based authentication (CBA): where properly implemented with hardware-bound certificates, also categorically defeats AiTM.
- Smart card authentication: equivalent protection where deployed.
Adoption barriers — user experience, device support, deployment complexity — have historically slowed deployment. The barriers are diminishing as platform support matures.
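The origin binding described above is enforced in two places: the browser writes its own origin into clientDataJSON and refuses an rpId that is not a registrable suffix of that origin, and the relying party then re-checks the origin, the challenge and the rpIdHash before verifying the signature. The relying-party side of that check, as an added example that is not part of the original article or any library; `login.example.com` and the lookalike `login.example-portal.net` are constructed names, and signature verification is left out.

```python
import base64
import hashlib
import json

# Assumed legitimate relying party (hypothetical names).
EXPECTED_ORIGIN = "https://login.example.com"
EXPECTED_RP_ID = "login.example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(origin: str, challenge: str) -> str:
    """Constructed clientDataJSON as the browser at `origin` produces it.
    The browser, not the page, fills in the origin field, so a proxied page
    cannot claim the legitimate origin."""
    raw = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    return b64url_encode(raw)


def make_authenticator_data(rp_id: str, counter: int) -> bytes:
    """Constructed authenticatorData: SHA-256(rpId) || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + counter.to_bytes(4, "big")


def verify_binding(client_data_b64: str, expected_challenge: str, auth_data: bytes):
    """Relying-party checks that precede signature verification. Returns
    (ok, reason). The signature over authData || SHA-256(clientDataJSON)
    would be verified as the next step and is omitted here."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


if __name__ == "__main__":
    chal = b64url_encode(b"server-chosen-random-challenge")
    auth = make_authenticator_data("login.example.com", 7)
    genuine = make_client_data("https://login.example.com", chal)
    proxied = make_client_data("https://login.example-portal.net", chal)  # constructed lookalike
    print(verify_binding(genuine, chal, auth))   # (True, 'ok')
    print(verify_binding(proxied, chal, auth))   # (False, 'origin mismatch: https://login.example-portal.net')
```

Contrast this with the push, SMS and TOTP factors listed in Section 1: none of them carries the origin, which is why the proxy can forward them unchanged.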
Session Binding
Session tokens can be bound to specific cryptographic context that limits their portability:
- Device-bound session tokens (DBSC and related proposals): emerging standards that bind session tokens to the device that originated them
- Client certificate-bound tokens: tokens that require presentation of a specific client certificate for use
- Token binding mechanisms: various other approaches limiting token portability
Where deployed, session binding meaningfully degrades the value of captured session tokens.
Continuous Access Evaluation
Continuous access evaluation (CAE) and related mechanisms revoke session tokens in response to risk signals:
- Sign-in risk elevation
- Geographic anomalies
- Behavioral deviations
- Administrative revocation
Mature CAE deployment compresses the window during which captured sessions remain usable.
Conditional Access Hardening
Conditional access policies can be configured to constrain the value of captured sessions:
- Device compliance requirements: policies requiring compliant device state, which captured sessions on adversary devices fail
- Network location restrictions: policies limiting access to defined network ranges
- Application-specific restrictions: policies limiting which applications can be accessed from which contexts
Each policy adds constraints that captured sessions may fail.
Detection-Layer Defenses
Detection-layer defenses include:
- Identity provider risk evaluation tuned aggressively
- Token usage anomaly detection
- Concurrent session detection
- Behavioral baselining for high-value identities
User-Layer Defenses
User-layer defenses include:
- Security awareness training that addresses AiTM specifically (with limited expected efficacy)
- Browser-based protections (URL inspection, content security policy)
- Password manager domain matching (which mature AiTM operations typically circumvent, but which catches lower-sophistication operations)
Figure: Layered defense bands from preventive controls down to recovery.
6. TTP Chain Example
A representative AiTM-initiated chain observed in the corpus:
| Stage | Technique | Action |
|---|---|---|
| 1 | T1566.002 | Phishing email referencing a recent industry conference |
| 2 | T1557 | Lookalike Microsoft 365 portal hosted on adversary-controlled domain |
| 3 | T1539 | Post-MFA session token captured |
| 4 | T1550.004 | Token replayed from adversary infrastructure |
| 5 | T1087.004 | Tenant enumeration via Microsoft Graph |
| 6 | T1552.001 | Embedded credentials discovered in SharePoint operational documentation |
| 7 | T1078.004 | Service principal authentication using discovered credentials |
| 8 | T1098.001 | Additional credentials added to service principal for persistence |
| 9 | T1213 | Data access to customer master records |
The chain composed nine techniques, traversed two domains (Microsoft 365 and Azure), and reached crown-jewel data. The initial access stage — AiTM — was not detected by the customer's SOC; the chain was surfaced through KeenSafe continuous validation against the same exposure conditions.
Figure: Linear kill-chain sequence with MITRE ATT&CK tactic tags per stage.
7. Enterprise Implications
MFA Investment is Necessary but Insufficient
Enterprises that have invested heavily in MFA deployment have raised the cost of credential-only compromise but have not eliminated authenticated foothold as an adversary capability. The defensive investment must extend beyond MFA enrollment to MFA bypass mitigation.
Phishing-Resistant Authentication is the Strategic Direction
The strategic direction for identity protection is phishing-resistant authentication. FIDO2/WebAuthn deployment for privileged identities is operationally tractable today and is the highest-leverage investment in MFA hardening.
Session Binding Investment Compounds Defensibility
Session binding mechanisms, where available, compound MFA value by limiting captured session token portability. The investment is increasingly available across major identity providers.
Conditional Access Hardening is the Operational Middle Ground
For enterprises that cannot yet deploy phishing-resistant authentication broadly, aggressive conditional access policy hardening — device compliance requirements, network restrictions, application-specific policies — provides the operational middle ground.
Detection Engineering Reprioritization
Detection engineering investment should reflect the actual detection landscape. Token replay detection, session anomaly detection, and post-MFA behavioral analysis produce higher marginal returns than pre-MFA detection content.
Identity Reconnaissance Detection is the Highest-Leverage Stage
Across the chains analyzed, identity reconnaissance is the most consistently underdetected stage. Investment in detection content for T1087, T1069, and T1526 family techniques substantially improves chain interruption rates.
8. Strategic Insights
Insight 1: MFA bypass is the operational baseline, not the exception. Strategic planning should assume MFA will be bypassed in a significant fraction of phishing-targeted operations.
Insight 2: AiTM is industrialized commodity capability. The threat model should not treat AiTM as advanced; it is operationally available to mid-tier criminal operators.
Insight 3: Phishing-resistant authentication is the only categorical defeat. It is the only countermeasure that categorically defeats AiTM rather than merely degrading its efficacy.
Insight 4: Session binding is a high-leverage emerging investment. Session binding mechanisms are maturing rapidly. Early adoption is strategically valuable.
Insight 5: Continuous validation surfaces AiTM-mediated chains. Periodic validation systematically underweights AiTM-mediated chains because they do not produce traditional detection artifacts. Continuous validation that includes behavioral baseline modeling is the operational complement.
Figure: 2×2 strategic framework / accountability landscape.
Conclusion
Adversary-in-the-Middle phishing is the dominant MFA bypass technique in 2026. It has industrialized through a mature kit ecosystem and is operationally available across the criminal threat actor landscape. It defeats every authentication mechanism that completes within a proxiable session, including most widely deployed MFA factors.
The defensive response operates across multiple layers: phishing-resistant authentication for the strategic direction, session binding for emerging defense, conditional access hardening for operational middle ground, detection engineering for post-capture interruption, and continuous validation for chain visibility. No single layer suffices; the combination produces meaningful AiTM defensibility.
KeenSafe Research will continue to publish updated intelligence on MFA bypass evolution. Companion research in this series addresses adjacent topics: OAuth abuse and SaaS persistence, modern identity attack chains, lateral movement patterns, and the broader identity governance landscape.
KeenSafe Research is the threat intelligence and offensive security research arm of KeenSafe, an AI-powered attack path validation platform for continuous offensive security validation across hybrid enterprise infrastructure.
Figure: Headline research statistics and key takeaway from the corpus analysis.
