How do organisations detect a compromised session after AiTM login?

Watch for post-authentication behaviour that does not match the user’s normal pattern, such as new MFA device enrollment, inbox forwarding rule creation, impossible travel, unusual resource access, or a browser fingerprint change mid-session. Those signals show the attacker has moved beyond login and is using the authenticated state.

Why This Matters for Security Teams

An AiTM compromise is dangerous because the attacker is no longer trying to “log in” repeatedly. They inherit a valid session and can operate through the same browser, tenant, and trust relationships as the user. That means classic perimeter checks and a one-time MFA success signal are insufficient. Current guidance suggests security teams should focus on post-authentication evidence, not just the authentication outcome, and align detection with NIST Cybersecurity Framework 2.0 and the identity assurance practices in The 52 NHI Breaches Report.

That matters because session theft often leads to mailbox rule changes, token replay, privilege escalation, and data exfiltration before any password reset takes effect. The operational problem is that a compromised session can look “healthy” until the attacker does something the user would not normally do. In practice, many security teams encounter the compromise only after forwarding rules, OAuth grants, or unusual SaaS access have already been established, rather than through intentional session monitoring.

How It Works in Practice

Detection works best when telemetry is correlated across identity, endpoint, and application layers. A single indicator may be noisy, but a cluster of anomalies around the same session is strong evidence. Security teams should look for changes in browser fingerprint, device posture, IP geography, user agent, MFA state, and application behaviour within the same authenticated context. Microsoft-style conditional access logic is useful here, but the broader principle is behavioural baselining plus rapid containment, not a single vendor feature.

One practical pattern is to treat the session as suspect when the user authenticates normally but the next actions diverge sharply from historical behaviour. For example:

  • New inbox forwarding, delegation, or OAuth consent appears immediately after sign-in.
  • The same session begins accessing unusual resources, administrative panels, or download paths.
  • Risky actions occur from a browser or device fingerprint that changes mid-session.
  • Impossible travel or impossible device switching appears across consecutive requests.

This is consistent with lessons in Top 10 NHI Issues and with the attacker tradecraft described in the Anthropic — first AI-orchestrated cyber espionage campaign report, where abuse is driven by post-access autonomy rather than repeated login attempts. For incident response, the fastest containment usually means revoking active sessions, invalidating refresh tokens, checking mailbox and app rules, and forcing reauthentication with stronger conditional checks. If the user was operating through a managed browser profile, a shared jump host, or a VPN that places many tenants behind one exit node, those controls tend to break down because device and network signals stop being uniquely attributable.

Common Variations and Edge Cases

Tighter session monitoring often increases false positives and review overhead, requiring organisations to balance faster containment against analyst fatigue and user disruption. That tradeoff is especially visible in remote-first environments, VDI, and high-churn SaaS estates where device, IP, and browser signals legitimately change during a normal workday.

There is no universal standard for this yet, but current guidance suggests weighting multiple weak signals rather than blocking on one anomaly. A legitimate user may trigger a single “impossible travel” alert after a mobile handoff, while a compromised session typically accumulates several signals at once. This is where identity lifecycle discipline matters: NHI Lifecycle Management Guide helps frame how credentials, tokens, and active sessions should be inventoried, while Ultimate Guide to NHIs — Why NHI Security Matters Now explains why short-lived abuse can create outsized impact.
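The two ideas above, a session-scoped cluster of anomalies after a normal sign-in, and weighting several weak signals rather than alerting on one, can be demonstrated in a few dozen lines. The following Python script is an added example written for this article, not code from the Journal or from any vendor product. It assumes a constructed JSON-lines event schema (session id, user, timestamp, event type, IP geolocation, user agent), and the signal weights, the alert threshold and the 900 km/h plausibility limit are illustrative choices, not published guidance. The constructed sample contains one mobile-handoff session that trips impossible travel alone and one session whose post-authentication actions pile up the way an AiTM-inherited session typically does.

```python
"""Weighted session-risk scoring over constructed identity and audit events.

Added example for this article; the event schema, weights and thresholds are
assumptions chosen to illustrate multi-signal correlation per session.
"""
import json
import math
from collections import defaultdict
from datetime import datetime

# Illustrative weights: actions that create persistence or inherit privilege
# score high; environmental drift (UA, geography) scores low on its own.
WEIGHTS = {
    "mfa_method_added": 3,
    "inbox_rule_created": 3,
    "oauth_consent": 3,
    "admin_resource_access": 2,
    "impossible_travel": 2,
    "user_agent_change": 1,
}
ALERT_THRESHOLD = 4          # several weak signals, or one strong plus one weak
MAX_PLAUSIBLE_KMH = 900.0    # faster than this between requests is "impossible"
MIN_TRAVEL_KM = 50.0         # ignore intra-city geolocation jitter

# Constructed sample events (not real telemetry). s1 = mobile handoff,
# s2 = AiTM-style session reuse from attacker infrastructure, s3 = quiet user.
SAMPLE_EVENTS = """
{"ts":"2024-05-01T08:00:00Z","session":"s1","user":"alice","type":"signin","ip_geo":[51.5,-0.1],"ua":"Chrome/124 Windows"}
{"ts":"2024-05-01T08:05:00Z","session":"s1","user":"alice","type":"resource_access","resource":"sharepoint:/teamdocs","ip_geo":[53.5,-2.2],"ua":"Safari/17 iPhone"}
{"ts":"2024-05-01T09:00:00Z","session":"s2","user":"bob","type":"signin","ip_geo":[52.5,13.4],"ua":"Chrome/124 Windows"}
{"ts":"2024-05-01T09:02:00Z","session":"s2","user":"bob","type":"inbox_rule_created","ip_geo":[52.4,4.9],"ua":"Chrome/120 Linux"}
{"ts":"2024-05-01T09:03:00Z","session":"s2","user":"bob","type":"oauth_consent","ip_geo":[52.4,4.9],"ua":"Chrome/120 Linux"}
{"ts":"2024-05-01T09:04:00Z","session":"s2","user":"bob","type":"resource_access","resource":"admin:entra-portal","ip_geo":[52.4,4.9],"ua":"Chrome/120 Linux"}
{"ts":"2024-05-01T10:00:00Z","session":"s3","user":"carol","type":"signin","ip_geo":[48.9,2.3],"ua":"Firefox/125 macOS"}
{"ts":"2024-05-01T10:30:00Z","session":"s3","user":"carol","type":"resource_access","resource":"sharepoint:/finance","ip_geo":[48.9,2.3],"ua":"Firefox/125 macOS"}
"""


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_events(text):
    """Parse JSON lines into dicts with aware datetimes, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def session_signals(events):
    """Return the set of anomaly signals seen across one session's events."""
    signals, base_ua, prev = set(), None, None
    for ev in events:
        if ev["type"] == "signin":
            base_ua = ev["ua"]                      # baseline fingerprint for the session
        elif ev["type"] in ("mfa_method_added", "inbox_rule_created", "oauth_consent"):
            signals.add(ev["type"])                 # persistence-creating actions
        elif ev["type"] == "resource_access" and ev.get("resource", "").startswith("admin:"):
            signals.add("admin_resource_access")
        if base_ua is not None and ev["ua"] != base_ua:
            signals.add("user_agent_change")        # fingerprint drift mid-session
        if prev is not None:
            km = haversine_km(prev["ip_geo"], ev["ip_geo"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            if km > MIN_TRAVEL_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                signals.add("impossible_travel")
        prev = ev
    return signals


def score_sessions(text):
    """Group events by session id and score each one against ALERT_THRESHOLD."""
    by_session = defaultdict(list)
    for ev in parse_events(text):
        by_session[ev["session"]].append(ev)
    results = {}
    for sid, evs in by_session.items():
        sig = session_signals(evs)
        score = sum(WEIGHTS[s] for s in sig)
        results[sid] = {"user": evs[0]["user"], "signals": sorted(sig),
                        "score": score, "suspect": score >= ALERT_THRESHOLD}
    return results


if __name__ == "__main__":
    for sid, r in score_sessions(SAMPLE_EVENTS).items():
        flag = "SUSPECT" if r["suspect"] else "ok"
        print(f"{sid} {r['user']:<6} score={r['score']:<3} {flag:<8} {', '.join(r['signals'])}")
```

Run stand-alone, the script reports s1 (impossible travel plus a user-agent change, score 3) as below threshold, s2 (inbox rule, OAuth consent, admin access, impossible travel and a fingerprint change inside one session, score 11) as suspect, and s3 as clean. The point of the weights is that the mobile handoff never crosses the line on geography alone, while the AiTM-style session is caught by the cluster rather than by any single signal; in production the event types would come from the identity provider's sign-in and audit logs and the thresholds would be tuned against the tenant's own baseline.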

Another edge case is session theft that occurs after the attacker has also enrolled a new MFA method or added a trusted device. At that point, the compromise is no longer just a session problem but an identity persistence problem. The best response is to assume the session is only one layer of the intrusion, then verify that recovery steps include token revocation, device cleanup, conditional access review, and mailbox rule auditing. In mixed human and NHI environments, that distinction is often missed until the attacker has already established a durable foothold.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
NIST CSF 2.0                     | PR.AC-4             | Session anomaly detection supports ongoing access control monitoring.
OWASP Non-Human Identity Top 10  | NHI-03              | Compromised sessions often follow weak credential and token lifecycle handling.
NIST AI RMF                      | AI RMF              | Supports governance for behavioural monitoring and response decisions.

Shorten token TTLs, revoke active sessions fast, and audit NHI credential lifecycle controls.