A phishing method that places an attacker between the user and the real identity provider so the attacker can intercept or relay the authenticated session. It often preserves the user experience, which is why it can evade awareness and some detection paths while still producing usable session tokens.
Expanded Definition
Adversary-in-the-middle phishing is a relay attack that inserts an attacker between the user and the legitimate identity provider, so the victim completes a normal sign-in while the attacker captures the resulting session. In NHI and IAM contexts, the key risk is not only credential theft but also token theft, because the attacker can reuse an authenticated session without needing to reenter a password. This pattern is closely related to modern phishing kits that proxy login pages and preserve the real look and feel of the authentication flow. Public reporting on agentic and automated abuse patterns, including the MITRE ATLAS adversarial AI threat matrix, shows how attackers increasingly combine automation, social engineering, and session capture. Definitions vary across vendors on whether device-bound tokens and conditional access failures are part of the term itself or separate follow-on impacts, so precision matters. The most common misapplication is treating it as ordinary credential phishing, which occurs when defenders focus on password reuse instead of the intercepted authenticated session.
Examples and Use Cases
Implementing phishing resistance rigorously often introduces more user friction and more stringent access controls, requiring organisations to weigh sign-in convenience against session integrity and recovery complexity.
- A user signs into a cloud portal through a lookalike page, and the attacker proxies the real IdP in real time to steal the authenticated session cookie.
- A help desk reset flow is abused because the attacker can relay the login, then immediately pivot into admin tools before the token expires.
- A compromised contractor mailbox is used to send a polished login prompt that captures a fresh session from a privileged service operator.
- An incident review shows the initial password never left the victim, but the session token was replayed from a new device, defeating simple password reset.
- Guidance in the OWASP NHI Top 10 and the 52 NHI Breaches Report underscores how session theft can become an NHI control failure when service accounts or shared credentials are in play.
These scenarios are especially dangerous when sign-in telemetry looks legitimate, because the attack is designed to pass through normal identity checks while diverting the session under the attacker’s control.
Why It Matters in NHI Security
For NHI security, adversary-in-the-middle phishing is important because it can convert a single human login into downstream compromise of service accounts, API consoles, automation workflows, and delegated tool access. Once the attacker has a valid session, password rotation alone may not stop misuse if the token remains valid or if the session was already exchanged for longer-lived access. This is why teams investigating identity abuse should connect phishing analysis with secret governance, token lifetime, and privileged session monitoring, as described in Ultimate Guide to NHIs — Why NHI Security Matters Now and Top 10 NHI Issues. NHIMG reports that 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage, which reinforces how often identity compromise becomes operational loss rather than a narrow login event. CISA advisories on credential theft and session hijacking further show that response must include token revocation, conditional access review, and privileged access containment. Organisations typically encounter the real impact only after an unusual admin action, suspicious token reuse, or a lateral movement alert, at which point addressing adversary-in-the-middle phishing can no longer be deferred.
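The replay signal described in the examples above (the password never leaves the victim, but the session token is reused from a new device before it expires) and the token-revocation response called for here can be expressed as a small detection over session telemetry. This is an added illustration, not code from NHI Mgmt Group; the event format, field names and sample records are constructed for the example.

```python
from datetime import datetime

# Constructed sample telemetry (not real logs). Each tuple is one use of an
# authenticated session as a session-aware gateway or IdP might record it:
# (timestamp, session_id, user, source_ip, device_id, action)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "s-1001", "alice", "203.0.113.10", "dev-alice-laptop", "login"),
    ("2024-05-01T09:01:10", "s-1001", "alice", "203.0.113.10", "dev-alice-laptop", "read_mail"),
    # Same session cookie minutes later from a different IP and an unknown device:
    # the credential was never exposed, the token is simply being replayed.
    ("2024-05-01T09:04:30", "s-1001", "alice", "198.51.100.77", "dev-unknown-4f2", "list_service_accounts"),
    ("2024-05-01T09:05:02", "s-1001", "alice", "198.51.100.77", "dev-unknown-4f2", "rotate_api_key"),
    # A benign session that stays bound to the context it was issued in.
    ("2024-05-01T10:00:00", "s-2002", "bob", "203.0.113.20", "dev-bob-desktop", "login"),
    ("2024-05-01T10:30:00", "s-2002", "bob", "203.0.113.20", "dev-bob-desktop", "read_mail"),
]


def detect_session_replay(events, token_lifetime_minutes=15):
    """Return (session_id, user, action, ip, device) for every use of a session
    token from a different IP or device than the one it was first seen on,
    while the token is still within its lifetime. Reuse after the lifetime
    would be rejected by the IdP anyway; reuse inside it is the replay signal."""
    issued = {}  # session_id -> (user, issued_at, ip, device)
    findings = []
    for ts, sid, user, ip, device, action in events:
        t = datetime.fromisoformat(ts)
        if sid not in issued:
            # First sighting binds the token to the context it was issued in.
            issued[sid] = (user, t, ip, device)
            continue
        _, issued_at, first_ip, first_device = issued[sid]
        age_minutes = (t - issued_at).total_seconds() / 60
        if (ip != first_ip or device != first_device) and age_minutes <= token_lifetime_minutes:
            findings.append((sid, user, action, ip, device))
    return findings


def sessions_to_revoke(events, token_lifetime_minutes=15):
    """Session ids that must be revoked outright: rotating the password does
    nothing for these, because the attacker holds a still-valid token."""
    return sorted({f[0] for f in detect_session_replay(events, token_lifetime_minutes)})
```

Feeding the same logic a stricter lifetime than the gap between issuance and reuse produces no findings, which is the defensive argument for short session lifetimes alongside revocation.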
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers NHI authentication abuse and session-token theft paths. |
| NIST SP 800-63 | AAL2 | Session replay risk maps to assurance and phishing-resistant authentication guidance. |
| NIST CSF 2.0 | PR.AA | Identity proofing and access enforcement are central to stopping relay-based phishing. |
Use phishing-resistant sign-in and revoke exposed sessions immediately after suspected relay attacks.
Related resources from NHI Mgmt Group
- Why do phishing-resistant methods still fail against man-in-the-middle attacks?
- Why do phishing-resistant credentials reduce man-in-the-middle risk?
- How should security teams stop adversary-in-the-middle attacks on MFA-protected accounts?
- Why do adversary-in-the-middle attacks still work when MFA is enabled?