
AiTM phishing and MFA bypass: what IAM teams need to do


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7651

TL;DR: Adversary-in-the-middle (AiTM) attacks combine phishing with proxy infrastructure to capture credentials and session cookies, letting attackers bypass MFA and reuse already-trusted sessions, according to 1Kosmos. The security gap is not only user susceptibility but also the assumption that a successful authentication proves the ongoing legitimacy of the session.

NHIMG editorial — based on content published by 1Kosmos: adversary-in-the-middle attacks and MFA bypass

Questions worth separating out

Q: How should security teams reduce the risk of adversary-in-the-middle phishing?

A: Security teams should prioritise phishing-resistant authentication, remove weak fallback login methods, and add device-aware conditional access.

Q: Why do AiTM attacks bypass MFA in practice?

A: They bypass MFA because the attacker completes the MFA challenge inside a proxy flow and then reuses the resulting authenticated session.

Q: What breaks when organisations rely on login success as proof of trust?

A: Trust breaks at the session layer: a successful login is treated as proof that every later request on that session is legitimate, so a stolen session cookie inherits all of that trust without ever being re-checked.

Practitioner guidance

  • Adopt phishing-resistant authentication for high-value users: move privileged users, finance teams, and cloud administrators to FIDO2 or WebAuthn first, then remove weaker fallback methods that can be abused in proxy-based phishing.
  • Bind access decisions to device and session signals: use conditional access that checks device posture, browser context, and location, then deny or step up access when the session context changes unexpectedly.
  • Shorten the lifespan of trusted sessions: apply tighter session timeouts and rapid token revocation so intercepted cookies lose value quickly after abnormal activity is detected.

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • A step-by-step explanation of how an AiTM proxy captures both credentials and session cookies.
  • The article's walkthrough of TLS, redirector pages, and why the victim still appears to authenticate normally.
  • Specific prevention controls, including FIDO2, conditional access, monitoring, and auto-access revocation.
  • The vendor's implementation context for passwordless authentication and identity proofing.

Read 1Kosmos's analysis of adversary-in-the-middle phishing and MFA bypass.
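The second and third guidance points (bind sessions to client context; time sessions out and revoke them fast) can be shown concretely. The Python below is an added example written for this post; it is not code from the post or from 1Kosmos, and the context field names (device_id, user_agent, network), the timeouts and the secret are assumptions. A session is bound at login to an HMAC of the client context, every later request must present a matching context, sessions idle out and hit an absolute lifetime, and any mismatch revokes the session, so a replayed cookie is denied and the legitimate user is pushed back to (phishing-resistant) re-authentication.

```python
"""Session binding and fast revocation (added example, not from the post)."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets
import time


@dataclass
class Session:
    user: str
    binding: str       # HMAC over the client context captured at login
    issued_at: float
    last_seen: float
    revoked: bool = False


class FakeClock:
    """Controllable clock so expiry logic can be exercised deterministically."""
    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class SessionStore:
    IDLE_TIMEOUT = 15 * 60           # seconds without activity before re-auth (assumed)
    ABSOLUTE_LIFETIME = 8 * 60 * 60  # hard cap regardless of activity (assumed)
    CONTEXT_KEYS = ("device_id", "user_agent", "network")  # assumed field names

    def __init__(self, secret: bytes, clock=time.time) -> None:
        self._secret = secret
        self._clock = clock
        self._sessions: dict[str, Session] = {}
        self.audit: list[tuple[str, str, str]] = []  # (session id, user, event)

    def _bind(self, ctx: dict) -> str:
        # Keyed hash so the stored binding does not leak the raw context values.
        material = "|".join(str(ctx.get(k, "")) for k in self.CONTEXT_KEYS)
        return hmac.new(self._secret, material.encode(), hashlib.sha256).hexdigest()

    def create(self, user: str, ctx: dict) -> str:
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, self._bind(ctx), now, now)
        self.audit.append((sid, user, "created"))
        return sid

    def revoke(self, sid: str, reason: str) -> None:
        s = self._sessions.get(sid)
        if s is not None and not s.revoked:
            s.revoked = True
            self.audit.append((sid, s.user, f"revoked:{reason}"))

    def revoke_user(self, user: str, reason: str) -> int:
        """Kill every live session of a user, e.g. after an abnormal-activity alert."""
        live = [sid for sid, s in self._sessions.items() if s.user == user and not s.revoked]
        for sid in live:
            self.revoke(sid, reason)
        return len(live)

    def validate(self, sid: str, ctx: dict) -> str:
        """Return "ok" or "denied:<reason>" for a request presenting session id sid."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return "denied:unknown_or_revoked"
        now = self._clock()
        if now - s.issued_at > self.ABSOLUTE_LIFETIME:
            self.revoke(sid, "absolute_lifetime")
            return "denied:expired"
        if now - s.last_seen > self.IDLE_TIMEOUT:
            self.revoke(sid, "idle_timeout")
            return "denied:idle"
        if not hmac.compare_digest(s.binding, self._bind(ctx)):
            # Same cookie, different client context: treat as replay and revoke,
            # which also forces the legitimate user to re-authenticate.
            self.revoke(sid, "context_mismatch")
            return "denied:context_mismatch"
        s.last_seen = now
        return "ok"


def demo() -> dict:
    """Constructed scenario: a victim's session cookie is presented from another client."""
    clock = FakeClock(1_700_000_000.0)
    store = SessionStore(secret=b"example-only-secret", clock=clock)
    victim = {"device_id": "laptop-42", "user_agent": "Firefox/130", "network": "corp-vpn"}
    replay = {"device_id": "", "user_agent": "Firefox/130", "network": "unknown-vps"}
    sid = store.create("alice", victim)
    results = {"legit": store.validate(sid, victim)}
    results["replay"] = store.validate(sid, replay)        # denied, session revoked
    results["victim_after"] = store.validate(sid, victim)  # victim is sent back to login
    sid2 = store.create("alice", victim)
    clock.advance(SessionStore.IDLE_TIMEOUT + 1)
    results["idle"] = store.validate(sid2, victim)         # idle session is denied
    results["events"] = [event for _, _, event in store.audit]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The binding signals chosen here are deliberately simple; user agent and network labels can be copied or approximated by a relay, so in production the device_id should come from something the proxy cannot reproduce, such as a managed-device certificate or a device-bound token, and the audit events should feed the monitoring that triggers revoke_user.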
