TL;DR: Adversary-in-the-middle attacks use phishing plus proxy infrastructure to steal credentials and session cookies, letting attackers bypass MFA and reuse trusted sessions, according to 1Kosmos. The security gap is not only user susceptibility but also the assumption that authentication proves ongoing session legitimacy.
NHIMG editorial — based on content published by 1Kosmos: adversary-in-the-middle attacks and MFA bypass
Questions worth separating out
Q: How should security teams reduce the risk of adversary-in-the-middle phishing?
A: Security teams should prioritise phishing-resistant authentication, remove weak fallback login methods, and add device-aware conditional access.
Q: Why do AiTM attacks bypass MFA in practice?
A: They bypass MFA because the attacker completes the MFA challenge inside a proxy flow and then reuses the resulting authenticated session.
Q: What breaks when organisations rely on login success as proof of trust?
A: Trust breaks at the session layer.
Practitioner guidance
- Adopt phishing-resistant authentication for high-value users Move privileged users, finance teams, and cloud administrators to FIDO2 or WebAuthn first, then remove weaker fallback methods that can be abused in proxy-based phishing.
- Bind access decisions to device and session signals Use conditional access that checks device posture, browser context, and location, then deny or step up access when the session context changes unexpectedly.
- Shorten the lifespan of trusted sessions Apply tighter session timeouts and rapid token revocation so intercepted cookies lose value quickly after abnormal activity is detected.
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step explanation of how an AiTM proxy captures both credentials and session cookies.
- The article's walkthrough of TLS, redirector pages, and why the victim still appears to authenticate normally.
- Specific prevention controls, including FIDO2, conditional access, monitoring, and auto-access revocation.
- The vendor's implementation context for passwordless authentication and identity proofing.
👉 Read 1Kosmos's analysis of adversary-in-the-middle phishing and MFA bypass →
AiTM phishing and MFA bypass: what IAM teams need to do?
Explore further
Session trust, not just credential secrecy, is the real failure mode in AiTM phishing. These attacks succeed because the programme treats a completed login as proof of continued legitimacy. Once the proxy captures the session cookie, the attacker no longer needs to win the authentication ceremony again. The implication is that IAM must evaluate session integrity as a first-class control surface, not only login success.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37%, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who is accountable when an AiTM attack leads to account compromise?
A: Accountability usually sits with identity, security, and application owners together. Identity teams own the assurance method, security teams own detection and response, and application teams own session controls and access policies. If any of those layers is weak, the attacker can inherit the trusted session.
👉 Read our full editorial: Adversary-in-the-middle attacks expose MFA trust gaps