You use strong passwords, you have multi-factor authentication enabled on all your accounts, and you feel reasonably secure. Then one day you click a link in a convincing email, enter your credentials, complete your MFA challenge as usual — and an attacker silently captures your authenticated session and walks right into your account. This is an adversary-in-the-middle attack, and it is one of the fastest-growing threats in cybersecurity today.
What Is an Adversary-in-the-Middle Attack?
An adversary-in-the-middle (AitM) attack is an evolved form of the classic man-in-the-middle attack. Instead of simply eavesdropping on network traffic, the attacker positions a reverse proxy server between you and a legitimate service — like Microsoft 365, Google Workspace, or your bank. This proxy relays traffic in both directions in real time, so you see the real login page, enter your real credentials, and complete your real MFA challenge. But the proxy captures everything along the way, including the session cookie that proves you are authenticated.
Once the attacker has your session cookie, they can import it into their own browser and access your account without needing your password or MFA code again. The session token is the key to the kingdom, and AitM attacks are designed specifically to steal it.
How AitM Attacks Work Step by Step
- The phishing lure: You receive a convincing email — perhaps a fake Microsoft security alert, a shared document notification, or a password expiration warning — containing a link to the attacker's proxy server.
- The reverse proxy: The link takes you to a phishing domain that runs a reverse proxy. The proxy opens its own connection to the real login page (e.g., login.microsoftonline.com), fetches every response, rewrites references to the legitimate domain so they point back at the phishing host, and relays the result to your browser. The page looks completely authentic because it is the real page, just served through the attacker's server, and the phishing domain presents a valid HTTPS certificate of its own, so the browser shows the usual padlock.
- You authenticate normally: You enter your username and password. The proxy forwards them to the real service. The service sends back an MFA challenge, the proxy relays it to you, and you complete it — whether it is a push notification, SMS code, or authenticator app code.
- Session cookie theft: After you successfully authenticate, the legitimate service issues a session cookie in a Set-Cookie header. Because the proxy terminates TLS on both sides of the connection, it reads that header in the clear, stores the cookie for the attacker, and still forwards it to your browser so your own session continues and nothing looks wrong.
- Account takeover: The attacker imports your stolen session cookie into their browser and now has full authenticated access to your account. No additional MFA prompt appears, because the service treats the cookie as proof that the MFA challenge has already been completed.
MFA Alone Cannot Stop AitM Attacks
According to Obsidian Security, 84% of compromised accounts in AitM attacks had MFA enabled. Standard MFA methods such as SMS codes, TOTP authenticator apps, and push notifications (including number-matching prompts) do not protect against AitM, because the victim really is performing a legitimate login and the attacker captures the session token only after the MFA challenge has succeeded. The attack does not break MFA; it sidesteps it by stealing what a successful MFA login produces.
The Tools Attackers Use
AitM attacks have become alarmingly accessible thanks to commercial phishing toolkits:
- Evilginx: An open-source reverse proxy framework written in Go that terminates TLS for the phishing domain and rewrites every reference to the legitimate domain across HTML, JavaScript, CSS, headers, and cookies. Pre-built configuration files called "phishlets" exist for Microsoft 365, Google Workspace, Okta, Amazon, LinkedIn, and dozens of other services.
- EvilProxy: A commercial phishing-as-a-service (PhaaS) platform that provides a managed web interface for creating AitM campaigns, selecting targets, and retrieving stolen sessions — no technical expertise required.
- Modlishka and Muraena: Additional open-source reverse proxy tools that function similarly to Evilginx.
At least eleven major AitM phishing kits are currently circulating, and the barrier to entry is remarkably low. Criminals can rent PhaaS platforms for a few hundred dollars per month and launch sophisticated attacks against any organization.
Real-World Impact
AitM attacks have surged dramatically in recent years. Microsoft's Digital Defense Report documented a 146% increase in adversary-in-the-middle attacks in a single year. These attacks have been used to compromise corporate email accounts, initiate fraudulent wire transfers through business email compromise (BEC), steal sensitive documents, and pivot deeper into organizational networks.
In one widely reported campaign, attackers used an AitM phishing kit to target thousands of Microsoft 365 users, successfully stealing session tokens and then using compromised mailboxes to launch secondary BEC attacks against the victims' business partners — creating a chain of fraud that multiplied the damage.
How to Protect Yourself
1. Use Phishing-Resistant MFA
The single most effective defense against AitM attacks is to use FIDO2 security keys or passkeys instead of SMS codes, authenticator apps, or push notifications. A FIDO2 credential is bound to the domain it was registered on (the relying party ID), and the browser, not the web page, tells the authenticator which domain is asking. On a phishing proxy at evil-domain.com the browser has no credential for login.microsoftonline.com to offer, so nothing is signed; and because the page origin is embedded in the data the authenticator signs, even a response obtained by some other trick would fail verification at the real service. The attack simply cannot complete.
- Hardware security keys (like YubiKey or Google Titan) provide the strongest protection because the private key never leaves the physical device
- Passkeys stored on your phone or computer offer similar domain-binding protection with greater convenience
- Many keys also support biometric or PIN verification before signing, adding another layer of protection
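To make the domain binding concrete, here is an added Python model of the two WebAuthn checks involved. It is illustrative code written for this article, not code from any FIDO library or from the authors of the page; the signature is simulated with HMAC over a per-credential secret so it runs on the standard library alone (a real authenticator signs with an asymmetric key, typically ECDSA P-256, and the server holds only the public half). The hostnames login.microsoftonline.com and evil-domain.com are the ones used above; every class and function name is invented for the example.

```python
"""Why a FIDO2/WebAuthn credential cannot be phished through an AitM proxy.

Illustrative model, not code from any FIDO library.  It reproduces the two
domain-binding checks that make WebAuthn phishing-resistant:

  1. the authenticator only signs for the RP ID the credential was created
     for, and the browser (not the page) derives that RP ID from the real
     origin of the tab;
  2. the relying party checks that the origin embedded in the signed
     clientDataJSON is its own, so the proxy cannot rewrite it.

The signature is simulated with HMAC-SHA256 over a per-credential secret so
the example runs on the standard library; a real authenticator signs with an
asymmetric key (typically ECDSA P-256) and the server stores only the public
half.  All names below are invented for this example.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

LEGIT_RP_ID = "login.microsoftonline.com"
LEGIT_ORIGIN = "https://" + LEGIT_RP_ID
PHISH_ORIGIN = "https://evil-domain.com"


class Authenticator:
    """A security key holding one credential scoped to a single RP ID."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self._key = secrets.token_bytes(32)  # stand-in for the private key

    def verification_key(self) -> bytes:
        # With an HMAC stand-in the verifier needs the same secret; with a real
        # key pair the relying party would hold only the public key.
        return self._key

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> Optional[bytes]:
        # The browser supplies the RP ID of the page that is asking.  A
        # credential registered to login.microsoftonline.com is simply not
        # usable for evil-domain.com, so the key produces nothing at all.
        if rp_id != self.rp_id:
            return None
        # authenticatorData = SHA-256(rpId) || flags || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data + hmac.new(self._key, signed, hashlib.sha256).digest()


def browser_get_assertion(key: Authenticator, page_origin: str, challenge: bytes):
    """What an honest browser does on navigator.credentials.get()."""
    client_data = {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    rp_id = page_origin.removeprefix("https://")  # effective domain of the tab
    return client_data_json, key.get_assertion(rp_id, client_data_json)


def relying_party_verify(verify_key: bytes, expected_origin: str, expected_rp_id: str,
                         challenge: bytes, client_data_json: bytes,
                         assertion: Optional[bytes]) -> str:
    """Server-side checks in the order the WebAuthn spec lists them."""
    if assertion is None:
        return "no assertion"
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return "bad type"
    if client_data.get("challenge") != challenge.hex():
        return "challenge mismatch"
    if client_data.get("origin") != expected_origin:
        return "origin mismatch"
    auth_data, sig = assertion[:37], assertion[37:]
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    if not hmac.compare_digest(hmac.new(verify_key, signed, hashlib.sha256).digest(), sig):
        return "bad signature"
    return "ok"


def run_scenarios() -> dict:
    key = Authenticator(LEGIT_RP_ID)
    vk = key.verification_key()
    results = {}

    # 1. Normal login directly on the real site.
    chal = secrets.token_bytes(32)
    cdj, asrt = browser_get_assertion(key, LEGIT_ORIGIN, chal)
    results["direct_login"] = relying_party_verify(vk, LEGIT_ORIGIN, LEGIT_RP_ID, chal, cdj, asrt)

    # 2. AitM: the proxy relays the real challenge, but the tab is on evil-domain.com,
    #    so the browser asks the key for an evil-domain.com credential and gets none.
    chal = secrets.token_bytes(32)
    cdj, asrt = browser_get_assertion(key, PHISH_ORIGIN, chal)
    results["through_proxy"] = relying_party_verify(vk, LEGIT_ORIGIN, LEGIT_RP_ID, chal, cdj, asrt)

    # 3. Suppose a tampered browser lied to the key about the RP ID and obtained a
    #    signature anyway.  Forwarded as-is, the origin field gives it away...
    chal = secrets.token_bytes(32)
    cdj = json.dumps({"type": "webauthn.get", "challenge": chal.hex(), "origin": PHISH_ORIGIN},
                     separators=(",", ":")).encode()
    asrt = key.get_assertion(LEGIT_RP_ID, cdj)
    results["lying_browser"] = relying_party_verify(vk, LEGIT_ORIGIN, LEGIT_RP_ID, chal, cdj, asrt)

    # 4. ...and if the proxy rewrites the origin back to the real domain, as it does
    #    for every other domain reference, the signature over clientDataJSON breaks.
    rewritten = cdj.replace(PHISH_ORIGIN.encode(), LEGIT_ORIGIN.encode())
    results["proxy_rewrites_origin"] = relying_party_verify(vk, LEGIT_ORIGIN, LEGIT_RP_ID, chal, rewritten, asrt)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} -> {outcome}")
```

The second scenario is the one a real Evilginx-style proxy hits: the honest browser never asks the key to sign for the phishing domain, so there is no assertion to relay. Scenarios 3 and 4 show why even a compromised browser would not help the proxy: the origin travels inside the signed clientDataJSON, so the server rejects it either as a foreign origin or as a broken signature.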
2. Inspect URLs Carefully Before Logging In
The URL is the one thing an AitM proxy cannot perfectly replicate. Before entering any credentials, carefully check the address bar for the exact legitimate domain. Watch for subtle misspellings, extra characters, or unfamiliar subdomains, and do not rely on the padlock icon: the phishing domain has its own valid HTTPS certificate, so the connection looks secure. Bookmark your most important login pages and always navigate to them directly rather than clicking links in emails.
3. Never Click Login Links in Emails
Virtually all AitM attacks begin with a phishing email containing a link. Make it a habit to never log in to any service by clicking a link in an email. Instead, open your browser, navigate to the service directly (or use a bookmark), and log in from there. If the email is legitimate, you will see the same notification or request after logging in.
4. Enable Conditional Access Policies
If you manage organizational security, implement conditional access policies that restrict authentication to compliant, managed devices. A stolen cookie alone does not carry the device identity that such a policy checks, and where your identity provider supports binding sign-in tokens to the device that obtained them, a cookie exported from the victim's browser cannot be replayed on the attacker's machine. Blocking sign-ins from anonymizing or hosting-provider IP ranges also raises the cost, since both the proxy and the browser that replays the cookie sit on attacker infrastructure.
5. Monitor for Suspicious Session Activity
Watch for warning signs that a session token may have been stolen: logins from unfamiliar locations or IP addresses, the same session appearing from two networks at once, sign-ins whose MFA requirement was satisfied by an existing token rather than a fresh challenge, or unexpected changes to account settings such as new email forwarding rules. Enable login notifications on your most important accounts so you are alerted immediately to unrecognized activity.
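The signals above can be checked mechanically. The following is an added Python example, not code from the article or from any vendor product, that runs three such rules over a handful of constructed sign-in and audit events. The JSON-lines format, field names, IP addresses and mailboxes are all invented for the example; real identity-provider logs (Microsoft Entra, Google Workspace, Okta) carry the same information under different names. The sample events replay the article's scenario: a login that arrives through the proxy, the cookie reused from the attacker's own network a few minutes later, then a forwarding rule to siphon off mail.

```python
"""Detecting AitM session-token theft in sign-in and audit logs.

Added example, not from the original article or any vendor product.  The
JSON-lines format and field names below are constructed for the example;
real identity-provider logs carry the same information under other names.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data.  203.0.113.10 plays the attacker's proxy (the IP the
# victim's login arrives from), 198.51.100.77 the browser that replays the cookie.
SAMPLE_LOG = """
{"ts":"2024-05-02T08:01:10Z","type":"signin","user":"alice@example.com","session_id":"S1","ip":"203.0.113.10","country":"NL","mfa":"challenge_passed"}
{"ts":"2024-05-02T08:01:15Z","type":"mfa","user":"alice@example.com","session_id":"S1","ip":"203.0.113.10","country":"NL","result":"success"}
{"ts":"2024-05-02T08:07:42Z","type":"signin","user":"alice@example.com","session_id":"S1","ip":"198.51.100.77","country":"RU","mfa":"satisfied_by_token"}
{"ts":"2024-05-02T08:12:03Z","type":"inbox_rule","user":"alice@example.com","ip":"198.51.100.77","name":"RSS Feeds","forward_to":"archive@external-example.net"}
{"ts":"2024-05-02T09:30:00Z","type":"signin","user":"bob@example.com","session_id":"S2","ip":"203.0.113.22","country":"NL","mfa":"challenge_passed"}
{"ts":"2024-05-02T09:30:04Z","type":"mfa","user":"bob@example.com","session_id":"S2","ip":"203.0.113.22","country":"NL","result":"success"}
{"ts":"2024-05-02T10:15:00Z","type":"signin","user":"bob@example.com","session_id":"S2","ip":"203.0.113.22","country":"NL","mfa":"satisfied_by_token"}
{"ts":"2024-05-02T10:20:00Z","type":"inbox_rule","user":"bob@example.com","ip":"203.0.113.22","name":"Newsletters","forward_to":null}
"""


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_theft(events: list, window: timedelta = timedelta(hours=1)) -> list:
    """Return alerts for the three traces a replayed session cookie leaves behind."""
    alerts = []

    # Rule 1: one session cookie used from more than one source IP.  The proxy
    # and the replaying browser are different machines, so the same session
    # shows up from two networks within minutes.
    session_ips = defaultdict(dict)  # session_id -> {ip: first seen}
    for ev in events:
        sid = ev.get("session_id")
        if sid and ev["ip"] not in session_ips[sid]:
            session_ips[sid][ev["ip"]] = ev["ts"]
            if len(session_ips[sid]) > 1:
                alerts.append({"rule": "session_reused_from_new_ip", "user": ev["user"],
                               "session_id": sid, "ips": sorted(session_ips[sid]), "ts": ev["ts"]})

    # Rule 2: a sign-in that says MFA was already satisfied by the token, coming
    # from an IP that never completed an MFA challenge for that session.  Through
    # the proxy, the challenge was passed from the proxy's IP, not the attacker's.
    mfa_ips = defaultdict(set)
    for ev in events:
        if ev["type"] == "mfa" and ev.get("result") == "success":
            mfa_ips[ev["session_id"]].add(ev["ip"])
    for ev in events:
        if (ev["type"] == "signin" and ev.get("mfa") == "satisfied_by_token"
                and ev["ip"] not in mfa_ips[ev["session_id"]]):
            alerts.append({"rule": "mfa_claimed_without_challenge_from_ip", "user": ev["user"],
                           "session_id": ev["session_id"], "ip": ev["ip"], "ts": ev["ts"]})

    # Rule 3: a forwarding rule created shortly after the session appeared on a
    # new IP, the usual first move of a BEC follow-on.
    reuse_times = defaultdict(list)
    for a in alerts:
        if a["rule"] == "session_reused_from_new_ip":
            reuse_times[a["user"]].append(a["ts"])
    for ev in events:
        if ev["type"] == "inbox_rule" and ev.get("forward_to"):
            if any(timedelta(0) <= ev["ts"] - t <= window for t in reuse_times[ev["user"]]):
                alerts.append({"rule": "forwarding_rule_after_session_reuse", "user": ev["user"],
                               "forward_to": ev["forward_to"], "ip": ev["ip"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_theft(parse_log(SAMPLE_LOG)):
        print(alert)
```

Bob's events are the benign control: the same session from one IP, a later sign-in satisfied by the token from that same IP, and a rule with no forwarding address produce no alerts, while Alice's sequence trips all three rules. In production the first rule wants an exception list for corporate VPN egress changes, and the second is the one to prioritise, since it fires on the very first request the attacker makes with the stolen cookie.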
6. Keep Your Browser and OS Updated
Modern browsers ship phishing and malicious-site blocklists, warn about lookalike and newly registered domains, and tighten how cookies and credentials are handled across sites. Certificate checks will not help here, because the proxy presents a valid certificate for its own domain. Keeping your browser and operating system up to date ensures you benefit from the latest protections, including blocklist entries for phishing domains reported after your last update.
The Passkey Advantage
Passkeys and FIDO2 security keys stop AitM attacks at the protocol level. Because each authentication assertion is cryptographically scoped to a specific website domain, a phishing proxy on a different domain simply cannot obtain a valid assertion to relay. If your accounts support passkeys, enabling them is the single most impactful step you can take to protect against this threat. Where the service allows it, also remove or restrict weaker fallback methods such as SMS codes; otherwise a phishing page can steer you to the fallback and the passkey never gets a chance to protect you.
Reduce Your Attack Surface
AitM attacks often start with targeted phishing — and the more personal information about you that is publicly available, the more convincing those phishing emails can be. When attackers know your employer, your role, the services you use, and your email address, they can craft highly personalized lures that are difficult to distinguish from legitimate messages.
PrivacyOn helps reduce your exposure by automatically removing your personal information from over 100 data broker sites that make your data publicly available. With 24/7 monitoring for re-listings, dark web monitoring for compromised credentials, and family plans covering up to 5 people starting at $8.33/month, PrivacyOn makes it significantly harder for attackers to gather the information they need to target you with convincing AitM phishing campaigns.