Attacker-in-the-Middle (AitM) phishing
Summary
MFA-bypassing Attacker-in-the-Middle (AitM) phishing kits are now the default tooling for credential phishing. Rather than just collecting a password, the kit acts as a reverse proxy: the phishing site relays every request and response between the victim's browser and the real login page, so the victim enters their password, completes the MFA prompt and lands in a working session, while the kit captures the session cookie or token the real site issues once MFA is complete. The attacker then replays that cookie from their own browser and is signed in without ever being challenged for MFA again, hence "Attacker-in-the-Middle". This defeats MFA methods that are not bound to the site the user is actually on (SMS and TOTP codes, push approvals); FIDO2/WebAuthn and passkeys resist it because the authenticator signs the origin the browser is really talking to, and the real site rejects an assertion signed for the phishing domain.
Attackers use both criminal phishing-as-a-service platforms and commodity, publicly available kits like Evilginx.
There are a few variations of AitM, including Browser-in-the-Middle (BitM), which uses remote desktop technologies like VNC and RDP to present the attacker's own browser to the victim, who is tricked into authenticating directly inside it; the authenticated session then never leaves the attacker's machine.
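To make the relay mechanism concrete, the following Python simulation (added here; it is not code from this page, from Evilginx, or from any real kit) plays both roles in one process: a toy identity provider and a reverse-proxy phishing kit sitting between it and the victim's browser. The hostnames, the user and the secrets are made up. The first scenario relays a password plus one-time code and shows the attacker ending up with a session cookie the real site accepts; the second runs the same relay against a WebAuthn-style login, where the browser signs the origin it is actually on, so the real site rejects the relayed assertion and editing the origin breaks the signature.

```python
"""Simulated Attacker-in-the-Middle relay. Added illustration: not code from the
page, from Evilginx or from any real kit. RealSite stands in for the legitimate
IdP, AitmProxy for the phishing kit; hosts, users and secrets are made up."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

REAL_HOST = "login.example-idp.test"       # hypothetical legitimate IdP
PHISH_HOST = "login.example-idp-sso.test"  # hypothetical lookalike domain
USERS = {"alice": {"password": "hunter2", "otp": "492817", "cred_key": b"k" * 32}}

@dataclass
class HttpMessage:
    headers: dict
    body: dict
    set_cookie: dict = field(default_factory=dict)

def _sign(cred_key, client_data):
    """Simplified authenticator: HMAC over sha256(clientDataJSON) stands in for
    the credential's public-key signature."""
    digest = hashlib.sha256(client_data.encode()).digest()
    return hmac.new(cred_key, digest, hashlib.sha256).hexdigest()

class RealSite:
    """Toy IdP: password + one-time code, or WebAuthn, then a bearer cookie."""

    def __init__(self):
        self.sessions = set()

    def _issue_session(self):
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return HttpMessage({}, {"ok": True}, {"SESSION": token, "Domain": REAL_HOST})

    def login(self, req):
        u = USERS.get(req.body.get("user"))
        if req.headers.get("Host") != REAL_HOST or u is None:
            return HttpMessage({}, {"error": "bad request"})
        if u["password"] != req.body.get("password") or u["otp"] != req.body.get("otp"):
            return HttpMessage({}, {"error": "auth failed"})
        return self._issue_session()  # MFA satisfied; this cookie is what the kit wants

    def webauthn_login(self, req, expected_challenge):
        """Phishing-resistant path: the browser signs clientDataJSON, which
        records the origin it is actually on, and the RP checks that origin."""
        u = USERS.get(req.body.get("user"))
        if u is None:
            return HttpMessage({}, {"error": "bad request"})
        client_data = req.body["clientDataJSON"]
        if not hmac.compare_digest(_sign(u["cred_key"], client_data), req.body["signature"]):
            return HttpMessage({}, {"error": "bad signature"})
        parsed = json.loads(client_data)
        if parsed["challenge"] != expected_challenge or parsed["origin"] != f"https://{REAL_HOST}":
            return HttpMessage({}, {"error": "origin or challenge mismatch"})
        return self._issue_session()

class AitmProxy:
    """The phishing kit: forwards the victim's traffic to the real site with the
    Host header rewritten, and keeps any session cookie that comes back."""

    def __init__(self):
        self.harvested = []

    def relay(self, victim_req, handler):
        forwarded = HttpMessage(dict(victim_req.headers, Host=REAL_HOST), dict(victim_req.body))
        resp = handler(forwarded)
        if "SESSION" in resp.set_cookie:
            self.harvested.append(resp.set_cookie["SESSION"])
            resp.set_cookie["Domain"] = PHISH_HOST  # so the victim's browser stores it too
        return resp

def make_assertion(origin, challenge, cred_key):
    """What the victim's browser produces: clientDataJSON names the page origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True)
    return {"clientDataJSON": client_data, "signature": _sign(cred_key, client_data)}

def otp_scenario():
    """Password + OTP relayed: the victim logs in and the attacker holds a
    session the real site accepts, with no further MFA prompt."""
    site, proxy = RealSite(), AitmProxy()
    victim = HttpMessage({"Host": PHISH_HOST},
                         {"user": "alice", "password": "hunter2", "otp": "492817"})
    resp = proxy.relay(victim, site.login)
    return {"victim_logged_in": resp.body.get("ok") is True,
            "attacker_session_valid": proxy.harvested[0] in site.sessions}

def webauthn_scenario():
    """Same relay against WebAuthn: the signed origin is the phishing domain."""
    site, proxy = RealSite(), AitmProxy()
    challenge = secrets.token_hex(16)  # issued by the RP, passed through by the kit
    body = {"user": "alice",
            **make_assertion(f"https://{PHISH_HOST}", challenge, USERS["alice"]["cred_key"])}
    relayed = proxy.relay(HttpMessage({"Host": PHISH_HOST}, body),
                          lambda r: site.webauthn_login(r, challenge))
    # If the kit edits the origin to look legitimate, the signature no longer verifies.
    tampered = dict(body, clientDataJSON=body["clientDataJSON"].replace(PHISH_HOST, REAL_HOST))
    fixed = site.webauthn_login(HttpMessage({"Host": REAL_HOST}, tampered), challenge)
    return {"relayed_error": relayed.body.get("error"),
            "tampered_error": fixed.body.get("error"), "harvested": len(proxy.harvested)}

if __name__ == "__main__":
    print(otp_scenario(), webauthn_scenario())
```

The design point is in `relay`: the kit never needs to break anything, it only rewrites the `Host` header on the way in and the cookie `Domain` on the way out, and the cookie it stores is already post-MFA. The WebAuthn path fails for the same structural reason the OTP path succeeds: the kit can forward bytes it cannot change, and the origin is one of those bytes.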
Examples
- Example 1: How phishing kits are evolving with AitM — Evilginx demo
- Example 2: Analysis of NakedPages AitM kit — Part 1, Part 2
- Example 3: Scattered Spider use of AitM phishing — 1, 2
- Example 4: 2025 surge in Tycoon 2FA attacks
- Example 5: EvilProxy BEC attack results in redirecting large financial transaction
- Example 6: AitM attack on Mailchimp
- Example 7: AitM attack on Onfido