Session theft
Summary
The primary objective of modern phishing attacks is to steal an authenticated user session on a target app (by capturing its session token) and then use that session to access the app. This allows the attacker to achieve their attack objectives within the app, or to use the compromised account as a staging platform to establish persistent access to the app, elevate privileges within the app, and move laterally to other apps — see the SaaS attacks matrix for more information.
Examples
- Example 1: How phishing kits are evolving with AitM — Evilginx demo
- Example 2: Analysis of NakedPages AitM kit — Part 1, Part 2
- Example 3: Scattered Spider use of AitM phishing — 1, 2
- Example 4: 2025 surge in Tycoon 2FA attacks
- Example 5: EvilProxy BEC attack results in redirecting large financial transaction
- Example 6: AitM attack on Mailchimp
- Example 7: AitM attack on Onfido