AiTM Phishing Walks Past Your MFA. Here Is What Actually Stops It.
Threat Intelligence
Adversary-in-the-middle phishing kits like Tycoon and EvilProxy are the dominant credential-theft pattern in 2026, and standard TOTP MFA does nothing against them. The fix is phishing-resistant authentication, not more user training.
By Arjun Raghavan, Security & Systems Lead, BIPI · May 12, 2026 · 8 min read
Most of the credential-theft incidents we have responded to in the last twelve months had MFA enabled on the compromised account. The user did not approve a fraudulent push. The TOTP code was not shared in plaintext. The account had a strong password and second-factor protection, and the attacker still walked in and stole the session. The vector, almost every time, was AiTM phishing.
Adversary-in-the-middle phishing is not new. What changed in 2025 and 2026 is that the kits became commodity. Tycoon 2FA, EvilProxy, Mamba, and a handful of newer entrants are sold on Telegram for under USD 300 per month, with hosting and templates included. Anyone who wants to phish your Microsoft 365 or Google Workspace tenant has the tooling. The defender posture has not kept pace.
What AiTM actually does
An AiTM kit is a reverse proxy that sits between the user and the real authentication endpoint. The user clicks a phishing link, lands on a page that looks identical to the Microsoft sign-in flow, types their email, password, and TOTP code. Every keystroke is forwarded to the legitimate Microsoft endpoint in real time. Microsoft sees a valid login, issues a session cookie, and the proxy steals that cookie before it ever reaches the user's browser.
From Microsoft's perspective the login looks legitimate. The IP geolocation might be off, but if the kit uses a residential proxy in the user's country, even that signal is gone. The user thinks they logged in, sees an error, and moves on with their day. The attacker now has a valid session token they can replay from anywhere.
Push-notification MFA, SMS, and TOTP all proxy cleanly. The kit just relays the second factor like it relays the password.
Why the standard advice does not work
When a CISO discovers AiTM has hit them, the first instinct is more user training. We have watched companies roll out three rounds of phishing simulations in six months and still get phished by AiTM. The reason is structural. The phishing page renders perfectly because it is the real page, proxied. Users have no visual signal to detect that anything is wrong. Asking them to be more vigilant is asking them to detect a server-side attack from the client side.
The other common reflex is to push number-matching MFA. Microsoft made this the default in 2023. AiTM kits adapted within weeks. The kit displays the matching number on its own page, the user types it in, the kit forwards it to the real endpoint. Number-matching reduces accidental approval but does nothing against a proxy attack where the user is intentionally completing the flow.
What actually works
- Phishing-resistant authentication. FIDO2 security keys (YubiKey, Titan) and platform passkeys are cryptographically bound to the legitimate origin. The browser refuses to send the credential to a phishing domain, even if the user is willing. This is the only true fix.
- Conditional access policies that require a compliant device. If session cookies can only be used from devices enrolled in your MDM, a stolen cookie from an attacker's machine fails to authenticate. Microsoft Entra and Google's Chrome Enterprise both support this.
- Session token binding. Newer Microsoft tenants can bind session tokens to specific devices via continuous access evaluation. A token issued to one device cannot be replayed elsewhere.
- Aggressive token lifetime reduction for high-privilege accounts. Default Microsoft refresh tokens last 90 days. For admins, drop that to 1 hour with continuous access evaluation enabled.
- Detection rules that flag impossible-velocity sign-ins, new-country sign-ins from privileged accounts, and OAuth app consent grants from non-admin users.
Detecting AiTM after the fact
If phishing-resistant auth is not yet rolled out, you are relying on detection. The good news is AiTM has fingerprints. The session cookie is replayed from a different IP than the original login, often within minutes. The user-agent strings are usually pristine, but the JA3/JA4 TLS fingerprints differ from those of a real browser. Microsoft Defender for Cloud Apps and similar tools can flag the anomaly if you are paying attention.
We have seen the same pattern often enough that we now build a default detection: any sign-in followed within 30 minutes by token usage from a different country, with the same session ID, raises a P1 alert. The false positive rate is below 5 percent, and the rule has caught three confirmed AiTM compromises in the last quarter alone.
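The 30-minute rule above, as an added example that is not the article's or any vendor's detection code, run over a few constructed sign-in events; the field names are assumptions, and the sample also covers out-of-order events and a repeated use of an already-alerted session, which the prose does not spell out.

```javascript
// Added example of the 30-minute cross-country session-replay rule; not the article's
// or any vendor's detection code. Field names and all events below are constructed.
const WINDOW_MS = 30 * 60 * 1000;

// Constructed sample events: an interactive sign-in followed by later uses of the
// same session. Real Entra sign-in logs use different field names.
const SAMPLE_EVENTS = [
  { ts: "2026-05-11T09:00:00Z", user: "a.kumar", sessionId: "s-1", type: "signin",    country: "IN", ip: "203.0.113.10" },
  { ts: "2026-05-11T09:07:00Z", user: "a.kumar", sessionId: "s-1", type: "token-use", country: "NL", ip: "198.51.100.7" },
  { ts: "2026-05-11T10:45:00Z", user: "b.nair",  sessionId: "s-2", type: "token-use", country: "NL", ip: "198.51.100.8" }, // 45 min later: outside window
  { ts: "2026-05-11T10:00:00Z", user: "b.nair",  sessionId: "s-2", type: "signin",    country: "IN", ip: "203.0.113.11" }, // arrives out of order
  { ts: "2026-05-11T11:00:00Z", user: "c.rao",   sessionId: "s-3", type: "signin",    country: "IN", ip: "203.0.113.12" },
  { ts: "2026-05-11T11:05:00Z", user: "c.rao",   sessionId: "s-3", type: "token-use", country: "IN", ip: "203.0.113.12" }, // same country: no alert
  { ts: "2026-05-11T09:12:00Z", user: "a.kumar", sessionId: "s-1", type: "token-use", country: "NL", ip: "198.51.100.7" }, // second use: one alert only
];

// Returns one P1 alert per session whose token is used from a different country than
// its sign-in within windowMs. Events may arrive out of order, so they are sorted first.
function detectSessionReplay(events, windowMs = WINDOW_MS) {
  const sorted = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  const signins = new Map();   // sessionId -> most recent interactive sign-in
  const alerted = new Set();   // sessionIds already raised, to avoid duplicate alerts
  const alerts = [];
  for (const e of sorted) {
    if (e.type === "signin") { signins.set(e.sessionId, e); continue; }
    if (e.type !== "token-use" || alerted.has(e.sessionId)) continue;
    const s = signins.get(e.sessionId);
    if (!s) continue;                      // no sign-in seen yet for this session
    const deltaMin = (Date.parse(e.ts) - Date.parse(s.ts)) / 60000;
    if (deltaMin <= windowMs / 60000 && e.country !== s.country) {
      alerted.add(e.sessionId);
      alerts.push({ severity: "P1", user: e.user, sessionId: e.sessionId, signinCountry: s.country,
                    useCountry: e.country, signinIp: s.ip, useIp: e.ip, minutesAfter: deltaMin });
    }
  }
  return alerts;
}

function runSample() {
  return detectSessionReplay(SAMPLE_EVENTS);
}
```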
Closing
AiTM is the new normal for credential theft. The kits are cheap, the technique is mature, and the defenses most companies have rolled out do not address it. If your MFA story still ends at TOTP and push notifications, you are not protected. Phishing-resistant authentication is the only durable answer, and the longer that rollout is delayed, the more sessions get stolen in the meantime.