MFA Is No Longer Enough — And I've Seen the Proof
Adversary-in-the-Middle (AiTM) phishing attacks bypass MFA by capturing authenticated session cookies after a user successfully completes multi-factor authentication. The attacker replays the stolen token to access Microsoft 365 without ever needing the MFA code themselves.
I've spent years in the cybersecurity space, and I'll be honest — there was a time when I felt confident telling clients that enforcing Multi-Factor Authentication was the single most impactful step they could take to protect their Microsoft 365 environments. That advice wasn't wrong then. But the threat landscape has shifted beneath our feet, and I think it's time we have a candid conversation about what's actually happening out there.
What is an AiTM phishing attack?
An Adversary-in-the-Middle (AiTM) attack deploys a live reverse proxy between the victim and the real Microsoft 365 login page. The user goes through the entire authentication process — password, MFA prompt, the works — and genuinely believes they've signed in securely. What they don't know is that every step passed through an attacker's server, which silently captured the authenticated session cookie the moment Microsoft issued it. The attacker then replays that cookie to log in as the victim. No MFA required.
How AiTM session hijacking works — step by step
1. User receives a convincing phishing email with a malicious link.
2. The link routes through an attacker-controlled reverse proxy that mirrors the real Microsoft 365 login page.
3. User enters credentials and completes MFA — legitimately.
4. Microsoft issues an authenticated session cookie. The proxy intercepts it in real time.
5. Attacker replays the stolen cookie to access the account — no MFA prompt triggered.
Why traditional security tools miss these attacks
What frustrates me professionally is how poorly equipped most traditional security stacks are to catch this. These attacks frequently use valid HTTPS certificates, mirror legitimate Microsoft branding, and generate activity that looks entirely normal to legacy SIEM tools. The authentication was legitimate — it was just intercepted. Basic email filtering doesn't block a real-looking proxy page. Standard MFA enforcement doesn't help once the session cookie has already been issued. Proofpoint's 2025 research identified eleven distinct AiTM phishing kits actively targeting Microsoft 365 and Google accounts globally — platforms like Tycoon 2FA that are sold as subscription services on Telegram, requiring minimal technical skill to deploy.
What happens after a Microsoft 365 account is compromised via AiTM?
Once attackers hold a valid session cookie, they gain persistent access to Exchange Online, SharePoint, OneDrive, and connected SaaS applications. Common follow-on activity includes internal phishing campaigns, Business Email Compromise (BEC), bulk data exfiltration, creation of new OAuth apps for persistent access, and in the most severe cases, ransomware deployment.
What actually stops an AiTM attack
Catching these attacks requires correlating signals that no single tool sees in isolation. A login from an unusual geography, paired with a mailbox rule created seconds later, an OAuth application the user has never authorized, and a bulk SharePoint download at 2 AM — none of those events alone trips an alarm. Together, they paint a clear picture of compromise.
At XeneX SOC, the platform I operate on was built precisely for this threat environment. Rather than relying on isolated alerts, it continuously correlates identity telemetry, endpoint behavior, email events, network anomalies, and cloud authentication patterns in real time. When a compromised session surfaces — even after a valid MFA completion — behavioral indicators like impossible travel, abnormal token reuse, or unauthorized OAuth activity can trigger automated response within seconds: account suspension, active session revocation, administrator notification, all while a human analyst validates the finding to minimize disruption.
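To make that correlation concrete, here is an added Python example that is not XeneX's code and not part of the original post. It groups a few constructed Microsoft 365 audit events per user, checks each sign-in against a per-user country baseline, collects the follow-on signals the two paragraphs above describe (inbox rule, OAuth consent, bulk download) inside a time window, and returns a finding with the containment steps listed above. The simplified event shape, the baseline countries, the one-hour window, the 100-file download threshold and the two-signal alerting floor are all assumptions chosen for illustration.

```python
"""Correlate Microsoft 365 audit signals per user inside a time window.

Illustrative detection logic, not a vendor implementation. One finding is
raised per sign-in that is followed, within WINDOW, by at least
ALERT_MIN_SIGNALS distinct compromise signals (the sign-in's own unusual
geography counts as one of them).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical per-user baseline: countries seen in that user's normal sign-ins.
KNOWN_COUNTRIES = {
    "alice@example.test": {"US"},
    "bob@example.test": {"US"},
}

# Constructed sample events in a simplified unified-audit-log shape
# (ts, user, op, plus an op-specific detail field). Not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T02:01:10Z", "user": "alice@example.test", "op": "UserLoggedIn", "country": "NL"},
    {"ts": "2025-03-04T02:01:55Z", "user": "alice@example.test", "op": "New-InboxRule", "rule": "MoveToFolder=RSS Subscriptions"},
    {"ts": "2025-03-04T02:03:30Z", "user": "alice@example.test", "op": "Consent to application.", "app": "Mail Sync Helper"},
    {"ts": "2025-03-04T02:10:00Z", "user": "alice@example.test", "op": "FileDownloaded", "count": 450},
    {"ts": "2025-03-04T09:15:00Z", "user": "bob@example.test", "op": "UserLoggedIn", "country": "US"},
    {"ts": "2025-03-04T09:16:00Z", "user": "bob@example.test", "op": "New-InboxRule", "rule": "MoveToFolder=Receipts"},
]

WINDOW = timedelta(minutes=60)        # assumed correlation window after a sign-in
BULK_DOWNLOAD_THRESHOLD = 100         # assumed file count that counts as "bulk"
ALERT_MIN_SIGNALS = 2                 # assumed number of distinct signals needed


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def signals_for_event(ev, user_baseline):
    """Map one event to a signal name, or None if it is not suspicious on its own."""
    op = ev["op"]
    if op == "UserLoggedIn" and ev.get("country") not in user_baseline:
        return "unusual_geography"
    if op == "New-InboxRule":
        return "inbox_rule_created"
    if op == "Consent to application.":
        return "oauth_consent"
    if op == "FileDownloaded" and ev.get("count", 0) >= BULK_DOWNLOAD_THRESHOLD:
        return "bulk_download"
    return None


def response_for(signals):
    """Containment steps in the order an automated playbook would queue them;
    the disruptive ones are meant to wait for analyst confirmation."""
    steps = ["notify_administrator", "revoke_active_sessions"]
    if len(signals) >= 3:
        steps.append("suspend_account")
    if "oauth_consent" in signals:
        steps.append("review_and_remove_oauth_grant")
    if "inbox_rule_created" in signals:
        steps.append("remove_inbox_rule")
    return steps


def correlate(events, baselines=KNOWN_COUNTRIES):
    """Return a list of findings, one per sign-in whose trailing window holds
    at least ALERT_MIN_SIGNALS distinct signals."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # same-length ISO strings sort chronologically
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        baseline = baselines.get(user, set())
        for i, ev in enumerate(evs):
            if ev["op"] != "UserLoggedIn":
                continue
            start = parse_ts(ev["ts"])
            signals = set()
            for later in evs[i:]:                       # the sign-in itself is included
                if parse_ts(later["ts"]) - start > WINDOW:
                    break
                sig = signals_for_event(later, baseline)
                if sig:
                    signals.add(sig)
            if len(signals) >= ALERT_MIN_SIGNALS:
                findings.append({
                    "user": user,
                    "login_ts": ev["ts"],
                    "signals": sorted(signals),
                    "response": response_for(signals),
                })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

Run against the sample set, alice's sign-in from outside her baseline, followed by an inbox rule, an OAuth consent and a 450-file download inside the hour, produces one finding with all four signals and a suspend step queued; bob's inbox rule after a sign-in from his usual country is a single signal and stays below the alerting floor, which is the point of correlating rather than alerting on each event alone.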
The bottom line: identity is the new perimeter
The uncomfortable truth I share with every CISO I meet is this — MFA is necessary, but it is no longer sufficient. Attackers have moved from breaking in to logging in, using stolen sessions and trusted identities rather than malware. Microsoft's own research confirms this shift is accelerating. The organizations that weather this threat will be those investing in continuous behavioral monitoring and AI-driven cross-correlation, not those checking the MFA box and moving on. The adversaries have already adapted. It's time our defenses do too.