{"id":6518,"date":"2025-08-29T10:03:38","date_gmt":"2025-08-29T10:03:38","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/08\/29\/how-adversary-in-the-middle-aitm-attack-bypasses-mfa-and-edr\/"},"modified":"2025-08-29T10:03:38","modified_gmt":"2025-08-29T10:03:38","slug":"how-adversary-in-the-middle-aitm-attack-bypasses-mfa-and-edr","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/08\/29\/how-adversary-in-the-middle-aitm-attack-bypasses-mfa-and-edr\/","title":{"rendered":"How Adversary-In-The-Middle (AiTM) Attack Bypasses MFA and EDR?"},"content":{"rendered":"

How Adversary-In-The-Middle (AiTM) Attack Bypasses MFA and EDR?
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Adversary-in-the-Middle (AiTM) attacks are among the most sophisticated and dangerous phishing techniques in the modern cybersecurity landscape.<\/p>\n

Unlike traditional phishing attacks that merely collect static credentials, AiTM attacks actively intercept and manipulate communications between users and legitimate services in real-time, enabling attackers to bypass multi-factor authentication<\/a> (MFA) and evade endpoint detection and response (EDR)<\/a> systems.<\/p>\n

These attacks have surged in popularity as organizations increasingly adopt MFA protections, with Microsoft reporting that AiTM phishing campaigns have targeted over 10,000 organizations globally. <\/p>\n

The emergence of phishing-as-a-service <\/a>(PhaaS) platforms like Tycoon 2FA and Evilginx2 has industrialized these attacks, lowering the technical barrier for cybercriminals and making sophisticated AiTM capabilities accessible through subscription models starting at just $120.<\/p>\n

\n
\"AiTM
AiTM Attack Flow Process.<\/figcaption><\/figure>\n<\/div>\n

Introduction to AiTM Attacks<\/strong><\/h2>\n

Adversary-in-the-Middle attacks fundamentally differ from traditional man-in-the-middle<\/a> (MitM) attacks through their active manipulation and sophisticated orchestration of authentication processes. <\/p>\n

While traditional MitM attacks often focus on passive eavesdropping, AiTM attacks involve attackers positioning themselves as active intermediaries between victims and legitimate services, using reverse proxy servers to create seamless, real-time communication channels.<\/a><\/p>\n

The technical foundation of AiTM attacks<\/a> relies on reverse proxy architecture, where attackers deploy servers that act as intermediaries between victims and legitimate authentication portals. <\/p>\n

This approach allows attackers to present users with authentic-looking login pages that are actually legitimate pages served through the malicious proxy, making detection extremely difficult.<\/a><\/p>\n

Modern AiTM toolkits leverage sophisticated technologies, including WebSocket connections for real-time bidirectional communication, automated SSL certificate generation through services like Let\u2019s Encrypt, and advanced cloaking mechanisms using tokenized URLs to evade detection.<\/p>\n

When a victim attempts to access a service like Microsoft 365<\/a> or Gmail, the AiTM proxy intercepts the request, forwards it to the legitimate service, captures the response, and relays it back to the victim while simultaneously harvesting all authentication data in transit. <\/p>\n

The most prominent open-source AiTM frameworks include Evilginx2<\/a>, Muraena, and Modlishka, each offering unique capabilities for credential harvesting and session hijacking.<\/p>\n

These tools have evolved to include features such as multi-domain hosting, custom branding integration, and advanced evasion techniques that make them particularly effective against modern security measures.<\/p>\n

\n
\"AiTM
AiTM Attack Architecture.<\/figcaption><\/figure>\n<\/div>\n

\n<\/a>The Role of MFA in Modern Security<\/strong>
\n<\/h2>\n

Multi-factor authentication has become the cornerstone of modern cybersecurity strategies, with Microsoft blocking over 7,000 password attacks per second, representing a 75% year-over-year increase. <\/p>\n

MFA implementations typically require users to provide something they know (password), something they have (mobile device or hardware token), or something they are (biometric data). <\/p>\n

Traditional MFA methods include SMS codes, push notifications, authenticator apps generating time-based one-time passwords (TOTP), and hardware security keys.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n\n
MFA Method<\/th>\nAuthentication Factor<\/th>\nAdoption Rate<\/th>\nAiTM Vulnerability<\/th>\nTraditional Security Level<\/th>\nCommon Bypass Methods<\/th>\n<\/tr>\n<\/thead>\n
SMS Codes (SMS OTP)<\/td>\nSomething you have<\/td>\nHigh (60%+)<\/td>\nHigh \u2013 Easily intercepted<\/td>\nLow<\/td>\nSIM swapping, SS7 attacks<\/td>\n<\/tr>\n
Push Notifications<\/td>\nSomething you have<\/td>\nHigh (50%+)<\/td>\nHigh \u2013 Tokens stolen post-auth<\/td>\nMedium-High<\/td>\nPush fatigue, device compromise<\/td>\n<\/tr>\n
Authenticator Apps (TOTP)<\/td>\nSomething you have<\/td>\nMedium (35%+)<\/td>\nHigh \u2013 Codes relayed in real-time<\/td>\nHigh<\/td>\nDevice compromise, phishing<\/td>\n<\/tr>\n
Hardware Security Keys (FIDO2)<\/td>\nSomething you have<\/td>\nLow (15%+)<\/td>\nMedium \u2013 Session tokens still stolen<\/td>\nVery High<\/td>\nSession token theft (AiTM only)<\/td>\n<\/tr>\n
Voice Calls<\/td>\nSomething you have<\/td>\nMedium (25%+)<\/td>\nHigh \u2013 Codes intercepted<\/td>\nLow<\/td>\nVoice phishing, call forwarding<\/td>\n<\/tr>\n
Email OTP<\/td>\nSomething you have<\/td>\nMedium (30%+)<\/td>\nHigh \u2013 Easily intercepted<\/td>\nLow-Medium<\/td>\nEmail compromise, phishing<\/td>\n<\/tr>\n
Biometric Authentication<\/td>\nSomething you are<\/td>\nGrowing (20%+)<\/td>\nMedium \u2013 Session tokens stolen<\/td>\nVery High<\/td>\nSession token theft<\/td>\n<\/tr>\n
Certificate-based Authentication<\/td>\nSomething you have<\/td>\nLow (10%+)<\/td>\nMedium \u2013 Certificates bypassed<\/td>\nVery High<\/td>\nSession token theft, cert theft<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

<\/a>The security model of MFA relies on the assumption that compromising multiple authentication factors simultaneously is significantly more difficult than bypassing a single password. <\/p>\n

However, this assumption breaks down in the face of AiTM attacks, which don\u2019t need to compromise individual factors but instead exploit the trust relationship established after successful authentication. <\/p>\n

When users complete the MFA challenge through an AiTM proxy, they unknowingly provide attackers with both their credentials and the session tokens issued by the legitimate service.<\/a><\/p>\n

How AiTM Attack Bypasses MFA and EDR<\/strong><\/h2>\n

The MFA bypass mechanism in AiTM attacks operates through session token theft rather than authentication factor compromise. When victims interact with an AiTM phishing page, they complete the entire authentication process, including MFA challenges, but all communications pass through the attacker\u2019s proxy server.<\/p>\n

The proxy<\/a> forwards the user\u2019s credentials and MFA responses to the legitimate service, which then issues session cookies and authentication tokens back through the proxy. <\/p>\n

The attacker captures these tokens while allowing the authentication to complete successfully, creating a scenario where the victim believes they\u2019ve securely logged in while the attacker has gained persistent access to their account.<\/a><\/p>\n

Session tokens, particularly Primary Refresh Tokens (PRTs) in Microsoft environments, can provide extended access lasting 30 days or more if kept active. <\/p>\n

These tokens contain cryptographic proof of successful authentication and can be replayed by attackers to access accounts without triggering additional MFA challenges. <\/p>\n

The sophistication of modern AiTM kits like Tycoon 2FA<\/a> includes features for session token management, automatic token refresh, and persistence mechanisms that allow attackers to maintain access even after password changes.<\/a><\/p>\n

EDR evasion in AiTM attacks occurs through several mechanisms that exploit fundamental limitations in endpoint monitoring. Traditional EDR solutions focus on detecting malicious processes, file modifications, and network connections originating from the endpoint itself. <\/p>\n

However, AiTM attacks primarily occur server-side, where the malicious proxy operates independently of the victim\u2019s endpoint. The victim\u2019s device only interacts with what appears to be legitimate web traffic to authentic domains, making the malicious activity invisible to endpoint-based detection systems.<\/a><\/p>\n

Advanced AiTM campaigns employ sophisticated evasion techniques, including code obfuscation using Base64 encoding, dynamic code generation that alters signatures with each execution, and anti-debugging<\/a> mechanisms designed to frustrate automated analysis.<\/p>\n

These techniques specifically target the static and behavioral analysis capabilities of EDR systems. Additionally, attackers abuse legitimate services like CodeSandbox, Glitch, and Notion as redirect mechanisms, leveraging the trust these domains have with security systems to bypass URL filtering and reputation-based blocking.<\/a><\/p>\n

The use of living-off-the-land techniques further complicates EDR<\/a> detection, as AiTM attacks often rely on standard web protocols and legitimate authentication flows.<\/p>\n

Attackers may also implement EDR communication blocking techniques, using tools like Windows Filtering Platform (WFP) to prevent EDR agents from communicating with their cloud infrastructure, effectively blinding the security solution to ongoing malicious activities.<\/a><\/p>\n

Indicators of AiTM Attacks<\/strong><\/h2>\n

Authentication log analysis reveals several key indicators of AiTM activity, with impossible travel being among the most reliable signals. When attackers use stolen session tokens, they often authenticate from geographic locations that would be impossible for the legitimate user to reach within the observed timeframe. <\/p>\n

Microsoft\u2019s delayed logging can complicate this analysis, as some authentication events may take up to 20 hours to appear in audit logs, making real-time detection challenging.<\/p>\n

Multiple rapid sign-ins from different locations within short timeframes, particularly when accompanied by successful MFA completion, often indicate session token replay attacks.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Category<\/th>\nIndicator<\/th>\nDescription<\/th>\nMITRE_ATT&CK<\/th>\n<\/tr>\n<\/thead>\n
Authentication Logs<\/td>\nImpossible Travel<\/td>\nUser authentication from geographically impossible locations within short timeframes<\/td>\nT1078.004<\/td>\n<\/tr>\n
Authentication Logs<\/td>\nMultiple Rapid Sign-ins<\/td>\nMultiple successful authentications from different locations in rapid succession<\/td>\nT1078.004<\/td>\n<\/tr>\n
Authentication Logs<\/td>\nSession Token Anomalies<\/td>\nAuthentication without password entry or MFA prompts in logs<\/td>\nT1078.004<\/td>\n<\/tr>\n
Network Indicators<\/td>\nUnknown IP Addresses<\/td>\nSign-ins from previously unseen IP addresses or suspicious ASNs<\/td>\nT1557<\/td>\n<\/tr>\n
Network Indicators<\/td>\nSuspicious Domains<\/td>\nConnections to domains mimicking legitimate services or suspicious TLDs<\/td>\nT1557<\/td>\n<\/tr>\n
User Behavior<\/td>\nMailbox Rule Creation<\/td>\nCreation of inbox rules to hide or redirect emails, especially with random names<\/td>\nT1564.008<\/td>\n<\/tr>\n
User Behavior<\/td>\nEmail Forwarding Rules<\/td>\nNew forwarding rules redirecting emails to external addresses<\/td>\nT1114.003<\/td>\n<\/tr>\n
Email Indicators<\/td>\nPhishing Email Patterns<\/td>\nEmails from trusted senders with suspicious links or urgent language<\/td>\nT1566.002<\/td>\n<\/tr>\n
Email Indicators<\/td>\nLegitimate Service Abuse<\/td>\nAbuse of legitimate services like CodeSandbox, Glitch, or Notion for redirection<\/td>\nT1566.002<\/td>\n<\/tr>\n
Technical Artifacts<\/td>\nReverse Proxy Artifacts<\/td>\nWebSocket connections, specific HTTP headers, or proxy-related network signatures<\/td>\nT1557<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

The evolution of AiTM attacks from simple credential harvesting to sophisticated, service-oriented attack platforms represents a fundamental shift in the threat landscape that requires equally sophisticated defense strategies. <\/p>\n

Organizations must recognize that traditional perimeter defenses and even MFA are insufficient against these advanced persistent threats, necessitating comprehensive security architectures that include behavioral analytics, session token protection, and continuous authentication mechanisms to counter this growing menace effectively.<\/p>\n

Find this Story Interesting! Follow us on\u00a0LinkedIn<\/a>\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n

<\/a><\/p>\n

The post How Adversary-In-The-Middle (AiTM) Attack Bypasses MFA and EDR?<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Guru Baran
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

How Adversary-In-The-Middle (AiTM) Attack Bypasses MFA and EDR? Adversary-in-the-Middle (AiTM) attacks are among the most sophisticated and dangerous phishing techniques in the modern cybersecurity landscape. Unlike traditional phishing attacks that merely collect static credentials, AiTM attacks actively intercept and manipulate communications between users and legitimate services in real-time, enabling attackers to bypass multi-factor authentication (MFA) […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1768,129,63,1499,705],"tags":[130],"class_list":["post-6518","post","type-post","status-publish","format-standard","hentry","category-aitm-attack","category-cyber-security","category-cyber-security-news","category-cybersecurity-research","category-edr","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6518"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=6518"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6518\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=6518"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=6518"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=6518"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}