AitM Attack: a modern and highly dangerous evolution of the classic MitM (man-in-the-middle)
The world of cybersecurity never sleeps, and threats evolve at a dizzying pace. If you thought traditional phishing was already a tremendous headache, get ready to meet an even more insidious and effective cyber threat.
We're talking about the AitM (Adversary-in-the-Middle) attack, a modern and highly dangerous evolution of the classic MitM (Man-in-the-Middle). Instead of simply cloning an old-fashioned login page, the cybercriminal literally places themselves in the middle of your real-time connection to a legitimate service.
What makes this scheme so frightening is its ability to bypass two-factor and multi-factor authentication (MFA). Attackers don't just want to discover your password; they want to hijack your validated session without you even realizing it.
How this silent assault works
In practice, in an AitM attack, the hacker sets up a malicious proxy server that acts as an invisible intermediary. When you click on a fraudulent link, your traffic is routed through this server before reaching its final destination, such as your bank or corporate email.
From your side, everything seems perfectly normal. The page loads, the design is correct, and there's no obvious reason to be suspicious. However, as you enter your data, the attacker is forwarding this information to the real server, capturing everything that travels in both directions.
The theft of your session and the MFA bypass
The true ingenuity of this attack is revealed in how it handles multi-factor authentication (MFA). When you enter the code received via SMS or generated in an app, the attacker passes this code directly to the real website.
As soon as the website validates the login and returns the precious session token (a cookie that tells your browser you are logged in), the attacker's server intercepts this token. With this key in hand, the hacker can access your account without needing passwords or new verification codes, assuming your digital identity.
Warning signs and courses of action
Although complex and invisible at first glance, these attacks leave some clues along the way. Most campaigns begin through fraudulent emails, suspicious SMS messages (smishing), or even manipulated QR codes (quishing) that send you straight into the proxy.
To avoid becoming the next victim, it is essential to keep an eye out for some technical and behavioral indicators. These are the main signs that you may be suffering from this type of attack:
URLs with suspicious patterns, small spelling errors, or strange subdomains that try to mimic the originals.
Security certificate warnings in your browser, indicating that the connection is not private.
Unexpected login requests, unusual delays during authentication, or repeated credential requests in the same session.
Unusual activity spikes recorded in account reports, such as sessions initiated from disparate geographical locations at the same time.
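The last indicator above, sessions for one account from far-apart locations within minutes of each other, is something a defender can check mechanically. The following is an added example (not code from the original article) that runs an "impossible travel" check over a few constructed sign-in records; the 900 km/h threshold and the sample coordinates are assumptions for the illustration.

```python
import math
from datetime import datetime

# Constructed sample sign-in records (not real data): user, UTC time, country, latitude, longitude.
SIGNINS = [
    ("alice", "2024-05-01T09:00:00", "PT", 38.72, -9.14),
    ("alice", "2024-05-01T09:03:00", "PT", 38.72, -9.14),
    ("alice", "2024-05-01T09:07:00", "NG", 6.52, 3.38),   # 4 minutes later, ~3,800 km away
    ("bob",   "2024-05-01T10:00:00", "PT", 41.15, -8.61),
    ("bob",   "2024-05-01T16:30:00", "DE", 52.52, 13.40), # 6.5 hours later: a plausible flight
]

MAX_PLAUSIBLE_KMH = 900  # assumed threshold: roughly airliner speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier_country, later_country, km, minutes) for each pair of
    consecutive sign-ins by the same user that would require travelling faster than max_kmh."""
    by_user = {}
    for user, ts, country, lat, lon in signins:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), country, lat, lon))
    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological order per user
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 3600)  # floor at one second
            if km / hours > max_kmh:
                alerts.append((user, c1, c2, round(km), round(hours * 60)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print("possible session hijack:", alert)
```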
How can you keep your security intact
Defending against a threat that lives in the middle of your connection requires tools that are smarter than the attacker. Physical hardware security keys that use FIDO2/WebAuthn are one of the most robust solutions: the browser binds the signed login response to the real domain (origin) of the site, so a login attempted through the proxy's domain simply fails.
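To make that domain binding concrete, here is an added example (not code from the original article) of the checks a relying party performs on a WebAuthn login response, written in Python with constructed values: the relying-party ID, origin and challenge are assumptions, the proxied origin is a placeholder, and the final signature check against the registered public key is left out.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                 # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # the only origin this RP accepts


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin, challenge, rp_id_seen_by_authenticator):
    """Constructed stand-in for what the browser and authenticator return (minus the signature).
    The browser, not the page, fills in 'origin', so a proxy cannot forge the real one."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    rp_id_hash = hashlib.sha256(rp_id_seen_by_authenticator.encode()).digest()
    auth_data = rp_id_hash + bytes([0x05]) + (0).to_bytes(4, "big")  # flags UP|UV, counter 0
    return client_data, auth_data


def verify_assertion(client_data_json, authenticator_data, issued_challenge):
    """Relying-party checks from the WebAuthn ceremony; returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"   # this is what defeats the proxy
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another domain"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def data_to_verify(authenticator_data, client_data_json):
    """Bytes the authenticator's signature must cover; clientDataJSON (with its origin)
    is hashed into it, so tampering with the origin also breaks the signature."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()
```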
Password managers remain excellent allies in this fight. Because they match the exact domain of the site, a manager simply refuses to auto-fill your data if the URL in the browser's address bar is not the one it saved, cutting the attack off at the root.
To complement these defenses, reinforcing your arsenal with a comprehensive protection suite ends up being the most logical step. Surfshark, for example, offers tools that go far beyond a simple VPN connection to hide your IP. Thanks to antimalware features, the service actively blocks dangerous domains and phishing attempts before the page even loads. If you end up clicking on that fraudulent link that starts the AitM scheme, the platform blocks the connection at the source, ensuring that your data never falls into the wrong hands.
What is an AiTM attack?
An Adversary-in-the-Middle (AiTM) attack is a phishing technique that uses a reverse proxy to intercept credentials and session tokens in real time. Unlike static phishing pages, AiTM actively relays traffic to the legitimate identity provider, allowing attackers to bypass multi-factor authentication (MFA) by capturing the authenticated session cookie.
The attack unfolds in three stages:
Luring and redirecting to a fake login. The attack begins with a phishing email designed to bypass standard filters and create a sense of urgency. Instead of a static attachment, the email contains a URL that directs the victim to the attacker's proxy server, rather than the legitimate service.
The reverse proxy steals credentials and session cookies. As soon as the user interacts with the fake website, the reverse proxy relays the entered information to the legitimate identity provider in real time. This "man-in-the-middle" position allows the attacker to capture not only the password, but also the multi-factor authentication (MFA) response and the resulting session cookie.
Account takeover and lateral movement. Possessing a valid session cookie, the attacker assumes the user's digital identity without triggering new multi-factor authentication (MFA) requests. This access is immediately exploited to establish persistence, such as creating mailbox rules to hide activities, or to perform lateral movements in critical systems, such as financial and cloud environments, for business email compromise (BEC) campaigns.
AiTM attacks vs. classic Man-in-the-Middle (MitM) attacks: What's the difference?
Classic Man-in-the-Middle (MitM) attacks exploit network weaknesses to secretly intercept data in transit, usually by capturing or decrypting traffic on a compromised connection (such as a public Wi-Fi network). In contrast, an AiTM (Adversary-in-the-Middle) attack directly targets the login process to hijack an identity session. It needs no foothold on the network at all: a reverse proxy deceives the user and hands the attacker the authenticated session.