Tag: Session vs Credential

  • What Is AiTM Phishing and Why It Bypasses MFA

    What Is AiTM Phishing and Why It Bypasses MFA


    Introduction

    A user enters their password.
    They approve the MFA request.
    Everything looks normal.

    And yet the attacker logs in anyway.

    This is not a failure of the user.
    It is a failure of how identity security is designed.

    Adversary in the Middle phishing is one of the most effective attack techniques today because it does not break authentication. It operates inside it.

    If your organization relies on passwords and MFA alone, you are exposed.



    What Is AiTM Phishing

    AiTM phishing is an attack where the attacker places a proxy between the user and the real login service.

    The user believes they are logging into a legitimate platform such as Microsoft 365. In reality, their traffic is routed through an attacker-controlled proxy.

    This allows the attacker to capture:

    • Credentials
    • MFA responses
    • Session cookies and tokens

    The critical detail is this:

    The attacker does not need to break authentication.
    They capture the result of successful authentication.


    How AiTM Attacks Actually Work

    Step 1: Lure

    The attacker sends a phishing message that looks legitimate. This could be a document share, login request, or security alert.

    Step 2: Proxy

    The victim lands on a page that perfectly mirrors the real login page.
    This is not a static fake site. It is a live relay to the real service.

    Step 3: Credential Input

    The user enters their username and password.
    The proxy forwards these to the real service.

    Step 4: MFA Challenge

    The real service triggers MFA.
    The user approves it.

    Step 5: Token Issuance

    The identity provider issues:

    • Session cookies
    • Access tokens
    • Refresh tokens

    This is the moment where trust is granted.

    Step 6: Interception

    The proxy captures these tokens in real time.

    Step 7: Session Replay

    The attacker reuses the tokens to access the account.

    No password required
    No MFA required
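    The replay in Steps 6 and 7, seen from the defender's side, as an added example that is not part of the original post: a check over constructed sign-in and activity events that flags a session id used from a different IP address or browser than the one present when MFA was completed. The event schema is assumed; Entra ID sign-in logs use their own field names.

```python
from datetime import datetime

# Constructed events: MFA-backed logins followed by activity carrying the same session id.
EVENTS = [
    {"ts": "2026-01-10T09:00:00Z", "type": "login", "user": "alice", "session": "s1",
     "ip": "203.0.113.10", "ua": "Edge/120", "mfa": True},
    {"ts": "2026-01-10T09:01:30Z", "type": "activity", "user": "alice", "session": "s1",
     "ip": "203.0.113.10", "ua": "Edge/120"},
    # Same session id, minutes later, from another network and another browser: replay pattern.
    {"ts": "2026-01-10T09:04:00Z", "type": "activity", "user": "alice", "session": "s1",
     "ip": "198.51.100.7", "ua": "Chrome/121"},
    {"ts": "2026-01-10T10:00:00Z", "type": "login", "user": "bob", "session": "s2",
     "ip": "192.0.2.5", "ua": "Firefox/122", "mfa": True},
    {"ts": "2026-01-10T10:05:00Z", "type": "activity", "user": "bob", "session": "s2",
     "ip": "192.0.2.5", "ua": "Firefox/122"},
]

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_session_replays(events, max_minutes: float = 30.0):
    """Alert when a session id is used from a context (ip, ua) that differs from the one
    recorded at its MFA-backed login, within max_minutes of that login. The window is a
    tunable heuristic: a change long after login is more often legitimate roaming."""
    origin = {}   # session id -> (ip, ua, login time)
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["ts"])):
        sid = ev["session"]
        if ev["type"] == "login" and ev.get("mfa"):
            # In an AiTM case this login may itself come from the proxy's address, so a
            # baseline of the user's usual locations is a complementary check not shown here.
            origin[sid] = (ev["ip"], ev["ua"], _ts(ev["ts"]))
            continue
        if sid not in origin:
            continue   # no MFA-backed origin known for this session; out of scope here
        ip0, ua0, t0 = origin[sid]
        changed = [name for name, before, now in (("ip", ip0, ev["ip"]), ("ua", ua0, ev["ua"]))
                   if before != now]
        minutes = (_ts(ev["ts"]) - t0).total_seconds() / 60
        if changed and minutes <= max_minutes:
            alerts.append({"user": ev["user"], "session": sid, "changed": changed,
                           "minutes_after_mfa": round(minutes, 1)})
    return alerts

if __name__ == "__main__":
    for alert in find_session_replays(EVENTS):
        print(alert)
```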


    [Figure: AiTM phishing proxy intercepting the authentication session between user and server. Caption: AiTM attacks intercept trust at the moment authentication succeeds]


    Why MFA Fails Against AiTM

    MFA was designed to protect against credential theft.

    It works when:

    • A password is stolen
    • An attacker tries to log in separately

    It fails when:

    • The attacker is inside the login flow

    Once authentication succeeds, the system issues a session token.

    That token represents access.

    AiTM attacks target this exact moment.

    This is why having MFA enabled is not, by itself, a strong security guarantee.


    The Real Problem: Session Trust

    Modern identity systems such as Microsoft Entra ID rely on token-based authentication models. According to Microsoft Entra ID documentation, session tokens represent authenticated access and are reused across services.

    Industry guidance such as the OWASP Session Management Cheat Sheet shows how improper session handling increases the risk of session hijacking attacks.

    Modern identity systems rely on:

    • Single Sign On
    • OAuth and OpenID Connect
    • Token-based authentication

    Authentication is no longer a single event.
    It is the beginning of a session.

    After login, the system grants trust through tokens.

    These tokens:

    • Are often not bound to a device
    • Are rarely continuously validated
    • Can be reused if stolen

    This creates a gap between authentication and session ownership.

    AiTM phishing operates inside that gap.


    Session Theft vs Credential Theft

    AiTM phishing changes how we should think about identity attacks.

    Most organizations still think in terms of credentials.

    They ask: did the attacker get the password?

    Modern attacks ask a different question.

    Did the attacker get the session?

    Credential theft:

    • Password is stolen
    • MFA may still stop access

    Session theft:

    • Token is stolen
    • MFA already completed
    • Immediate access

    This is a completely different threat model that many organizations fail to understand.

    AiTM phishing proves that session security is now the primary attack surface.


    [Figure: AiTM phishing identity attack surface showing session theft after MFA token issuance. Caption: AiTM phishing intercepts the session after MFA, highlighting why session tokens are the real attack target]

    Why This Attack Works

    AiTM is not just technical. It leverages human behavior.

    • Trust in familiar login pages
    • Routine approval of MFA requests
    • Authority of known brands
    • Real-time interaction without delay

    The user completes the attack themselves without noticing.


    Impact of AiTM Attacks

    Direct Impact

    • Account takeover
    • Access to email and files

    Operational Impact

    • Business Email Compromise
    • Invoice fraud
    • Internal phishing

    Strategic Impact

    • Privilege escalation
    • Tenant-wide compromise
    • Supply chain exposure

    One successful session can lead to a full attack chain.


    How to Reduce AiTM Risk

    You cannot fully eliminate AiTM. You can reduce exposure.

    Identity controls

    • Conditional Access policies
    • Device compliance enforcement
    • Location-based restrictions
    • Risk-based authentication

    Session controls

    • Short session lifetimes
    • Session binding to device or context
    • Continuous evaluation of sessions
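    The first two session controls, short lifetimes and binding to device context, as an added example that is not code from the article: a server-side session store in which each session id is bound with an HMAC to a device identifier, so that a cookie replayed from another device fails validation and every session expires after a short window. `device_id` is a placeholder; the binding only helps when it derives from something the proxy cannot relay, such as a key held on the device (the approach taken by Device Bound Session Credentials).

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Server-side key and in-memory session store (constructed for this example; a real
# deployment would persist sessions and rotate the key).
SERVER_KEY = os.urandom(32)
SESSION_LIFETIME_S = 15 * 60   # short lifetime shrinks the replay window
_sessions = {}                  # session id -> {"user", "binding", "expires"}

def _binding(session_id: str, device_id: str) -> bytes:
    # HMAC over the session id and the device context; only the server can compute it.
    return hmac.new(SERVER_KEY, f"{session_id}|{device_id}".encode(), hashlib.sha256).digest()

def issue_session(user: str, device_id: str, now: Optional[float] = None) -> str:
    """Called once password and MFA have succeeded. Returns the cookie value to set."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    _sessions[session_id] = {"user": user,
                             "binding": _binding(session_id, device_id),
                             "expires": now + SESSION_LIFETIME_S}
    return session_id

def validate_session(session_id: str, device_id: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user if the cookie is valid for this device and unexpired, else None."""
    now = time.time() if now is None else now
    rec = _sessions.get(session_id)
    if rec is None or now >= rec["expires"]:
        _sessions.pop(session_id, None)   # expired: drop it so it cannot be replayed later
        return None
    # A cookie replayed from another device produces a different HMAC and is rejected.
    if not hmac.compare_digest(rec["binding"], _binding(session_id, device_id)):
        return None
    return rec["user"]

if __name__ == "__main__":
    t0 = 1_700_000_000.0
    cookie = issue_session("alice", "device-A", now=t0)
    print(validate_session(cookie, "device-A", now=t0 + 60))     # alice
    print(validate_session(cookie, "device-B", now=t0 + 60))     # None: replay from another device
    print(validate_session(cookie, "device-A", now=t0 + 3600))   # None: expired
```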

    Strong authentication

    • Passkeys
    • Hardware security keys

    These methods are resistant to proxy-based attacks.

    User awareness

    • Focus on login flow manipulation
    • Avoid generic phishing training


    CTA

    Identity Security Review

    AiTM phishing risk assessment for Microsoft 365 environments.

    If your organization uses Microsoft 365 or Entra ID, relying on MFA alone is not enough.

    We analyze:

    • Where session theft is possible
    • Where MFA creates false confidence
    • Where Conditional Access reduces real risk

    You get a clear and prioritized hardening plan based on real attack paths.



    Conclusion

    AiTM phishing works because it targets the gap between authentication and access.

    Not the password.
    Not the MFA code.

    The session.

    As long as systems treat authentication as a one-time event and trust as persistent, this attack will continue to work.



  • Session vs Credential Theft: 7 Critical Differences That Expose a Hidden Security Risk (2026)

    Session vs Credential Theft: 7 Critical Differences That Expose a Hidden Security Risk (2026)


    Session vs credential theft is no longer a theoretical distinction. It is the defining shift in modern identity attacks.

    Most security teams still focus on protecting login.

    Strong passwords. MFA. Reset flows.

    But attackers have adapted.

    They no longer break in.
    They steal the trust issued after login.

    According to Microsoft’s Digital Defense Report, adversary-in-the-middle phishing attacks are rapidly increasing as attackers shift toward session token theft. Meanwhile, OWASP and MITRE ATT&CK confirm the same reality: once a session token is stolen, authentication no longer matters.

    This is where most defenses fail.



    The Trust Timeline Explained

    Every identity system follows the same structure:

    1. Authentication request
      User initiates login
    2. Verification
      Credentials and MFA validated
    3. Trust issuance
      Tokens and cookies are created
    4. Ongoing access
      System trusts the session
    5. Replay window
      Stolen tokens can be reused

    Key distinction:

    Credential theft attacks steps 1–2
    Session theft attacks steps 3–5


    [Figure: Trust timeline showing the authentication flow from login and MFA to token issuance, and where session theft occurs. Caption: How digital trust is built during login and where attackers exploit the session after MFA is completed]


    Credential Theft vs Session Theft

    Credential theft targets login secrets:

    • Passwords
    • MFA codes
    • API keys
    • Stored browser credentials

    How it happens:

    • Phishing pages
    • Credential stuffing
    • Database breaches
    • Keyloggers
    • Credential dumping

    Real-world flow:

    1. Credentials stolen
    2. Login attempted
    3. MFA triggered
    4. Attack often blocked

    Key reality:

    Credential theft gives opportunity, not guaranteed access.


    Session Theft vs Credential Theft in Practice

    Session theft targets what happens after login:

    • Session cookies
    • Access tokens
    • Refresh tokens
    • SSO artifacts

    Once stolen, these allow full impersonation.

    How it happens:

    • AiTM phishing
    • Infostealer malware
    • Browser compromise
    • XSS attacks
    • Token replay

    Real-world flow:

    1. User logs in normally
    2. MFA succeeds
    3. Token issued
    4. Token captured
    5. Attacker reuses it
    6. Access granted

    No password needed
    No MFA needed


    [Figure: Side-by-side comparison of credential theft and session theft attack paths, showing how MFA often blocks login attacks but session token replay bypasses MFA. Caption: Clear difference between attacking the authentication phase (credential theft) and attacking the post-authentication phase (session theft). Session theft bypasses MFA because the token is stolen after successful login.]

    How AiTM Connects Credential Theft and Session Theft

    Adversary-in-the-Middle attacks combine both layers.

    A reverse proxy sits between the victim and the real service:

    • Captures credentials during login
    • Captures tokens after login
    • Relays everything live

    Result:

    The attacker gets credentials and active session access.

    This is why MFA alone is no longer enough.

    👉 Related: AiTM Phishing Explained


    Credential Theft vs Session Theft Differences

    Aspect        Credential Theft          Session Theft
    Target        login secrets             session tokens
    Stage         pre-authentication        post-authentication
    Goal          login attempt             session reuse
    MFA impact    often blocked             bypassed
    Detection     visible login anomalies   looks legitimate
    Persistence   until password reset      until token expires


    Why Session Theft Is More Dangerous

    Attackers follow efficiency.

    As defenses improve:

    • Passwords get stronger
    • MFA adoption increases
    • Credential reuse decreases

    Attackers shift forward:

    From login to session.

    Today’s underground markets sell:

    • Live session cookies
    • Browser fingerprints
    • Authenticated sessions

    The attack surface has moved.


    The System Behind Session Theft

    Session theft exists because of system design:

    Identity providers
    Issue tokens after authentication

    Applications
    Trust tokens as identity

    Browsers
    Store tokens locally

    Security teams
    Measure login, not session

    Most dashboards show:

    • MFA enabled ✔️
    • Password strong ✔️

    But ignore:

    • token replay
    • session anomalies
    • device trust

    Defense Strategy for Session vs Credential Theft


    Defending the Login Layer

    • Strong passwords
    • Phishing-resistant MFA (passkeys)
    • Login anomaly detection
    • Credential stuffing protection

    Important but insufficient


    Defending the Session Layer

    Token Binding
    Tie tokens to devices

    Device Trust
    Allow only compliant endpoints

    Short Lifetimes
    Reduce replay window

    Session Monitoring
    Detect abnormal behavior

    Cookie Hardening
    Secure, HttpOnly, SameSite

    Endpoint Security
    Stop infostealers
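    Cookie Hardening from the list above, as an added example that is not part of the article: an audit of a Set-Cookie header value for the Secure, HttpOnly and SameSite attributes, run over a weak and a hardened constructed value. These flags close the script-access, plaintext and cross-site paths to a cookie; they do not stop AiTM, where the browser hands the cookie to the proxy over TLS exactly as designed, nor an infostealer reading the browser's cookie store, which is why Device Trust and Endpoint Security sit beside them in the list.

```python
# Set-Cookie values a session layer might emit (constructed for this example).
WEAK_COOKIE = "SID=abc123; Path=/"
HARDENED_COOKIE = "__Host-SID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

# What each missing attribute leaves open, mapped to the session-theft vectors listed earlier.
EXPOSURE = {
    "Secure":   "cookie can be sent over plaintext HTTP and observed on the network",
    "HttpOnly": "cookie readable by script, so an XSS bug can exfiltrate it",
    "SameSite": "cookie attached to cross-site requests, enabling CSRF-style session abuse",
}

def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie value and report the attributes present and what is missing."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # attribute names are case-insensitive
    findings = [f"missing {attr}: {risk}" for attr, risk in EXPOSURE.items()
                if attr.lower() not in attrs]
    if attrs.get("samesite", "").lower() == "none":
        findings.append("SameSite=None: cookie attached to all cross-site requests")
    # The __Host- prefix is only honoured by browsers if Secure and Path=/ are set and
    # no Domain attribute is present; a mismatch means the prefix gives no protection.
    if name.startswith("__Host-") and ("secure" not in attrs or attrs.get("path") != "/"
                                       or "domain" in attrs):
        findings.append("__Host- prefix requirements not met (Secure, Path=/, no Domain)")
    return {"name": name, "attributes": attrs, "findings": findings}

if __name__ == "__main__":
    for cookie in (WEAK_COOKIE, HARDENED_COOKIE):
        result = audit_set_cookie(cookie)
        print(result["name"], result["findings"] or ["ok"])
```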


    Real-World Scenarios

    Scenario A: Credential Theft

    Phishing → login → MFA → blocked

    Scenario B: Session Theft

    Proxy → MFA success → token stolen → access granted

    Same user
    Same MFA
    Different outcome


    Bottom Line

    Credential theft steals the ability to try.

    Session theft steals the proof that access was already granted.

    Once trust is issued, most systems stop asking questions.

    That is exactly where attackers operate.


    CTA Identity Security Upgrade

    If your organization relies on Microsoft 365 or Entra ID, you likely have blind spots in your session layer.

    Book an Identity Security Review:

    • AiTM exposure mapping
    • Token replay risk
    • Conditional Access gaps
    • Session lifecycle weaknesses

    Or download:

    Identity Hardening Checklist 2026
    Can your MFA survive session theft?




    Next in this Series

    Next: Why Session Cookies Matter More Than Your Password

    This article will break down how cookies work, why they are a critical weak point, and how attackers exploit them in real environments.