Adversary-in-the-middle phishing

PLATFORM

SERVICE

azure-ad

DATA BREACHES

known

LAST UPDATED

EXPLOITABILITY: low
Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit it; some refer to this as likelihood.

IMPACT: high
How impactful a successful exploitation of this vulnerability is expected to be for your environment and organization.

About

"Adversary-in-the-middle" (AiTM) is a relatively recent technique in which an attacker not only steals a victim's credentials, but also acts as a proxy between the victim and the legitimate service. This allows the attacker to bypass most multi-factor authentication (MFA) methods and access the victim's account by stealing their session cookies.

Understanding Impact

Business Impact

Compromised employee accounts often lead to data leaks, data loss, and unauthorized access to your Azure or corporate Microsoft 365 resources. In particular, Business Email Compromise (BEC) is a common attacker goal that leverages compromised accounts.

Technical Impact

"Adversary-in-the-middle" (AiTM) allows an attacker to "bypass" most MFA methods, including TOTP, SMS, and Microsoft Authenticator. As the attacker acts as a proxy between the victim and the legitimate service, the attacker can steal the victim's session cookies and access the victim's account without having to provide a second factor.

Detection

In an AiTM scenario, the actual Azure AD sign-in is performed from the attacker's IP address. Consequently, you can use the usual telemetry sources, such as Azure AD sign-in logs and Azure AD Identity Protection, to identify unusual sign-in locations or characteristics.
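As an added illustration (not code from the original article or from Datadog's detection rules), the following Python script scans constructed Azure AD sign-in records for the pattern described above: a successful MFA sign-in from a country absent from the user's recent baseline, or two successes from different countries within a window too short to travel between them. Field names follow the Microsoft Graph signInLogs schema; the records, thresholds and function names are assumptions made for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (shape modelled on the Azure AD / Microsoft Graph
# signInLogs schema; users, IPs and timestamps are made up for this example).
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "createdDateTime": "2023-04-20T08:02:00Z",
  "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "FR"},
  "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
 {"userPrincipalName": "alice@example.com", "createdDateTime": "2023-05-10T09:00:00Z",
  "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "FR"},
  "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
 {"userPrincipalName": "alice@example.com", "createdDateTime": "2023-05-10T09:12:00Z",
  "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "RO"},
  "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
 {"userPrincipalName": "bob@example.com", "createdDateTime": "2023-05-10T10:00:00Z",
  "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "FR"},
  "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"}
]""")

def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_aitm_candidates(records, baseline_days=30, travel_window_minutes=60):
    """Flag successful sign-ins that fit the AiTM pattern: an MFA-satisfied sign-in from a
    country missing from the user's recent baseline, or two successes from different
    countries within the travel window. Returns (user, reason, ip_a, ip_or_country_b)."""
    by_user = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == 0:  # only successful sign-ins matter here
            by_user[r["userPrincipalName"]].append(r)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=_ts)
        for i, ev in enumerate(events):
            t, country, earlier = _ts(ev), ev["location"]["countryOrRegion"], events[:i]
            # Baseline: countries this user signed in from during the lookback period.
            baseline = {e["location"]["countryOrRegion"] for e in earlier
                        if t - _ts(e) <= timedelta(days=baseline_days)}
            if (baseline and country not in baseline
                    and ev["authenticationRequirement"] == "multiFactorAuthentication"):
                alerts.append((user, "mfa_success_from_new_country", ev["ipAddress"], country))
            for e in earlier:  # impossible travel against any recent earlier success
                if (e["location"]["countryOrRegion"] != country
                        and t - _ts(e) <= timedelta(minutes=travel_window_minutes)):
                    alerts.append((user, "impossible_travel", e["ipAddress"], ev["ipAddress"]))
                    break
    return alerts
```

Run against the sample, it flags only alice's third sign-in, on both counts; the user's own earlier sign-ins from the attacker-controlled proxy IP would still be visible in the same log fields.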

To prevent AiTM attacks, you can enforce phishing-resistant MFA methods such as FIDO2. If you're using a mobile device management solution such as Microsoft Intune, you can also enforce the use of managed devices for authentication through a conditional access policy.

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the following out-of-the-box rules:
