Josh Harvey
Technical Team Lead
Your multi-factor authentication isn't as safe as you think. Cybercriminals are now using Adversary-in-the-Middle attacks to bypass MFA and steal Microsoft 365 credentials in real time—and they're easier to execute than ever before.
Cybercriminals are always looking for new ways to bypass the security measures businesses rely on. Over the past year, one technique has become increasingly common in phishing campaigns: Adversary-in-the-Middle (AITM) attacks.
These attacks are specifically designed to slip past even strong defences, including multi-factor authentication (MFA). As your IT partner, we want you to understand what these attacks are, how they work, and most importantly, how we’re protecting you from them with the rollout of Check.
What are AITM attacks?
AITM attacks are a more advanced form of phishing.
Traditional phishing tricks users into entering their credentials on a fake login page. The attacker then steals those credentials and attempts to access the account later.
AITM attacks go a step further. The attacker places themselves directly into the login process. Imagine using your keycard and PIN to enter a secure building, and someone silently slips in behind you at the same time. That’s effectively what happens.
When you log in, the attacker captures your username, password, and even your MFA code in real time, then immediately uses them to access your account. Because the login is happening live, even well-configured MFA can be bypassed.
How these attacks reach you
These attacks usually begin with convincing emails, such as fake Microsoft notifications, shared file alerts, or urgent password reset messages. Clicking the link takes you to a page that looks exactly like a legitimate Microsoft sign-in screen.
Behind the scenes, however, everything you enter is being relayed instantly to the attacker.
Because these pages look so familiar and professional, they’re easy to trust, even for people who are generally cautious and security-aware.
Why tools like Evilginx make this easier than ever
One reason AITM attacks are becoming more common is the availability of tools such as Evilginx.
Evilginx is a widely available phishing framework designed specifically to carry out AITM attacks. It doesn’t require advanced hacking skills to use. Attackers can set it up quickly using templates that closely mimic real Microsoft login pages.
This dramatically lowers the barrier to entry. In the past, attacks like this required specialist knowledge. Today, they can be launched by far less experienced attackers, at scale.
How AI has accelerated the threat
The rapid growth of AI technology has further fuelled this trend.
AI makes it easier for attackers to:
Generate highly convincing phishing emails at speed
Tailor messages to specific organisations or individuals
Remove spelling mistakes and obvious warning signs
Scale attacks across thousands of targets with minimal effort
The result is phishing campaigns that are more believable, more targeted, and harder to spot, increasing the success rate of AITM attacks.
What you can do to protect yourself
Awareness remains your first line of defence.
Pause if something feels off, such as an unexpected file, an unfamiliar login request, or a page that looks almost right. Check the web address carefully and don’t enter credentials unless you’re certain it’s legitimate.
We also strongly recommend ongoing security awareness training for all staff. It’s one of the most effective ways to reduce the risk of phishing attacks. You can read more in our security awareness training blog post:
https://www.metaeagle.co.uk/resources/security-awareness-training
Alongside training, modern businesses also need Identity Threat Detection and Response (ITDR).
ITDR focuses on monitoring identity activity across your environment to spot suspicious behaviour that traditional security tools may miss. This includes unusual sign-ins, impossible travel, session hijacking attempts, and behaviour that suggests credentials have been compromised.
If an attacker does succeed in capturing login details through an AITM attack, ITDR helps detect and respond quickly, limiting damage and reducing the chance of lateral movement or data loss. You can learn more about our ITDR approach here:
https://www.metaeagle.co.uk/services/identity-threat-detection-response-itdr
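To make the ITDR signals above concrete, here is a simplified sketch of two of them, impossible travel and a session reused from a new IP address. It is an added example, not Meta Eagle's or any vendor's code; the record fields, the sample events and the 900 km/h threshold are all constructed assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900  # assumed threshold: roughly airliner cruising speed

# Constructed sample sign-in records (not real log data; field names are assumptions).
EVENTS = [
    {"user": "alice@example.com", "time": "2025-01-10T09:00:00", "ip": "198.51.100.7",
     "lat": 51.51, "lon": -0.13, "session": "s-100"},   # London
    {"user": "alice@example.com", "time": "2025-01-10T09:04:00", "ip": "203.0.113.50",
     "lat": 40.71, "lon": -74.01, "session": "s-100"},  # New York, same session
    {"user": "bob@example.com", "time": "2025-01-10T08:00:00", "ip": "198.51.100.9",
     "lat": 51.51, "lon": -0.13, "session": "s-200"},   # London
    {"user": "bob@example.com", "time": "2025-01-10T17:00:00", "ip": "198.51.100.23",
     "lat": 53.48, "lon": -2.24, "session": "s-201"},   # Manchester, new session
]

def km_between(a, b):
    """Great-circle distance between two events (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def find_alerts(events):
    """Return (user, reason) pairs for impossible travel and session reuse."""
    alerts, last_seen, session_ips = [], {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        if prev:
            hours = (datetime.fromisoformat(ev["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            # Treat a zero time gap as one second to avoid dividing by zero.
            if km_between(prev, ev) / max(hours, 1 / 3600) > MAX_KMH:
                alerts.append((ev["user"], "impossible_travel"))
        last_seen[ev["user"]] = ev
        # A session first seen on one IP and later on another suggests a
        # stolen session being replayed from a different machine.
        first_ip = session_ips.setdefault(ev["session"], ev["ip"])
        if ev["ip"] != first_ip:
            alerts.append((ev["user"], "session_reuse_new_ip"))
    return alerts

if __name__ == "__main__":
    for user, reason in find_alerts(EVENTS):
        print(user, reason)
```

Legitimate users also change IP address (for example moving from Wi-Fi to mobile data), so signals like these are normally combined with others before an account is locked.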
Together, awareness training, ITDR, and preventative tools form a layered defence that significantly reduces risk.
What Meta Eagle is doing: Check
Alongside training, we’re rolling out Check, a browser extension designed to detect fake Microsoft login pages, including those used in AITM attacks.
Here’s how it helps:
Automatic protection: Check runs quietly in the background
Visual confirmation: a small message appears when a page is a genuine Microsoft sign-in
Clear warnings: suspicious pages trigger a clear alert with guidance on what to do
Silent monitoring: our team is notified in the background so we can investigate and respond
There’s nothing extra for you to do, and no change to how you work, just an additional safety net protecting your accounts.
Staying ahead of cybercriminals
Cybersecurity isn’t a set-and-forget exercise. Attackers continue to evolve, and so must our defences.
By combining ongoing staff training with advanced tools like Check, we help ensure your business stays one step ahead of emerging threats such as AITM attacks.
If you’d like to learn more about how Check works, or want to refresh your team’s security awareness training, get in touch. We’re always here to help keep you safe.





