Adversary-in-the-Middle Attacks that Target Microsoft 365
Summary:
Adversary-in-the-Middle attacks are an advanced evolution of man-in-the-middle techniques, exploiting weaknesses in credential-based security and legacy MFA systems by intercepting and relaying traffic between victims and legitimate services. Unlike standard phishing that only steals credentials, AiTM allows attackers to capture real-time session cookies, enabling them to bypass MFA prompts entirely and maintain persistent access. A notable example is the Tycoon 2FA phishing-as-a-service platform, which automates the deployment of realistic phishing pages that closely mimic Microsoft 365 login flows, including organization-specific Entra ID branding, tricking users into entering both passwords and MFA codes.
In April 2025, Proofpoint detected a significant spike in global AiTM campaigns leveraging Tycoon’s platform, targeting thousands of organizations across multiple sectors, including healthcare, finance, and education. These campaigns employed advanced evasion tactics such as invisible Unicode characters embedded in URLs, custom CAPTCHAs to defeat automation, and anti-debugging scripts to slow analysis and bypass traditional email security gateways.
The typical attack chain began with phishing emails containing links to a fake Microsoft 365 login page designed to appear identical to legitimate portals, often including the target’s organizational logos and colors. Once victims entered their credentials, the fake page prompted for MFA tokens, capturing them in real time alongside session cookies via a reverse proxy setup, allowing attackers to authenticate as the user without triggering additional MFA challenges. This session hijacking enabled attackers to access sensitive services, exfiltrate data, and establish persistent footholds within victim environments.
Security Officer Comments:
Notably, Proofpoint observed these attacks successfully bypassing the defenses of six other major email security vendors, including three recognized as Leaders in the 2024 Gartner Magic Quadrant, underscoring the sophistication and effectiveness of these campaigns. Proofpoint identified the use of “precision-validated phishing,” where attackers validate the user’s existence or activity before executing the attack, enhancing the likelihood of success while narrowing the target scope.
Suggested Corrections:
To safeguard against threats like the one described in this post, here’s what we recommend:
- Use enhanced authentication methods. MFA remains a key defense, but it’s not foolproof. Consider implementing additional authentication methods, such as FIDO2 hardware security keys. These methods are resistant to session cookie theft and are harder for attackers to bypass.
- Educate users. Training employees to recognize phishing emails is crucial. Users should learn how to carefully inspect URLs in email messages. And they should be taught to verify the authenticity of login pages, especially those with custom branding.
- Improve your email filtering. Advanced email security solutions can detect suspicious behavior. They can also identify the use of uncommon domains, unusual sender information, and other indicators of a phishing attack.
- Get advanced threat detection. The use of advanced threat detection tools is critical for defending against AiTM and other identity-based attacks. These tools not only prevent attackers from stealing credentials, but they also stop them from moving laterally across your environment and escalating the privileges of stolen accounts.
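The campaigns described above hid invisible Unicode characters inside URLs to slip past filters and defeat casual URL inspection. As an added illustration of the URL-inspection and filtering recommendations (this is example code written for this post, not Proofpoint’s tooling or anything from the original article), the following Python checks a URL for invisible code points in both its raw and percent-decoded forms and reports whether each hit falls inside the hostname. The sample URLs use placeholder hosts under the reserved `.test` domain and are constructed for the demonstration.

```python
import unicodedata
from urllib.parse import unquote

# Well-known invisible code points that unicodedata files under letter or
# symbol categories rather than "format" or "space" (hand-picked, not
# exhaustive).
EXPLICIT_INVISIBLE = {
    0x115F,  # HANGUL CHOSEONG FILLER
    0x1160,  # HANGUL JUNGSEONG FILLER
    0x2800,  # BRAILLE PATTERN BLANK
    0x3164,  # HANGUL FILLER
    0xFFA0,  # HALFWIDTH HANGUL FILLER
}


def is_invisible(ch: str) -> bool:
    """True if ch renders as nothing, or as a blank other than ASCII space."""
    cp = ord(ch)
    if cp in EXPLICIT_INVISIBLE:
        return True
    cat = unicodedata.category(ch)
    if cat == "Cf":                 # zero-width space/joiners, BOM, soft hyphen, bidi controls
        return True
    if cat in ("Cc", "Cn", "Co"):   # control, unassigned, private-use: never legitimate in a URL
        return True
    if cat == "Zs" and cp > 0x7F:   # NBSP, en/em/thin spaces, ideographic space
        return True
    return False


def _authority_span(text: str):
    """(start, end) offsets of the host/authority part of a URL, or None."""
    start = text.find("://")
    if start == -1:
        return None
    start += 3
    end = len(text)
    for terminator in "/?#":
        j = text.find(terminator, start)
        if j != -1:
            end = min(end, j)
    return start, end


def find_invisible_chars(url: str) -> list:
    """List every invisible character in url, in raw and percent-decoded form.

    Each finding records the form it was found in, its offset, the code point,
    the Unicode name, and whether it sits inside the hostname (the part a user
    is most likely to eyeball, so a hit there is the stronger signal).
    """
    forms = [("raw", url)]
    decoded = unquote(url)
    if decoded != url:              # only scan the decoded form if %XX escapes were present
        forms.append(("decoded", decoded))

    findings = []
    for form, text in forms:
        host = _authority_span(text)
        for i, ch in enumerate(text):
            if not is_invisible(ch):
                continue
            findings.append({
                "form": form,
                "offset": i,
                "codepoint": f"U+{ord(ch):04X}",
                "name": unicodedata.name(ch, "<unnamed>"),
                "in_host": host is not None and host[0] <= i < host[1],
            })
    return findings


def scan_url(url: str) -> dict:
    """Classify a URL: 'suspicious' if any invisible character is present."""
    findings = find_invisible_chars(url)
    return {
        "url": url,
        "verdict": "suspicious" if findings else "clean",
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample URLs (placeholder hosts under the reserved .test TLD).
    samples = [
        "https://login.example.test/signin",                 # clean
        "https://login.exam\u200bple.test/signin",           # literal zero-width space in host
        "https://login.example.test/signin?u=a%E2%80%8Cb",   # percent-encoded ZWNJ in query
    ]
    for s in samples:
        result = scan_url(s)
        print(result["verdict"], repr(s))
        for f in result["findings"]:
            where = "host" if f["in_host"] else "path/query"
            print(f"  {f['form']:7} {f['codepoint']} {f['name']} at offset {f['offset']} ({where})")
```

Scanning the percent-decoded form matters because a mail gateway that only inspects the literal link text sees plain ASCII in `%E2%80%8C`, while the browser decodes it. A hit inside the hostname is worth treating as a stronger signal than one in the query string, since the hostname is what a trained user is told to inspect.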
Link(s):
https://www.proofpoint.com/us/blog/...hishing-attacks-evolving-threat-microsoft-365