See How Easy Phishing Really Is
Adversary-in-the-Middle (AitM) phishing kits place a reverse proxy in front of any website and relay the victim's traffic to the real site, capturing credentials and session cookies as they pass through - even when multi-factor authentication is enabled. Check for yourself whether your website detects the technique or simply loads normally through such a proxy.
You will be redirected to a proxied version of the website. No data is stored.
The Scale of the Threat
Threat actors have almost entirely shifted from traditional AitM phishing campaigns to proxy-based AitM phishing campaigns.
— Canadian Centre for Cyber Security (CCCS), 2025
What is an AitM Attack?
In an Adversary-in-the-Middle (AitM) attack, an attacker positions themselves between you and the real website. You see the real site - but everything flows through the attacker.
Attacker sets up a proxy
The attacker registers a look-alike domain, points it at a reverse proxy they control, and forwards every request to the real website and every response back to the victim.
Victim visits the phishing link
The victim clicks a link to the proxy and sees the real website - fully functional, because every page is relayed from the original in real time.
Attacker captures everything
When the victim logs in, the username, password, one-time codes and the session cookies the site issues afterwards all pass through the attacker's proxy. With the captured session cookies, the attacker can take over the authenticated session on the real website without logging in again.
Even conventional MFA doesn't help - the attacker captures the session cookie that is issued after authentication succeeds.
Why Should You Care?
Bypasses MFA
Traditional multi-factor authentication (SMS codes, TOTP apps, push approvals) does not protect against AitM because the victim's codes and approvals are relayed to the real site in real time, and the attacker takes over the session that exists after MFA has succeeded.
Looks Identical
The phishing page isn't a copy - it is the real website, relayed through the proxy, so it is pixel for pixel identical. Only the domain in the address bar differs.
Captures Session Tokens
The attacker doesn't just get passwords - they capture authenticated session cookies for immediate access.
Works Against Any Website
Any website without phishing-resistant authentication is vulnerable - webmail, cloud services, banks, everything.
Traditional Phishing vs. AitM
| | Traditional Phishing | AitM Attack |
|---|---|---|
| Page shown | Static fake copy | Real site, relayed through a proxy |
| MFA bypass | No | Yes - one-time codes and push approvals are relayed in real time |
| Detection | Copy often has visual tells; domain is a look-alike | Content is the real site; only the look-alike domain gives it away |
| Session theft | Credentials only | Full authenticated session (cookies captured after MFA) |
How to Protect Yourself
Check the URL carefully
Always verify the full domain in the address bar. AitM phishing domains often closely resemble the real domain.
Use hardware security keys or other phishing-resistant MFA
FIDO2 security keys like YubiKeys, and passkeys, are bound to the domain they were registered on: the browser writes the origin the user actually visited into the signed login response, so a response produced on a look-alike domain is rejected by the real site and cannot be relayed. This is the most effective defense against AitM.
For developers: Implement phishing-resistant MFA and build proxy detection
Use phishing-resistant authentication like FIDO2/WebAuthn or passkeys: the browser binds every assertion to the origin the user actually visited, so a response obtained through a proxy on another domain fails verification on your server. As defense in depth, embed obfuscated client-side code that checks whether document.location matches your domain and reports a mismatch; keep in mind that proxy kits rewrite your hostname in the responses they relay and can strip scripts, so this raises the attacker's cost rather than replacing phishing-resistant MFA. Watch for sign-ins from unusual locations, IP addresses or devices, in particular a session cookie that was issued to one IP address and is first used from another, and raise real-time alerts on such activity.
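The document.location check from the developer item above, as an added example that is not part of this page. It assumes a hypothetical hostname login.example.com and a hypothetical report endpoint /api/aitm-report on that host. The comparison target is stored as character codes rather than as a string, because proxy kits typically substitute the real hostname with their own in every relayed response, which would otherwise turn the check into a no-op. The guard takes the window object as a parameter so the decision logic can be exercised outside a browser.

```javascript
// Added example, not code from this page. Runs in the browser as an inline or
// early-loaded script on the login page; the guard is also callable with a stub
// window so it can be tested in Node.

// Hypothetical hostname "login.example.com" as char codes. A string-rewriting
// proxy substitutes the literal hostname in HTML and JS bodies; a numeric
// array gives it nothing to match.
const EXPECTED_HOST_CODES = [108, 111, 103, 105, 110, 46, 101, 120, 97, 109, 112, 108, 101, 46, 99, 111, 109];
const expectedHost = () => String.fromCharCode(...EXPECTED_HOST_CODES);

// Exact, case-insensitive hostname comparison. Prefix/suffix tricks such as
// "login.example.com.evil.test" or "login-example.com" do not match.
function checkOrigin(hostname) {
  return typeof hostname === "string" && hostname.toLowerCase() === expectedHost();
}

// Decides what the page does and returns the decision (useful for tests and
// logging). `win` is the browser's window, or any object with the same shape.
function guardLoginPage(win) {
  const loc = win.location || {};
  if (checkOrigin(loc.hostname)) return { action: "allow", host: loc.hostname };

  // Served from somewhere else: report to the *real* host (hypothetical
  // endpoint). The browser sends this directly, not through the proxy.
  const report = JSON.stringify({
    event: "aitm-suspect",
    host: loc.hostname,
    href: loc.href,
    referrer: win.document ? win.document.referrer : undefined,
    ts: Date.now(),
  });
  const nav = win.navigator;
  if (nav && typeof nav.sendBeacon === "function") {
    nav.sendBeacon("https://" + expectedHost() + "/api/aitm-report", report);
  }

  // Neutralise the login form so credentials are not typed into the proxy.
  const doc = win.document;
  if (doc && typeof doc.querySelectorAll === "function") {
    for (const form of doc.querySelectorAll("form")) {
      const notice = doc.createElement("p");
      notice.textContent = "This page is not being served from " + expectedHost() + ". Do not sign in.";
      form.replaceWith(notice);
    }
  }
  return { action: "block", host: loc.hostname, report };
}

// In a real browser, run immediately; in Node nothing happens at load time.
if (typeof window !== "undefined") guardLoginPage(window);
```

This is defense in depth, not a boundary: an attacker who inspects the page can strip or patch the script, which is why the text above recommends obfuscating it. The beacon is aimed at the real hostname on purpose, so that even when the rest of the page is under the proxy's control, the detection is recorded on your side and can feed the sign-in alerting described above.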
Train employees regularly
Regular awareness training helps employees recognize phishing attempts. Simulated phishing tests improve vigilance.
Need Help Securing Your Organization?
We help you implement phishing-resistant MFA, run pentests and red-team engagements, and deliver security awareness training.
Book a Free Consultation
Frequently Asked Questions
Q:What makes AitM different from regular phishing?
Traditional phishing creates a fake page. AitM routes all traffic through a proxy - you see the real website, but the attacker sits in between, capturing everything including MFA tokens.
Q:Does Multi-Factor Authentication (MFA) protect against AitM?
Traditional MFA like SMS codes or TOTP apps does not protect against AitM because the codes are relayed to the real site in real time and the attacker takes over the session afterwards. Only phishing-resistant methods like FIDO2/WebAuthn or passkeys provide protection.
Q:How can I tell if I'm being attacked?
Watch the domain in your address bar - AitM phishing uses look-alike domains. Do not rely on the padlock: the attacker obtains a valid TLS certificate for their own domain, so check that the certificate is issued for the domain you expect. Also watch for sign-in notifications for logins you did not make.
Q:Is your test safe?
Yes. Our test redirects you to a proxied version of your website to demonstrate the phishing technique. No data is stored and no credentials are captured.
Ready to Test Your Website?
Test whether your website detects the proxy attempt or loads normally. If it does not, you experience firsthand what an AitM attack on your website looks like: the proxied site works just like the original, including authentication.
Test Now