Vol. 1 · Ed. 2026
CyberGlossary
Entry № 020

Adversary-in-the-Middle (AiTM) Phishing

What is Adversary-in-the-Middle (AiTM) Phishing?

Adversary-in-the-Middle (AiTM) Phishing: A phishing technique that places a reverse-proxy server between the victim and the real login page to relay credentials and steal the post-authentication session cookie, bypassing most MFA.


Adversary-in-the-Middle (AiTM) phishing is a credential- and session-theft technique in which the attacker interposes a reverse-proxy server between the victim and a legitimate website. Instead of serving a static fake page, the proxy fetches the real login page in real time and relays every request and response, so the victim sees the genuine site, completes any multi-factor authentication, and notices nothing unusual. As the traffic passes through, the proxy captures the username, password, and — crucially — the authenticated session cookie the server issues after MFA succeeds. The attacker replays that cookie to hijack the session without needing the second factor again. Because it defeats most one-time-code and push-based MFA, AiTM is commonly delivered through kits such as Evilginx, EvilProxy, and Tycoon 2FA, and is mitigated mainly by phishing-resistant, origin-bound MFA like FIDO2.
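The last sentence of the definition, that a relaying proxy defeats one-time codes but not origin-bound FIDO2, is easier to see in a toy model. The following is an added illustration, not code from the glossary or from any of the kits named above; the origins, the HMAC stand-in for a FIDO2 signature, and the classes are constructed for the example. The point it demonstrates: an OTP is a bare string that verifies no matter which page the user typed it into, whereas a WebAuthn assertion is signed over a hash of the relying-party ID that the browser derives from the origin it actually connected to, so an assertion produced on a look-alike host fails verification at the real site even though the challenge was relayed unchanged.

```python
"""Toy model of why origin-bound MFA resists a relaying proxy (constructed example)."""
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://login.example.com"   # hypothetical relying party
PROXY_ORIGIN = "https://login-example.com"   # hypothetical look-alike host


def rp_id_hash(origin: str) -> bytes:
    """WebAuthn authenticators put SHA-256(rpId) into the signed authenticator data.
    The browser derives rpId from the origin it is really talking to; page content
    cannot override it, which is what makes the credential origin-bound."""
    host = origin.split("://", 1)[1]
    return hashlib.sha256(host.encode()).digest()


class Authenticator:
    """Simulated FIDO2 authenticator. A real one uses a per-RP asymmetric key pair;
    an HMAC over (authenticator data || challenge) stands in for the signature here."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def sign(self, browser_origin: str, challenge: bytes) -> tuple[bytes, bytes]:
        auth_data = rp_id_hash(browser_origin)
        sig = hmac.new(self.key, auth_data + challenge, hashlib.sha256).digest()
        return auth_data, sig


class RelyingParty:
    """The genuine site: it only accepts assertions signed over its own RP ID."""

    def __init__(self, origin: str, authenticator_key: bytes) -> None:
        self.origin = origin
        self.key = authenticator_key

    def verify(self, challenge: bytes, auth_data: bytes, sig: bytes) -> bool:
        if not hmac.compare_digest(auth_data, rp_id_hash(self.origin)):
            return False  # signed over a different origin: the relayed assertion is rejected
        expected = hmac.new(self.key, auth_data + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


def relayed_otp_login(user_origin: str) -> bool:
    """A one-time code carries no notion of origin. Whatever page the user is on,
    the code they copy from their phone is forwarded and verifies at the real site."""
    server_code = "482913"            # constructed value the real site expects
    typed_code = server_code          # the user types it into the page in front of them
    return typed_code == server_code  # user_origin never enters the check


def relayed_fido_login(user_origin: str) -> bool:
    """The proxy relays the server's challenge unchanged, but the browser signs it
    together with the hash of the host it actually visited."""
    auth = Authenticator()
    rp = RelyingParty(LEGIT_ORIGIN, auth.key)
    challenge = secrets.token_bytes(16)
    auth_data, sig = auth.sign(user_origin, challenge)
    return rp.verify(challenge, auth_data, sig)


if __name__ == "__main__":
    for origin in (LEGIT_ORIGIN, PROXY_ORIGIN):
        print(f"{origin:30} OTP accepted: {relayed_otp_login(origin)}  "
              f"FIDO2 accepted: {relayed_fido_login(origin)}")
```

Running it shows the OTP login succeeding from both origins and the FIDO2 login succeeding only from the genuine one. In a real deployment the relying party also checks the `origin` field of the signed clientDataJSON, which binds the assertion a second time; the model keeps only the rpIdHash check because it is enough to show the mechanism.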

Examples

  1. In July 2022 Microsoft reported a large-scale AiTM phishing campaign that targeted more than 10,000 organizations by proxying Office 365 login pages and stealing session cookies.

  2. Open-source and commercial kits such as Evilginx, EvilProxy, and Tycoon 2FA automate AiTM phishing by acting as transparent reverse proxies.

Frequently asked questions

What is Adversary-in-the-Middle (AiTM) Phishing?

A phishing technique that places a reverse-proxy server between the victim and the real login page to relay credentials and steal the post-authentication session cookie, bypassing most MFA. It belongs to the Attacks & Threats category of cybersecurity.

What does Adversary-in-the-Middle (AiTM) Phishing mean?

A phishing technique that places a reverse-proxy server between the victim and the real login page to relay credentials and steal the post-authentication session cookie, bypassing most MFA.

How does Adversary-in-the-Middle (AiTM) Phishing work?

Adversary-in-the-Middle (AiTM) phishing is a credential- and session-theft technique in which the attacker interposes a reverse-proxy server between the victim and a legitimate website. Instead of serving a static fake page, the proxy fetches the real login page in real time and relays every request and response, so the victim sees the genuine site, completes any multi-factor authentication, and notices nothing unusual. As the traffic passes through, the proxy captures the username, password, and — crucially — the authenticated session cookie the server issues after MFA succeeds. The attacker replays that cookie to hijack the session without needing the second factor again. Because it defeats most one-time-code and push-based MFA, AiTM is commonly delivered through kits such as Evilginx, EvilProxy, and Tycoon 2FA, and is mitigated mainly by phishing-resistant, origin-bound MFA like FIDO2.

How do you defend against Adversary-in-the-Middle (AiTM) Phishing?

Defences for Adversary-in-the-Middle (AiTM) Phishing combine technical controls and operational practices. As the definition above notes, the primary control is phishing-resistant, origin-bound MFA such as FIDO2, which the relaying proxy cannot satisfy; because the attack ends in a replayed session cookie, monitoring for a session that is used from a different client than the one that completed authentication is a complementary detection.
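Because the final step of the attack is a replayed session cookie, one defensive signal is a session token being used from a different source IP or user agent than the one that completed MFA. The detector below is an added example, not code from the glossary or any vendor product; the JSON log format, field names, IP addresses (RFC 5737 documentation ranges) and events are constructed for the illustration. It groups sign-in and activity records by session and raises an alert the first time a session is seen from a client fingerprint that differs from the one recorded at authentication.

```python
"""Flag session tokens reused from a different client than the one that passed MFA.
Constructed example; the log lines and schema are invented for illustration."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records: alice's session is later used from another IP and browser.
SAMPLE_LOGS = """
{"ts":"2024-05-01T09:00:05Z","session":"s-1a2b","user":"alice","ip":"203.0.113.10","ua":"Firefox/125","event":"mfa_success"}
{"ts":"2024-05-01T09:01:10Z","session":"s-1a2b","user":"alice","ip":"203.0.113.10","ua":"Firefox/125","event":"mail_read"}
{"ts":"2024-05-01T09:04:42Z","session":"s-1a2b","user":"alice","ip":"198.51.100.77","ua":"Chrome/124","event":"inbox_rule_created"}
{"ts":"2024-05-01T09:10:00Z","session":"s-9f8e","user":"bob","ip":"192.0.2.55","ua":"Safari/17","event":"mfa_success"}
{"ts":"2024-05-01T09:12:30Z","session":"s-9f8e","user":"bob","ip":"192.0.2.55","ua":"Safari/17","event":"mail_read"}
""".strip().splitlines()


def parse_ts(value: str) -> datetime:
    """ISO-8601 with a trailing Z; normalised so older Pythons parse it too."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_session_reuse(lines: list[str]) -> list[dict]:
    """Return one alert per session whose token is used from a client fingerprint
    (source IP + user agent) different from the one that completed authentication."""
    by_session: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        record = json.loads(line)
        by_session[record["session"]].append(record)

    alerts = []
    for session_id, events in by_session.items():
        events.sort(key=lambda e: parse_ts(e["ts"]))
        # The authenticating client is the fingerprint seen at mfa_success,
        # falling back to the first record if no MFA event was logged.
        anchor = next((e for e in events if e["event"] == "mfa_success"), events[0])
        anchor_fp = (anchor["ip"], anchor["ua"])
        for e in events:
            if (e["ip"], e["ua"]) != anchor_fp:
                elapsed = parse_ts(e["ts"]) - parse_ts(anchor["ts"])
                alerts.append({
                    "session": session_id,
                    "user": e["user"],
                    "auth_ip": anchor["ip"],
                    "auth_ua": anchor["ua"],
                    "new_ip": e["ip"],
                    "new_ua": e["ua"],
                    "first_event": e["event"],
                    "minutes_after_auth": round(elapsed.total_seconds() / 60, 1),
                })
                break  # one alert per session is enough to trigger investigation
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_LOGS):
        print(json.dumps(alert))
```

On the sample data this flags alice's session only: the token that authenticated from 203.0.113.10 with Firefox is used 4.6 minutes later from 198.51.100.77 with Chrome to create an inbox rule. One caveat for real logs: in an AiTM flow the victim never reaches the site directly, so the `mfa_success` record itself carries the proxy's address; pairing this check with reputation or unfamiliar-location scoring of the authenticating IP catches the cases where the attacker reuses the same egress address for the replay.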

What are other names for Adversary-in-the-Middle (AiTM) Phishing?

Common alternative names include: AiTM Phishing, Man-in-the-Middle Phishing, MFA Bypass Phishing.
