AiTM phishing attacks against Microsoft 365: MFA bypasses, session hijacking, and BEC

AiTM phishing bypasses MFA in Microsoft 365

Adversary-in-the-Middle (AiTM) phishing has emerged as a highly effective technique for bypassing modern identity protections in cloud environments, including MFA.  

Attackers deploy phishing pages that function as live reverse proxies between the victim and the legitimate Microsoft 365 authentication services. When a user authenticates to Microsoft services through the proxy, their credentials and MFA challenge are validated in real time against Microsoft APIs, so the login appears legitimate to both the user and Microsoft.

These attacks increasingly target Microsoft 365 environments, where stolen session cookies enable persistent access to Exchange Online, SharePoint, OneDrive, and federated SaaS applications. Unlike legacy credential phishing, AiTM campaigns validate credentials against legitimate Microsoft APIs in real time, allowing threat actors to replay authenticated sessions even after successful MFA challenges.

Recent campaigns demonstrate how AiTM phishing serves as a reliable initial access vector for Business Email Compromise (BEC). By leveraging trusted platforms such as SharePoint to distribute malicious links, attackers blend into normal activity while establishing long-lived access that can persist until tokens expire or are revoked.

ThreatLocker examined the tactics, techniques, and procedures behind AiTM phishing attacks targeting Microsoft 365, breaking down the attack chains used to bypass MFA, hijack sessions, and enable BEC while also exploring the operational impact of token theft and the effectiveness and limitations of current mitigation strategies.

Technical analysis

Attackers deploy phishing pages that act as reverse proxies between the victim and the service they requested. Once the victim completes MFA through the proxy, the attacker captures the resulting session cookies and tokens, which can then be reused to access Microsoft 365 services directly, bypassing MFA enforcement.

These attacks can come in many forms; the example shown below is a malicious SharePoint attachment that requires a proxied sign-in through attacker-controlled infrastructure.

Although the phishing page itself is controlled by the attacker, the victim's credentials are checked against legitimate Microsoft APIs, so a correct password produces a genuine MFA prompt.

Once the threat actor has obtained the victim's login details, MFA is the next line of defense. Ordinarily this would be enough to thwart further login attempts, but once the victim completes MFA through the proxy, the attacker can impersonate the user at will.

The range of actions a threat actor can now perform is effectively unlimited; the focus here, however, is on initial compromise through AiTM methods and the BEC TTPs that follow.
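One thing the proxy cannot hide is that the sign-in page is served from attacker-controlled infrastructure rather than a Microsoft host, which is why link triage at the mail gateway or in a SOC playbook remains useful even when the credentials themselves are validated against Microsoft. The script below is an added example, not ThreatLocker code or a Microsoft feature: it extracts URLs from a message body and flags any sign-in-looking link whose host is not on an allowlist of Microsoft login endpoints. The allowlist, the path and host hints, and the sample message are assumptions constructed for the example; it deliberately handles two ways a legitimate host name can be used as a decoy (credentials before an `@` in the URL authority, and a real host name used as the leading labels of a longer attacker-owned domain).

```python
"""Triage links in a message body: flag sign-in-looking URLs whose host is not a
known Microsoft sign-in endpoint. Added example, not ThreatLocker code; the
allowlist, hints and sample message are constructed assumptions."""
import re
from urllib.parse import urlsplit

# Assumed allowlist of Microsoft sign-in hosts (extend with your federated IdP).
ALLOWED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Path fragments and host substrings that suggest a sign-in page (assumed heuristics).
LOGIN_PATH_HINTS = ("/login", "/oauth2", "/signin", "/saml")
LOGIN_HOST_HINTS = ("login", "microsoft")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def classify_login_url(url):
    """Return (verdict, hostname): 'trusted' for an allowlisted sign-in host,
    'suspect' for a sign-in-looking URL on any other host, 'other' otherwise."""
    parts = urlsplit(url)
    # .hostname strips any user:pass@ prefix, so "login.microsoftonline.com@decoy"
    # resolves to the real destination host, not the decoy text before the '@'.
    host = (parts.hostname or "").rstrip(".")
    path = parts.path.lower()
    if host in ALLOWED_LOGIN_HOSTS:
        return "trusted", host
    # Exact-match on the allowlist means "login.microsoftonline.com.<attacker>"
    # never matches; the substring hints then mark it as a sign-in lookalike.
    looks_like_login = (any(h in path for h in LOGIN_PATH_HINTS)
                        or any(h in host for h in LOGIN_HOST_HINTS))
    return ("suspect" if looks_like_login else "other"), host


def triage_message(body):
    """Classify every URL in a message body; returns [(url, verdict, host), ...]."""
    return [(u,) + classify_login_url(u) for u in URL_RE.findall(body)]


# Constructed sample: a SharePoint-style share notice whose "sign in" links point
# at proxy hosts, alongside a genuine Microsoft sign-in URL for comparison.
SAMPLE_BODY = """\
A document was shared with you.
Open: https://contoso.sharepoint.com/:b:/s/finance/invoice-q1
Sign in to view: https://login.microsoftonline.com@auth-check.example.test/common/oauth2/authorize
Alternate link: https://login.microsoftonline.com.secure-verify.example.test/login
Reference: https://login.microsoftonline.com/common/oauth2/authorize?client_id=constructed
"""

if __name__ == "__main__":
    for url, verdict, host in triage_message(SAMPLE_BODY):
        print(f"{verdict:8} {host:55} {url}")
```

Note that the genuine SharePoint share link is classified as `other`, not `suspect`: in the attack chain described above the share itself is hosted on legitimate infrastructure, and the tell is the sign-in redirect that follows it.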

Risk and impact of AiTM phishing attacks

  • Stolen session tokens enable mailbox takeover
  • Internal phishing
  • Business Email Compromise
  • Data access via SharePoint/OneDrive
  • Potential third-party resource access
  • Potential federated SSO abuse
  • Long-lived persistence until tokens expire or are revoked

Stolen session tokens obtained through AiTM phishing enable attackers to bypass MFA and take full control of a victim’s mailbox. Once access is established, threat actors can conduct internal phishing campaigns, escalate to BEC, and impersonate trusted users to defraud employees, partners, or customers.

Compromised identities also allow direct access to data stored in SharePoint and OneDrive, significantly increasing the risk of sensitive information exposure.

Beyond core Microsoft 365 services, stolen tokens may grant access to third-party SaaS applications and federated single sign-on (SSO) resources, expanding the impact of a single compromised account. Similar access has also been observed in attacks involving token forgery, where adversaries bypass authentication entirely.

Because these attacks rely on valid authentication artifacts rather than repeated logins, adversaries can maintain long-lived persistence until session tokens expire or are explicitly revoked, often remaining undetected for extended periods.

Steps for mitigation and their limitations

Defending against AiTM phishing requires layered identity controls, each with inherent limitations.  

Token binding and Continuous Access Evaluation (CAE) can reduce the usefulness of stolen tokens by enforcing re-evaluation of session validity, but coverage is inconsistent across SaaS applications and legacy protocols. Even when supported, tokens may still be abused within evaluation windows before CAE enforcement occurs.

Phishing-resistant MFA significantly reduces the risk of credential theft by preventing attackers from relaying authentication challenges, but it does not fully eliminate token replay attacks once a session is established. User enrollment friction and recovery complexity, particularly with hardware-bound authenticators, can also limit effectiveness.

Sign-in risk policies provide detection based on contextual signals, but false positives may disrupt legitimate users, and risk scoring often occurs only at initial authentication. This allows attackers to reuse captured tokens after access is granted.  

Session revocation serves as a critical post-compromise control, though its effectiveness depends on timely detection and may not immediately invalidate all refresh tokens or third-party OAuth sessions.

Detection of anomalous token reuse offers deeper visibility into AiTM activity but requires high-fidelity telemetry and mature identity analytics. Without careful tuning, these detections can be evaded by attackers who mimic normal user behavior or can overwhelm security teams with alert fatigue.

Mitigation Strategy              Primary Drawback                       Notes
Token Binding / CAE              Limited coverage and evaluation delay  Strong but not universal
Phishing-Resistant MFA           Usability and fallback weaknesses      Best against credential phishing
Sign-In Risk Policies            Probabilistic detection                Needs continuous signals
Aggressive Session Revocation    Post-compromise response only          High user impact
Anomalous Token Reuse Detection  Telemetry and tuning complexity        Maturity-dependent

FAQs

How does AiTM phishing bypass MFA in Microsoft 365?

AiTM phishing bypasses MFA by capturing session cookies and access tokens after a user successfully completes MFA through an attacker-controlled proxy. Once these tokens are obtained, attackers can replay them directly against Microsoft 365 services without triggering additional MFA prompts, effectively impersonating the user.

Why are Microsoft 365 environments frequently targeted by AiTM attacks?

Microsoft 365 environments are attractive targets due to their widespread adoption and reliance on token-based authentication. Access to Exchange Online, SharePoint, OneDrive, and federated SaaS applications can often be achieved using stolen session tokens.

What is the difference between token theft and token forgery?

Both techniques allow attackers to bypass MFA and maintain unauthorized access to cloud resources. Token theft occurs when attackers capture valid session tokens issued to a legitimate user, while token forgery involves generating authentication tokens without user interaction by abusing weaknesses in token issuance or validation processes.

Can phishing-resistant MFA fully prevent AiTM phishing attacks?

Phishing-resistant MFA significantly reduces the risk of credential theft but does not eliminate the risk of token replay attacks once a session is established. If a valid session token is captured, attackers may still reuse it until it expires or is revoked, highlighting the need for layered defenses beyond MFA alone.

How can organizations detect AiTM phishing and stolen session tokens?

Detection of AiTM phishing relies on identifying anomalous authentication behavior under a Zero Trust security model, where no session or identity is implicitly trusted. Indicators such as token reuse from unexpected locations, abnormal session lifetimes, or access patterns that deviate from baseline behavior can signal a compromise.
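The anomalous token reuse detection discussed in the mitigation section and the indicators listed in this answer (token reuse from an unexpected location, abnormal session lifetime) can be expressed as a small rule set over sign-in telemetry. The following is an added example, not ThreatLocker code or a Microsoft product feature: it parses constructed sign-in records (the field layout, ASN values, thresholds and sample data are all assumptions for the example) and raises an alert when a session that was established with interactive MFA is later presented as a bare token from a different network without a fresh MFA, or when a session stays active beyond a baseline lifetime. A fresh interactive MFA re-anchors the session, so a legitimate user who roams and re-authenticates is not flagged.

```python
"""Rule-based detection of anomalous session-token reuse over sign-in records.
Added example; record layout, ASNs, thresholds and sample data are constructed."""
import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO


@dataclass(frozen=True)
class SignInEvent:
    ts: datetime
    user: str
    session_id: str
    ip: str
    asn: str          # network the IP belongs to; a cheap proxy for "same place/device"
    user_agent: str
    auth: str         # "interactive_mfa" = user completed MFA; "token" = existing session presented


# Assumed threshold (tune to the tenant's observed baseline).
MAX_SESSION_AGE = timedelta(hours=24)

# Constructed sample telemetry (documentation IP ranges and private ASNs).
# Session sess-a1 is established with MFA from one network, then presented as a
# bare token from a second network and client, and reused again two days later;
# session sess-b1 is ordinary activity.
SAMPLE_LOG = """\
ts,user,session_id,ip,asn,user_agent,auth
2025-03-03T09:00:00,alice@contoso.example,sess-a1,203.0.113.10,AS64500,Chrome/Windows,interactive_mfa
2025-03-03T09:05:00,alice@contoso.example,sess-a1,203.0.113.10,AS64500,Chrome/Windows,token
2025-03-03T09:40:00,alice@contoso.example,sess-a1,198.51.100.7,AS64511,Chrome/Linux,token
2025-03-05T09:10:00,alice@contoso.example,sess-a1,198.51.100.7,AS64511,Chrome/Linux,token
2025-03-03T10:00:00,bob@contoso.example,sess-b1,203.0.113.20,AS64500,Edge/Windows,interactive_mfa
2025-03-03T10:30:00,bob@contoso.example,sess-b1,203.0.113.20,AS64500,Edge/Windows,token
"""


def parse_events(text):
    """Parse CSV sign-in records into SignInEvent objects."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append(SignInEvent(
            ts=datetime.fromisoformat(row["ts"]),
            user=row["user"], session_id=row["session_id"], ip=row["ip"],
            asn=row["asn"], user_agent=row["user_agent"], auth=row["auth"],
        ))
    return events


def detect_anomalous_token_reuse(events):
    """Return (session_id, user, reason) tuples for sessions that look replayed."""
    alerts = []
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_session[e.session_id].append(e)
    for sid, evs in by_session.items():
        origin = evs[0]   # where and how the session was first established
        for e in evs[1:]:
            if e.auth == "interactive_mfa":
                origin = e    # a fresh MFA legitimately re-anchors the session
                continue
            if e.asn != origin.asn:
                what = "network"
                if e.user_agent != origin.user_agent:
                    what += " and client"
                alerts.append((sid, e.user,
                    f"token presented from new {what} ({e.ip}, {e.user_agent}) without fresh MFA"))
        lifetime = evs[-1].ts - evs[0].ts
        if lifetime > MAX_SESSION_AGE:
            alerts.append((sid, evs[0].user,
                           f"session active for {lifetime} exceeds {MAX_SESSION_AGE}"))
    return alerts


if __name__ == "__main__":
    for sid, user, reason in detect_anomalous_token_reuse(parse_events(SAMPLE_LOG)):
        print(f"ALERT {user} {sid}: {reason}")
```

On the sample data this produces two replay alerts and one lifetime alert for `sess-a1` and nothing for `sess-b1`. The ASN comparison is deliberately coarse: real deployments would add per-user baselines for country, device identifier and working hours, and would key the rule on the tenant's actual session identifier rather than a constructed one.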

