performing-adversary-in-the-middle-phishing-detection

# Performing Adversary-in-the-Middle Phishing Detection ## Overview Adversary-in-the-Middle (AiTM) phishing attacks use reverse-proxy infrastructure to sit between the victim and the legitimate authentication service, intercepting both credentials and session cookies in real time. This allows attackers to bypass multi-factor authentication (MFA). The most prevalent PhaaS kits in 2025 include Tycoon 2FA, Sneaky 2FA, EvilProxy, and Evilginx. Over 1 million PhaaS attacks were detected in January-February 2025 alone. These attacks have evolved from QR codes to HTML attachments and SVG files for link distribution. ## When to Use - When conducting security assessments that involve performing adversary in the middle phishing detection - When following incident response procedures for related security events - When performing scheduled security testing or auditing activities - When validating security controls through hands-on testing ## Prerequisites - Azure AD / Entra ID Conditional Access policies - SIEM with authentication log ingestion (Azure AD sign-in logs) - Web proxy with SSL inspection and URL categorization - Endpoint Detection and Response (EDR) solution - FIDO2/phishing-resistant MFA capability ## Key Concepts ### How AiTM Works 1. Victim receives phishing email with link to attacker-controlled domain 2. Attacker domain runs reverse proxy that mirrors legitimate login page 3. Victim enters credentials on proxied page; credentials captured in transit 4. Reverse pro...