AitM Phishing Campaigns Target Microsoft 365 And Google Accounts To Steal Credentials

Adversary-in-the-Middle (AitM) phishing attacks have rapidly escalated in both scale and sophistication, posing a significant threat to Microsoft 365 and Google account users.

These campaigns have leveraged a new breed of Phishing-as-a-Service (PhaaS) kits that allow even low-skilled attackers to bypass traditional security controls, including multi-factor authentication (MFA).

The core of AitM campaigns lies in their ability to intercept authentication flows, granting attackers full account access by capturing both credentials and session cookies.

The result is an alarming rise in compromised business accounts, business email compromise incidents, and large-scale data theft.

Modern AitM phishing attacks differ fundamentally from the classic “lookalike login page” scams many users have learned to spot.

In these campaigns, attackers set up a relay or reverse-proxy server that sits invisibly between the victim and the actual login page of services like Microsoft 365 or Google.

When a victim interacts with the phishing page and enters their username, password, and even their MFA code, the AitM server transparently forwards these inputs to the genuine login service.

This process means the login appears normal to the victim, but, crucially, the attacker intercepts the returned session cookie.

By reusing this cookie, the attacker can log in directly to the victim’s cloud account without triggering additional MFA prompts, rendering even advanced security controls ineffective.

Sophisticated attackers use a multi-step, technical approach. Campaigns begin with lures crafted to mimic business requests or organizational notifications, delivered through spear-phishing emails.

  • These may contain malicious HTML or SVG attachments, or URLs hidden behind legitimate-looking redirects.
  • The links often leverage open-redirect vulnerabilities and multiple redirection stages to evade both security gateways and user suspicion.
  • Once a victim lands on the phishing site, the server deploys anti-bot measures such as CAPTCHA challenges, device fingerprinting, and IP filtering.
  • This ensures that only genuine targets are presented with the phishing form, making analysis by security researchers and automated scanners difficult.

After capturing credentials and the session token, the kit sends the data to attackers, often via encrypted channels or real-time notifications through messaging platforms like Telegram.

PhaaS kits leading the market in 2025 include Tycoon 2FA, Storm 1167, NakedPages, EvilProxy, and Evilginx.

These kits are distributed both as centralized services managed by the operators and as decentralized software that affiliates can host themselves.

Most include automated dashboards, campaign management, anti-bot updates, and even customer support for cybercriminals.

Many modern AitM kits use Telegram bots for license control, campaign operation, and exfiltration of stolen credentials.

The technical design often incorporates rapid domain rotation, randomized URLs, and frequent anti-bot script updates, helping kits stay ahead of threat detection systems.

Attackers also rely on distribution tactics like QR code-based lures and encrypted attachments, both of which are highly effective at bypassing traditional email security technology.

From a defender’s perspective, detection of AitM campaigns is challenging but not impossible.

Security teams are increasingly using authentication log analysis to spot suspicious patterns associated with AitM attacks.

For example, inspecting logs for anomalies in user-agent strings, unusual application IDs, or session replays can expose malicious activity.

Network defenders can also scan for signs of open redirects, multi-step HTML/SVG attachments, and patterns linked to known kit infrastructure.

Rule-based detection in cloud environments, such as alerting when non-browser or command-line user agents access O365 or Google accounts, can uncover attacks.
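As an added example that is not part of the original article, the rule-based checks described above applied to a handful of constructed sign-in events: a non-browser user agent, an application ID outside the expected set, and a session identifier replayed from a second IP shortly after issue. Field names, thresholds and sample values are assumptions, not any vendor's log schema.

```python
# Added example (not from the article): rule-based triage of constructed
# sign-in events for the AitM indicators the text lists. Field names and
# sample values are assumptions, not any vendor's log schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data).
EVENTS = [
    {"ts": "2025-06-01T09:00:00", "user": "alice", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0", "app": "OfficeHome", "session": "s-111"},
    {"ts": "2025-06-01T09:04:00", "user": "alice", "ip": "198.51.100.77",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0", "app": "OfficeHome", "session": "s-111"},
    {"ts": "2025-06-01T09:30:00", "user": "bob", "ip": "203.0.113.22",
     "ua": "python-requests/2.31", "app": "OfficeHome", "session": "s-222"},
    {"ts": "2025-06-01T10:00:00", "user": "carol", "ip": "203.0.113.33",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17.0", "app": "UnknownClient-9f3a", "session": "s-333"},
]

# Substrings that mark command-line or scripted clients rather than browsers (assumed list).
NON_BROWSER_UA = ("python-requests", "curl/", "powershell", "go-http-client", "okhttp")
# Applications normally expected to sign users in (assumed allowlist).
EXPECTED_APPS = {"OfficeHome", "Outlook", "Teams"}
# A session token reused from a different IP within this window is treated as replay.
REPLAY_WINDOW = timedelta(minutes=15)

def triage(events):
    """Return (rule, user, detail) tuples for events matching an AitM indicator."""
    findings = []
    by_session = defaultdict(list)  # session id -> [(ip, timestamp), ...]
    for e in sorted(events, key=lambda e: e["ts"]):
        ua = e["ua"].lower()
        if any(marker in ua for marker in NON_BROWSER_UA):
            findings.append(("non_browser_user_agent", e["user"], e["ua"]))
        if e["app"] not in EXPECTED_APPS:
            findings.append(("unexpected_application", e["user"], e["app"]))
        # Same session identifier seen from a second IP shortly after issue: replay.
        t = datetime.fromisoformat(e["ts"])
        for prev_ip, prev_t in by_session[e["session"]]:
            if prev_ip != e["ip"] and t - prev_t <= REPLAY_WINDOW:
                findings.append(("session_replay", e["user"], f"{prev_ip} -> {e['ip']}"))
                break
        by_session[e["session"]].append((e["ip"], t))
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(*finding)
```

In production these rules would run over exported identity-provider sign-in logs and be tuned against legitimate scripted clients and roaming users before alerting.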

According to the report, organizations are also urged to enhance user awareness and adopt advanced conditional access policies, including device- and context-based restrictions.

The technical evolution of AitM phishing campaigns represents a major shift in the threat landscape.

The widespread availability of robust PhaaS kits puts advanced capabilities in the hands of less sophisticated attackers, dramatically increasing the volume of successful credential theft incidents.

As both Microsoft 365 and Google accounts remain lucrative targets, organizations must move beyond reliance on standard MFA and user training, and invest in layered technical controls, threat intelligence, and vigilant operational monitoring to mitigate these risks.

The future of credential protection demands continuous adaptation as attackers refine their tactics in this ongoing security cat-and-mouse game.
