A dramatic escalation in phishing attacks leveraging Adversary-in-the-Middle (AiTM) techniques has swept across organizations worldwide in early 2025, fueled by the rapid evolution and proliferation of Phishing-as-a-Service (PhaaS) platforms.
Sekoia researchers and threat intelligence teams are sounding the alarm as these attacks become more complex, harder to detect, and increasingly effective at bypassing even advanced security measures like Multi-Factor Authentication (MFA).
Unlike traditional phishing, AiTM attacks use sophisticated reverse proxy servers to intercept user credentials and session cookies in real time.
When a victim clicks a link in a phishing email, often disguised as a legitimate corporate communication, they are taken to a fake login page that closely mimics trusted services such as Microsoft 365 or Google.
As the victim enters their credentials and MFA codes, the AiTM server relays this information to the real authentication service, capturing the session cookie that grants access.
With this cookie, attackers can bypass MFA entirely, accessing sensitive accounts and data undetected.
AiTM Phishing Attacks on Microsoft 365 and Google
The rise of PhaaS has democratized access to these advanced attack tools.
Platforms like Tycoon 2FA, EvilProxy, and Sneaky 2FA offer turnkey phishing kits with built-in AiTM capabilities, anti-bot features, and ready-to-use templates for a monthly fee, sometimes as low as $100.

Even cybercriminals with limited technical skills can now launch large-scale, highly effective phishing campaigns.
In the first two months of 2025 alone, over a million PhaaS-powered attacks were detected globally, with Tycoon 2FA responsible for nearly 90% of these incidents.
"Threat actors are constantly refining their methods to evade detection. Recent trends include the use of HTML and SVG attachments, QR codes, and multiple redirection steps to obscure malicious links from email filters and security scanners," reads the report.
Many phishing kits now employ encrypted scripts, Unicode obfuscation, and targeted filtering based on device fingerprinting and IP reputation. CAPTCHAs and other anti-bot measures further complicate efforts to identify and block these attacks.
The endgame for many AiTM phishing campaigns is Business Email Compromise (BEC), where attackers use hijacked accounts to initiate fraudulent transactions, exfiltrate sensitive documents, or conduct further spearphishing within and beyond the organization.
These attacks can result in significant financial losses and reputational damage.

Security experts warn that traditional defenses such as basic MFA and standard email security are no longer sufficient.
Organizations are urged to adopt multi-layered security strategies, including advanced behavioral analytics, biometric authentication, and comprehensive user education to recognize and report phishing attempts.
Continuous monitoring for suspicious authentication anomalies and proactive threat hunting are now essential to stay ahead of this rapidly evolving threat landscape.
As PhaaS platforms continue to innovate and expand, the arms race between cybercriminals and defenders is set to intensify throughout 2025.
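The AiTM flow described earlier (the proxy relays the victim's credentials and MFA response, then the attacker replays the captured session cookie) leaves a trace in the identity provider's sign-in telemetry: the same session identifier appears from a second client context without a fresh MFA challenge. The following detector, added here as an example and not code from the article or from Sekoia, runs that check over a small constructed log. The line format, the field names and every event in SAMPLE_LOG are assumptions made for illustration; real Microsoft Entra ID or Google Workspace logs carry the equivalent fields under their own names.

```python
"""Flag possible AiTM session-cookie replay in sign-in telemetry.

Added example, not code from the article or from Sekoia. The log format,
field names and all events below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str      # identifier of the session/refresh token the IdP issued
    ip: str
    user_agent: str
    mfa_satisfied: bool  # True when this event completed an MFA challenge


# Constructed sample telemetry (hypothetical format: one event per line,
# whitespace-separated; user agents have spaces replaced by underscores).
SAMPLE_LOG = """\
2025-03-04T09:12:05Z alice@example.com sess-7f31 203.0.113.10 Windows_NT_10.0_Chrome/122 mfa=true
2025-03-04T09:12:40Z alice@example.com sess-7f31 198.51.100.77 Windows_NT_10.0_Chrome/122 mfa=false
2025-03-04T09:30:00Z bob@example.com sess-a2c9 203.0.113.22 Macintosh_Safari/17 mfa=true
2025-03-04T11:45:00Z bob@example.com sess-a2c9 203.0.113.22 Macintosh_Safari/17 mfa=false
2025-03-04T13:00:00Z carol@example.com sess-0d4e 203.0.113.31 Windows_NT_10.0_Edge/122 mfa=true
2025-03-04T13:20:00Z carol@example.com sess-0d4e 203.0.113.90 Windows_NT_10.0_Edge/122 mfa=true
"""


def parse_line(line: str) -> SignIn:
    ts, user, sid, ip, ua, mfa = line.split()
    return SignIn(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        user=user, session_id=sid, ip=ip, user_agent=ua,
        mfa_satisfied=(mfa == "mfa=true"),
    )


def parse_log(text: str) -> list[SignIn]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_session_replays(events: list[SignIn]) -> list[dict]:
    """Return one alert per later use of a session that comes from a different
    IP or user agent than the event that obtained it, with no new MFA challenge.

    In an AiTM flow the interactive sign-in (credentials + MFA) is relayed
    through the proxy, so the cookie is minted for the proxy's client context;
    the attacker then replays it from another machine. That second use shows
    up as the same session identifier with a different origin and no MFA event.
    """
    by_session: dict[str, list[SignIn]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(ev.session_id, []).append(ev)

    alerts = []
    for sid, evs in by_session.items():
        origin = evs[0]  # the event that obtained the session
        for later in evs[1:]:
            if later.mfa_satisfied:
                continue  # a new MFA challenge was passed; not a silent replay
            if later.ip == origin.ip and later.user_agent == origin.user_agent:
                continue  # same client context; ordinary token reuse
            alerts.append({
                "user": later.user,
                "session_id": sid,
                "origin_ip": origin.ip,
                "replay_ip": later.ip,
                "user_agent_changed": later.user_agent != origin.user_agent,
                "seconds_since_issue": int((later.ts - origin.ts).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data only alice's session is flagged: sess-7f31 was obtained from 203.0.113.10 and reused 35 seconds later from 198.51.100.77 with no MFA event. Bob's reuse keeps the same IP and user agent, and carol's new location passed a fresh MFA challenge, so neither is reported. Two caveats for production use: the user agent is attacker-influenced (a proxy can forward the victim's string unchanged), so a change of IP or ASN is the stronger signal; and the issuing event itself coming from a hosting-provider address rather than a known corporate range is a second, independent indicator worth correlating with this one.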