When MFA Isn’t Enough: The Rise of AiTM Phishing Attacks

Multi-Factor Authentication (MFA) is enabled. Employees are trained. Security tools are in place. And still… organizations get compromised.

At Resilient Security, we continue to see it happen, most recently in a real-world case where a phishing attack managed to bypass MFA. Thanks to fast detection and response, the impact was limited. But the attack itself highlights an important reality: MFA alone is no longer enough.

A phishing attack that looks… completely normal

Phishing remains one of the most common attack vectors. And with the rise of AI, these attacks are becoming more convincing than ever.

In this case, the attack followed a familiar pattern:

  • An employee receives a phishing email from a seemingly trusted source
  • They click the link and land on a realistic login page
  • They enter their credentials and complete MFA
  • Everything appears legitimate

But behind the scenes, something very different is happening.

This is known as an Adversary-in-the-Middle (AiTM) attack.

The attacker sits between the user and the real login service, intercepting the authentication flow in real time. When the user logs in and completes MFA, the attacker captures the session cookie, effectively gaining authenticated access without needing credentials or MFA again.
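When a captured session cookie is replayed, the same session can appear from a client other than the one that completed MFA, which is a signal defenders can search for in sign-in logs. The following is an added example, not code from the original post or from Resilient Security; the event field names and the sample records are constructed for illustration and do not follow any vendor's log schema.

```python
from collections import defaultdict

# Constructed sign-in events (not real logs). Field names are hypothetical;
# the IP addresses come from the reserved documentation ranges.
EVENTS = [
    {"time": 100, "user": "alice", "session": "s-01", "ip": "192.0.2.10", "agent": "Edge/Windows", "mfa": True},
    {"time": 160, "user": "alice", "session": "s-01", "ip": "192.0.2.10", "agent": "Edge/Windows", "mfa": False},
    {"time": 220, "user": "alice", "session": "s-01", "ip": "203.0.113.77", "agent": "Chrome/Linux", "mfa": False},
    {"time": 300, "user": "bob", "session": "s-02", "ip": "198.51.100.5", "agent": "Safari/macOS", "mfa": True},
    {"time": 900, "user": "bob", "session": "s-02", "ip": "198.51.100.5", "agent": "Safari/macOS", "mfa": False},
    {"time": 950, "user": "carol", "session": "s-03", "ip": "203.0.113.80", "agent": "Chrome/Linux", "mfa": False},
]

def find_session_replays(events):
    """Flag sessions used by a client other than the one that established them."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_session[ev["session"]].append(ev)

    findings = []
    for session, evs in by_session.items():
        # Baseline: the first event in which MFA was satisfied for this session.
        baseline = next((e for e in evs if e["mfa"]), None)
        if baseline is None:
            # Session seen without its sign-in event: nothing to compare against,
            # so surface it for manual review instead of silently passing it.
            findings.append({"session": session, "user": evs[0]["user"],
                             "reason": "no-mfa-baseline"})
            continue
        origin = (baseline["ip"], baseline["agent"])
        for ev in evs:
            client = (ev["ip"], ev["agent"])
            if ev["time"] > baseline["time"] and client != origin:
                findings.append({"session": session, "user": ev["user"],
                                 "reason": "client-changed", "from": origin,
                                 "to": client, "time": ev["time"]})
                break  # one finding per session is enough to open a case
    return findings

if __name__ == "__main__":
    for finding in find_session_replays(EVENTS):
        print(finding)
```

Legitimate network changes (VPN, mobile roaming) also alter the client address, so a finding is a trigger for review and session revocation, not proof of compromise.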

What happens after access is gained?

Once inside, attackers don’t need to move fast; they need to stay unnoticed.

Typical actions include:

  • Reading emails and monitoring conversations
  • Creating inbox rules to hide specific messages
  • Sending emails from the compromised account
  • Intercepting invoices or altering payment details

In many cases, the real damage happens later, through financial fraud or further lateral movement.

Why this matters now more than ever

This type of attack is not entirely new, but it is becoming increasingly relevant.

Tools are more accessible. Phishing campaigns are more sophisticated. And users are more likely to trust what they see.

Organizations that rely solely on traditional MFA and awareness training are at risk of missing this evolving threat.

How we approach this at Resilient PROTECT

Preventing and responding to AiTM attacks requires a layered and well-orchestrated approach.

  1. Prevention through stronger controls

We focus on implementing phishing-resistant MFA and Conditional Access policies that reduce the risk of session hijacking and limit access based on context.

  2. Detection and rapid response

When an incident occurs, speed is critical. Key actions include:

  • Revoking active sessions
  • Resetting credentials
  • Reviewing and removing unauthorized authentication methods

Clear processes must be in place to execute these steps immediately and consistently.

  3. The importance of correct configuration

Having the right tools, such as Microsoft Defender XDR with its automatic Attack Disruption capability, is only part of the solution. Proper configuration and tuning are what make the difference between detection and missed signals.

From tools to resilience

AiTM phishing attacks are a clear example of how cyber threats evolve faster than traditional defenses.

Security is no longer about a single control; it’s about how controls, processes and people work together.

At Resilient Security, we focus on building that complete picture: from prevention to detection, and from response to long-term resilience.

Because in today’s landscape, being secure is not enough. You need to be resilient!
