Phishing with Adversary-in-the-Middle (AITM) Tactics: Why MFA Isn’t Bulletproof

For years, multi-factor authentication (MFA) has been promoted as one of the best defenses against phishing attacks. By requiring something more than just a password (such as a text message code or app-based approval), businesses could make it far harder for attackers to break in. But in 2025, attackers have learned new tricks. A growing threat called Adversary-in-the-Middle (AITM) phishing is proving that MFA alone isn’t bulletproof.

How AITM Phishing Works

Traditional phishing tricks people into typing their password into a fake login page. MFA used to block most of those attacks, since the attacker couldn’t get the second factor. But with AITM phishing, attackers set up a proxy website that sits between the victim and the real login page.

Here’s what happens:

  1. You click a phishing link and see a fake login page.
  2. You enter your username and password, and then your MFA code.
  3. The attacker’s proxy passes all that information to the real site in real time.
  4. The attacker now has an authenticated session token and can hijack your account.

To you, everything looks normal. To the attacker, it’s the perfect way to slip past MFA.

Why MFA Alone Isn’t Enough

MFA is still important; it blocks countless attacks every day. But AITM tactics show its limits. SMS codes and even push notifications can be intercepted in real time. If attackers can grab the token that proves you’re logged in, they don’t need your password or code anymore.

This doesn’t mean MFA is useless. It means we need to raise the bar with stronger, phishing-resistant methods.

The Case for Higher-Assurance Authentication

One of the most effective defenses against AITM attacks is FIDO2 authentication. Instead of sending a code, FIDO2 uses cryptographic keys tied to the legitimate website you’re logging into. Even if an attacker creates a fake login page, the cryptographic handshake won’t work. It simply won’t trust the wrong site.

Other higher-assurance methods include:

  • Security keys (YubiKeys, Feitian, etc.) that confirm you’re talking to the real website.
  • Passkeys, a newer, user-friendly version of FIDO2 that works across devices.
  • Device-bound certificates that can’t be replayed by an attacker.

These methods close the gap that AITM phishing exploits.
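The following Python is an added illustration, not code from the original post, of the origin binding described above. It models the three parties in a FIDO2 login (security key, browser, relying party) and shows why an assertion produced on a proxy page is rejected even when the proxy relays the real site’s challenge verbatim. The host names login.example.com and login.example-proxy.com are constructed; an HMAC with a per-site secret stands in for the asymmetric signature a real security key produces so the example runs with the standard library only. The checks themselves (the browser refusing an rpId the page’s origin cannot claim, the relying party comparing origin and rpIdHash before checking the signature) follow the WebAuthn verification steps.

```python
import hashlib
import hmac
import json
import secrets

# Relying party (the real login site). Constructed names for this example.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"


def rp_id_hash(rp_id: str) -> bytes:
    # WebAuthn authenticatorData begins with SHA-256 of the RP ID.
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """Simplified security key: one credential per RP ID it was registered with.

    A real key signs with a per-site private key; here a per-site HMAC secret
    (handed to the RP at registration in place of a public key) stands in for it.
    """

    def __init__(self):
        self._keys = {}  # rp_id -> per-site secret

    def register(self, rp_id: str) -> bytes:
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        key = self._keys.get(rp_id)
        if key is None:            # no credential exists for this site
            return None
        authenticator_data = rp_id_hash(rp_id) + b"\x01"  # rpIdHash || flags (UP)
        sig = hmac.new(key, authenticator_data + client_data_hash, hashlib.sha256).digest()
        return authenticator_data, sig


def browser_get_assertion(key, page_origin, rp_id, challenge, enforce_checks=True):
    """Models the browser. It records the origin the page is really loaded from in
    clientDataJSON and refuses an rpId that this origin is not allowed to claim.
    enforce_checks=False models a non-compliant client that skips the rpId check."""
    host = page_origin.split("://", 1)[1]
    if enforce_checks and not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("SecurityError: rpId is not a registrable suffix of the page origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    result = key.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if result is None:
        raise ValueError("NotAllowedError: no credential registered for this rpId")
    auth_data, sig = result
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self):
        self._creds = {}      # user -> secret stored at registration
        self._pending = set()  # challenges issued but not yet consumed

    def register(self, user: str, key: Authenticator) -> None:
        self._creds[user] = key.register(RP_ID)

    def new_challenge(self) -> str:
        c = secrets.token_urlsafe(32)
        self._pending.add(c)
        return c

    def verify(self, user: str, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get":
            return False
        if data.get("challenge") not in self._pending:
            return False
        if data.get("origin") != RP_ORIGIN:         # signed origin must be ours
            return False
        if auth_data[:32] != rp_id_hash(RP_ID):    # assertion must be for our RP ID
            return False
        expected = hmac.new(self._creds[user],
                            auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self._pending.discard(data["challenge"])   # one use per challenge
        return True


def login_attempt(page_origin: str, requested_rp_id: str, enforce_checks=True) -> str:
    """One login from a page at page_origin. Returns 'accepted' or the failure reason."""
    rp, key = RelyingParty(), Authenticator()
    rp.register("alice", key)
    challenge = rp.new_challenge()   # a proxy can relay this value unchanged
    try:
        client_data, auth_data, sig = browser_get_assertion(
            key, page_origin, requested_rp_id, challenge, enforce_checks)
    except ValueError as e:
        return str(e)
    return "accepted" if rp.verify("alice", client_data, auth_data, sig) else "rejected by relying party"


if __name__ == "__main__":
    print(login_attempt(RP_ORIGIN, RP_ID))
    print(login_attempt("https://login.example-proxy.com", RP_ID))
    print(login_attempt("https://login.example-proxy.com", "login.example-proxy.com"))
    print(login_attempt("https://login.example-proxy.com", RP_ID, enforce_checks=False))
```

Only the first call succeeds. A page served from the proxy’s domain cannot request an assertion for the real site’s rpId (the browser refuses), has no credential under its own rpId (the key refuses), and even a client that skipped the browser check would produce an assertion whose signed origin the relying party rejects. Contrast this with the password and SMS or push code in the steps above, which carry no such binding and relay cleanly.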

What Businesses Should Do Now

  1. Educate your staff on how AITM phishing works so they know the risks.
  2. Adopt phishing-resistant MFA like FIDO2 keys where possible.
  3. Layer your defenses with Zero Trust principles: never assume a login is safe just because MFA was used.
  4. Work with a trusted partner who can help evaluate your risk and implement stronger protections.

Cybersecurity never stands still, and neither do attackers. MFA was a leap forward, but it’s no longer the final word. If you want to make sure your business-critical systems stay protected, it’s time to look at stronger solutions.