
Adversary-in-the-Middle (AiTM)

An adversary-in-the-middle, or AiTM, attack uses a real-time phishing proxy or interception layer to capture credentials, sessions, or tokens between a victim and a legitimate service. It matters because AiTM can undermine login protections that would stop more basic phishing.

What is an Adversary-in-the-Middle (AiTM) Attack?

In an AiTM attack, the victim interacts with an attacker-controlled intermediary that relays traffic to the real service in real time. The victim may see a convincing login experience while the attacker captures credentials, tokens, cookies, or MFA-related artifacts during the process.

AiTM is especially dangerous because it can turn a successful phish into session theft or near-immediate account abuse.

How AiTM Attacks Commonly Work

A typical flow runs through lure delivery, a fake but functional login page, real-time credential relay, capture of session material, and reuse of the authenticated session or token by the attacker.

AiTM vs. Man-in-the-Middle

Both involve interception, but AiTM usually refers more specifically to the attacker-controlled phishing-proxy pattern used against real login flows and modern authentication mechanisms.

Frequently Asked Questions

Can AiTM defeat MFA?

Yes. It can sometimes bypass weaker MFA methods by capturing the resulting session or token after the victim successfully authenticates.

How can defenders reduce AiTM risk?

Phishing-resistant authentication, passkeys, hardware security keys, secure browsing controls, domain protection, session risk analysis, and strong user reporting all help.
