Adversary-in-the-Middle Phishing Attacks Targeting Microsoft 365
Threat actors are increasingly leveraging adversary-in-the-middle (AitM) phishing techniques to compromise Microsoft 365 accounts. In a recent incident, attackers used a phishing email with a malicious link that mimicked the Microsoft login page, capturing both credentials and session cookies to bypass multi-factor authentication (MFA). The attackers expanded their access through password spraying, brute force attacks, and the use of VPNs and residential proxies to evade detection. Persistence was achieved by manipulating inbox rules and abusing OAuth permissions via legitimate email clients, allowing continued access to compromised accounts.
Traditional detection methods, such as URL reputation and static fingerprinting, are proving ineffective against these sophisticated AitM phishing kits, which proxy the real Microsoft authentication flow and associated assets. In response, security researchers have developed new defensive measures, including browser extensions that detect AitM attacks at the point of interaction by monitoring for unexpected HTTP referers and injecting visible warnings. However, as attackers adapt and proxy more elements of the authentication process, even these advanced defenses face challenges, highlighting the need for continuous innovation in anti-phishing strategies.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Campaign evasion tactics and detection opportunities are published
The analysis disclosed that the attacker used VPNs, residential proxies, and cloud services to blend into legitimate traffic and avoid detection. It also identified monitoring opportunities such as unusual authentication patterns, inbox rule changes, OAuth grants, and anomalous Microsoft Graph API activity.
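The monitoring opportunities listed above (unusual authentication patterns, inbox rule changes, OAuth grants) can be turned into concrete detections. The Python below is an added example written for this page, not code from Mallory, Eye Security or the incident analysis it summarizes. The event records are constructed and use a simplified shape of this example's own rather than the exact Microsoft 365 unified audit log schema; the thresholds (five accounts in ten minutes for spraying, three source IPs in an hour for proxy rotation) and the list of "risky" Graph permission names are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (field names are this example's own, not the real M365 schema).
SAMPLE_EVENTS = [
    # One source IP failing against many different accounts: password-spray pattern.
    {"ts": "2024-01-10T08:00:00", "op": "UserLoginFailed", "user": "alice@example.com", "ip": "203.0.113.5"},
    {"ts": "2024-01-10T08:00:04", "op": "UserLoginFailed", "user": "bob@example.com", "ip": "203.0.113.5"},
    {"ts": "2024-01-10T08:00:09", "op": "UserLoginFailed", "user": "carol@example.com", "ip": "203.0.113.5"},
    {"ts": "2024-01-10T08:00:15", "op": "UserLoginFailed", "user": "dave@example.com", "ip": "203.0.113.5"},
    {"ts": "2024-01-10T08:00:21", "op": "UserLoginFailed", "user": "erin@example.com", "ip": "203.0.113.5"},
    # One account succeeding from several unrelated IPs in a short window (VPN / residential proxy rotation).
    {"ts": "2024-01-10T09:10:00", "op": "UserLoggedIn", "user": "carol@example.com", "ip": "198.51.100.7"},
    {"ts": "2024-01-10T09:25:00", "op": "UserLoggedIn", "user": "carol@example.com", "ip": "198.51.100.40"},
    {"ts": "2024-01-10T09:41:00", "op": "UserLoggedIn", "user": "carol@example.com", "ip": "192.0.2.33"},
    # Inbox rule that forwards mail externally and deletes the original (classic BEC persistence).
    {"ts": "2024-01-10T09:45:00", "op": "New-InboxRule", "user": "carol@example.com", "ip": "192.0.2.33",
     "params": {"Name": ".", "ForwardTo": "drop@example.net", "DeleteMessage": "True"}},
    # Benign rule for comparison: moves newsletters to a folder, no forwarding or deletion.
    {"ts": "2024-01-10T10:00:00", "op": "New-InboxRule", "user": "bob@example.com", "ip": "10.0.0.8",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
    # OAuth consent to a mail client application with broad mailbox permissions (scopes are illustrative).
    {"ts": "2024-01-10T09:50:00", "op": "Consent to application.", "user": "carol@example.com", "ip": "192.0.2.33",
     "params": {"AppDisplayName": "eM Client", "Permissions": "Mail.ReadWrite Mail.Send offline_access"}},
]

# New-InboxRule parameters that exfiltrate or hide mail; "Name" of "." or blank is a common tell.
RISKY_RULE_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage")
# Assumed set of Graph delegated permissions worth alerting on when granted to a new app.
RISKY_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Mail.Read", "MailboxSettings.ReadWrite", "Files.ReadWrite.All"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: distinct_accounts} for IPs failing logins against >= min_users accounts within window."""
    fails = defaultdict(list)
    for e in events:
        if e["op"] == "UserLoginFailed":
            fails[e["ip"]].append((parse_ts(e["ts"]), e["user"]))
    hits = {}
    for ip, rows in fails.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):  # slide a window starting at each failure
            users = {u for t, u in rows[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[ip] = len(users)
                break
    return hits


def detect_ip_rotation(events, window=timedelta(hours=1), min_ips=3):
    """Return {user: sorted_ips} for accounts with successful logins from >= min_ips IPs within window."""
    logins = defaultdict(list)
    for e in events:
        if e["op"] == "UserLoggedIn":
            logins[e["user"]].append((parse_ts(e["ts"]), e["ip"]))
    hits = {}
    for user, rows in logins.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            ips = {ip for t, ip in rows[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                hits[user] = sorted(ips)
                break
    return hits


def detect_inbox_rules(events):
    """Return (user, ts, reasons) for inbox rule operations that forward, redirect, delete, or hide their name."""
    hits = []
    for e in events:
        if e["op"] in ("New-InboxRule", "Set-InboxRule"):
            params = e.get("params", {})
            reasons = [k for k in RISKY_RULE_PARAMS if k in params]
            if not params.get("Name", "x").strip(" ."):
                reasons.append("blank-or-dot-name")
            if reasons:
                hits.append((e["user"], e["ts"], reasons))
    return hits


def detect_oauth_grants(events, risky=RISKY_SCOPES):
    """Return (user, app, risky_scopes) for consent events that grant mailbox or file permissions."""
    hits = []
    for e in events:
        if e["op"] == "Consent to application.":
            scopes = set(e.get("params", {}).get("Permissions", "").split())
            bad = sorted(scopes & risky)
            if bad:
                hits.append((e["user"], e["params"]["AppDisplayName"], bad))
    return hits


def correlate(events):
    """Run every detector and group findings per subject so the whole intrusion chain shows in one view."""
    findings = defaultdict(list)
    for ip, n in detect_password_spray(events).items():
        findings[f"ip:{ip}"].append(f"password spray against {n} accounts")
    for user, ips in detect_ip_rotation(events).items():
        findings[user].append(f"logins from {len(ips)} IPs within 1h: {', '.join(ips)}")
    for user, ts, reasons in detect_inbox_rules(events):
        findings[user].append(f"suspicious inbox rule at {ts}: {', '.join(reasons)}")
    for user, app, scopes in detect_oauth_grants(events):
        findings[user].append(f"OAuth consent to '{app}' with {', '.join(scopes)}")
    return dict(findings)


if __name__ == "__main__":
    for subject, items in correlate(SAMPLE_EVENTS).items():
        print(subject)
        for item in items:
            print("  -", item)
```

The point of `correlate` is that each signal on its own is weak (a user on a VPN trips the IP check, a help desk creates forwarding rules) but one account that appears in the rotation, inbox-rule and OAuth detectors within the same hour is the stolen-session-to-persistence chain the incident describes, and that combination is what an analyst should page on.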
Lateral movement conducted via internal phishing and Dropbox abuse
After establishing persistence, the attacker moved laterally by using compromised accounts for internal phishing and by abusing Dropbox to distribute malicious PDFs. The campaign leveraged trusted internal channels and cloud services to deepen the compromise.
Persistence established through inbox rules and OAuth abuse
The attacker maintained access by manipulating inbox rules and abusing OAuth, including registering a legitimate eM Client application with high-risk Microsoft Graph API permissions. This created durable access paths beyond the original stolen session.
Attackers expand access using password attacks and legacy authentication
In the same BEC campaign, the attacker used password spraying, brute force, and legacy authentication protocols to broaden access to additional accounts and services. These steps marked an escalation from initial credential theft to wider compromise.
A BEC campaign begins with AitM phishing to steal M365 access
A separately analyzed business email compromise campaign started with an adversary-in-the-middle phishing attack that captured credentials and session tokens, enabling the attacker to bypass multi-factor authentication. The intrusion then expanded beyond the initial compromise into broader account abuse.
Researchers report high detection efficacy against modern phishing kits
Eye Security reported that M365 AitM Block achieved a high detection rate against contemporary phishing kits, including kits using obfuscation and anti-debugging techniques. This provided new technical detail on a defensive approach for identifying modern M365 phishing attacks.
Eye Security develops M365 AitM Block browser extension
Eye Security developed M365 AitM Block for Chrome and Edge to detect Microsoft 365 AitM phishing during the login process by monitoring DOM elements and layout properties rather than relying on static page analysis. The extension was designed to work fully offline and warn users when suspicious login flows are detected.
Modern M365 AitM phishing attacks are analyzed and characterized
Eye Security documented that adversary-in-the-middle phishing against Microsoft 365 had evolved to use real-time proxying of authentication flows, allowing attackers to steal credentials and session tokens while evading traditional URL- and reputation-based detection. The research described these attacks as increasingly sophisticated and effective against modern login protections.