Tags: phishing-campaign-intelligence, credential-access-method, identity-authentication-vulnerability, defense-evasion-method

Adversary-in-the-Middle Phishing and Evasion Techniques That Bypass MFA

Updated 2d ago. First seen Mar 8, 2026. 2 sources.

Adversary-in-the-middle (AiTM) phishing continues to undermine traditional MFA by proxying legitimate Microsoft sign-in flows in real time, allowing attackers to capture not only passwords but also session tokens and MFA responses. One investigation described how sophisticated redirect infrastructure (e.g., unusually deep redirect chains) can place the final phishing content beyond the reach of many email security scanners, and how one-time URL tokens can prevent defenders from reproducing the full chain after the fact—making in-the-moment evidence collection critical. The same analysis emphasized that phishing-resistant MFA (e.g., FIDO2/passkeys) is a more effective control because hardware-bound credentials cannot be relayed through a proxy.
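The evidence-collection point above, as an added example that is not code from the page or from the investigation it summarises: a redirect walker that follows each 3xx by hand and records every hop the moment it is seen, then flags chain depth and token-like parameters. The `fetch` callback, the token heuristic and the sample chain are constructed assumptions, not observed Hopper infrastructure.

```python
# Added example, not code from the page or the investigator: follow a redirect
# chain one 3xx at a time and record each hop as it is observed, since one-time
# URL tokens can make the chain impossible to replay afterwards. fetch(), the
# token heuristic and the sample chain below are constructed assumptions.
from urllib.parse import parse_qs, urljoin, urlparse

TOKEN_KEYS = {"t", "token", "s", "k", "sid"}  # hypothetical well-known keys

def looks_like_token(key, values):
    """Short well-known key, or any long opaque value, counts as a token."""
    return key.lower() in TOKEN_KEYS or any(len(v) >= 16 for v in values)

def walk_redirects(start, fetch, max_hops=10):
    """fetch(url) -> (status, headers). Returns one evidence dict per hop."""
    hops, seen, url = [], set(), start
    while len(hops) < max_hops and url not in seen:
        seen.add(url)
        status, headers = fetch(url)
        loc = headers.get("Location")
        query = parse_qs(urlparse(url).query)
        hops.append({
            "url": url, "status": status, "location": loc,
            "token_params": [k for k, v in query.items() if looks_like_token(k, v)],
        })
        if not (300 <= status < 400 and loc):
            break  # final destination (or a non-redirect error) reached
        url = urljoin(url, loc)  # also resolves relative Location headers
    return hops

def assess(hops, depth_threshold=3):
    """Summarise the chain: redirects followed, hosts, final URL, tokenized hops."""
    depth = len(hops) - 1  # number of redirects actually followed
    return {
        "depth": depth,
        "deep_chain": depth >= depth_threshold,
        "hosts": [urlparse(h["url"]).hostname for h in hops],
        "final_url": hops[-1]["url"],
        "tokenized_hops": [h["url"] for h in hops if h["token_params"]],
    }

# Constructed sample chain (not real infrastructure): four redirects to a proxy.
SAMPLE = {
    "https://tracker.example/click?c=a1": (302, {"Location": "https://mid.example/r?t=9f8e7d6c5b4a3928171605"}),
    "https://mid.example/r?t=9f8e7d6c5b4a3928171605": (302, {"Location": "/gate"}),
    "https://mid.example/gate": (302, {"Location": "https://edge.example/go?k=0123456789abcdef0123"}),
    "https://edge.example/go?k=0123456789abcdef0123": (302, {"Location": "https://login-lookalike.example/common/oauth2/authorize"}),
}

def fake_fetch(url):
    return SAMPLE.get(url, (200, {}))  # anything unlisted is the final page
```

Swap `fake_fetch` for a client that issues HEAD/GET without auto-following redirects and the same walker records every hop, including the tokenized ones that cannot be revisited later.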

Operationally, defenders are being pushed to treat modern phishing as an infrastructure and workflow problem, not just a user-awareness issue: attackers increasingly use HTTPS, branded lookalike pages/domains, redirects, and short-lived links to evade detection, including QR phishing (codes embedded in PDFs that bypass URL scanning). Additional pressure tactics like MFA fatigue (push-spam) remain effective against push-based MFA, with mitigations including number matching, contextual prompts (e.g., location), and monitoring for abnormal push rates. For earlier detection of AiTM activity, one proposed tripwire is embedding Canary Tokens in Microsoft Entra ID tenant branding (e.g., custom CSS) to alert when an AiTM proxy loads the login page, while noting this is not universally reliable across all kits.


EVENT TIMELINE

How this story unfolded

5 events from the most recent confirmed update back to the earliest known activity.

Mar 8, 2026 (4mo ago)

Sekoia confirms previously undocumented PhaaS kit behind Hopper

After the investigator shared findings with Sekoia's TDR team, the team confirmed the activity was linked to a previously undocumented phishing-as-a-service kit. This marked a new attribution development for the Hopper campaign.

Researcher rules out several known AiTM and PhaaS kits

Technical analysis using mitmproxy and observed fingerprints led the author to systematically exclude Tycoon 2FA, Mamba 2FA, Sneaky 2FA, Gabagool, and Evilginx as matches for the campaign. This narrowed attribution toward a distinct, previously undocumented kit.

Investigation documents Hopper's seven-hop redirect architecture

During analysis of a single attack, the investigator identified a seven-hop redirect chain used for tracking, anti-bot checks, token generation, victim routing, and final proxy delivery. The findings showed how incomplete redirect resolution by email security tools can miss the final phishing destination.

Hopper phishing campaign operates across sectors for multiple months

Pivoting on the unique JavaScript filename "ui-form-security.js" via urlscan.io revealed a multi-month, multi-sector adversary-in-the-middle phishing campaign later dubbed Hopper. The operation proxied real Microsoft login flows to capture credentials, MFA responses, and session tokens.

Mar 6, 2026 (4mo ago)

Help Net Security video outlines modern phishing evasion techniques

Gal Livschitz of Terra Security described how current phishing attacks use HTTPS, branded spoof pages, lookalike domains, redirects, and short-lived links to evade detection, and highlighted QR phishing as a growing tactic. He also warned about MFA fatigue, AI-generated phishing, and voice cloning, while recommending phishing-resistant MFA and improved training and mobile controls.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

Threat actors (1 linked)

Affected products (4 linked): mitmproxy, ASP.NET Core, Microsoft Entra ID, DocuSign

Organizations (7 linked): Microsoft Corporation, Thinkst Applied Research, Sekoia, DocuSign, Calendly, Help Net Security, Terra Security