Adversary-in-the-Middle Phishing and Evasion Techniques That Bypass MFA
Adversary-in-the-middle (AiTM) phishing continues to undermine traditional MFA by proxying legitimate Microsoft sign-in flows in real time, allowing attackers to capture not only passwords but also session tokens and MFA responses. One investigation described how sophisticated redirect infrastructure (e.g., unusually deep redirect chains) can place the final phishing content beyond the reach of many email security scanners, and how one-time URL tokens can prevent defenders from reproducing the full chain after the fact, which makes in-the-moment evidence collection critical. The same analysis emphasized that phishing-resistant MFA (e.g., FIDO2/passkeys) is a more effective control because hardware-bound credentials cannot be relayed through a proxy.
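The two resolution problems described above, a scanner that stops following redirects too early and a chain that cannot be replayed once its one-time URLs have been consumed, can be modelled offline. The following is an added example, not code from the investigation or from any email security product; the hosts, the `once=` token parameter and the chain layout are constructed for illustration.

```python
"""Hop-by-hop redirect resolver with per-hop evidence capture (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed seven-URL chain on hypothetical hosts (not real infrastructure).
# Key -> redirect target (the Location header); None marks the final page.
SAMPLE_CHAIN: Dict[str, Optional[str]] = {
    "https://click.tracker.example/c?cid=1": "https://cdn-edge.example/r/1",
    "https://cdn-edge.example/r/1": "https://check.example/bot?next=2",
    "https://check.example/bot?next=2": "https://issue.example/tok?once=abc123",
    "https://issue.example/tok?once=abc123": "https://route.example/v?once=abc123",
    "https://route.example/v?once=abc123": "https://login-proxy.example/auth?once=abc123",
    "https://login-proxy.example/auth?once=abc123": "https://login-proxy.example/common/oauth2/authorize",
    "https://login-proxy.example/common/oauth2/authorize": None,
}
START = "https://click.tracker.example/c?cid=1"


@dataclass
class Hop:
    url: str
    status: str                     # "redirect", "final" or "dead"
    location: Optional[str] = None  # next URL when status == "redirect"


class ChainServer:
    """Offline stand-in for the remote infrastructure. Any URL carrying a
    hypothetical `once=` token is served a single time; a second visit gets
    a dead page, like the single-use links the text describes."""

    def __init__(self, chain: Dict[str, Optional[str]]) -> None:
        self.chain = dict(chain)
        self.served: set = set()

    def fetch(self, url: str) -> Hop:
        token = parse_qs(urlsplit(url).query).get("once", [None])[0]
        if token is not None:
            if url in self.served:
                return Hop(url, "dead")
            self.served.add(url)
        if url not in self.chain:
            return Hop(url, "dead")
        target = self.chain[url]
        return Hop(url, "final") if target is None else Hop(url, "redirect", target)


@dataclass
class Resolution:
    hops: List[Hop] = field(default_factory=list)

    @property
    def final_url(self) -> Optional[str]:
        """Landing page, or None if the chain was cut short or went dead."""
        last = self.hops[-1]
        return last.url if last.status == "final" else None

    @property
    def exhausted(self) -> bool:
        """True when the hop budget ran out while the chain was still redirecting."""
        return self.hops[-1].status == "redirect"

    def hosts(self) -> List[str]:
        """Every host seen, in order: the evidence to keep at collection time."""
        return [urlsplit(h.url).netloc for h in self.hops]


def resolve(start: str, fetch: Callable[[str], Hop], max_hops: int) -> Resolution:
    """Follow redirects one at a time, recording each hop, for at most max_hops fetches."""
    res = Resolution()
    url = start
    for _ in range(max_hops):
        hop = fetch(url)
        res.hops.append(hop)
        if hop.status != "redirect":
            break
        url = hop.location
    return res


def shallow_scan() -> Resolution:
    """A scanner that gives up after three hops never reaches the login proxy."""
    return resolve(START, ChainServer(SAMPLE_CHAIN).fetch, max_hops=3)


def full_then_replay() -> tuple:
    """First pass reaches the final page; replaying against the same server dies
    at the first one-time URL, so only the hops recorded on the first pass remain."""
    server = ChainServer(SAMPLE_CHAIN)
    first = resolve(START, server.fetch, max_hops=10)
    replay = resolve(START, server.fetch, max_hops=10)
    return first, replay


if __name__ == "__main__":
    s = shallow_scan()
    print("shallow scanner stopped at:", s.hops[-1].url, "| final seen:", s.final_url)
    first, replay = full_then_replay()
    print("full resolution:", len(first.hops), "hops, final:", first.final_url)
    print("replay died at:", replay.hops[-1].url)
    for host in first.hosts():
        print("  evidence host:", host)
```

A real resolver would issue each request with automatic redirects disabled and read the Location header itself; the point of recording every hop as it is observed is that the second pass in `full_then_replay` shows what an after-the-fact reproduction would see.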
Operationally, defenders are being pushed to treat modern phishing as an infrastructure and workflow problem, not just a user-awareness issue: attackers increasingly use HTTPS, branded lookalike pages/domains, redirects, and short-lived links to evade detection, including QR phishing (QR codes embedded in PDFs, which sidestep URL scanning). Additional pressure tactics like MFA fatigue (push-spam) remain effective against push-based MFA, with mitigations including number matching, contextual prompts (e.g., location), and monitoring for abnormal push rates. For earlier detection of AiTM activity, one proposed tripwire is embedding Canary Tokens in Microsoft Entra ID tenant branding (e.g., custom CSS) to alert when an AiTM proxy loads the login page, while noting this is not universally reliable across all kits.
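The "monitoring for abnormal push rates" mitigation above is a small detection rule. The following is an added example rather than anything from the article or a vendor product: it scans constructed sign-in records in a hypothetical JSON schema (the field names `ts`, `user`, `event` and `result` are assumptions, not any identity provider's real log format) and raises two alerts, one for a burst of push prompts inside a short window and one for an approval that follows a run of denied or unanswered prompts.

```python
"""Flag MFA push-spam (fatigue) patterns in sign-in logs (added example)."""
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed sample records in a hypothetical schema (not a real product's format).
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:05Z", "user": "alice@example.com", "event": "mfa_push", "result": "denied"}
{"ts": "2024-05-01T08:00:41Z", "user": "alice@example.com", "event": "mfa_push", "result": "timeout"}
{"ts": "2024-05-01T08:01:12Z", "user": "bob@example.com", "event": "mfa_push", "result": "approved"}
{"ts": "2024-05-01T08:01:30Z", "user": "alice@example.com", "event": "mfa_push", "result": "denied"}
{"ts": "2024-05-01T08:02:02Z", "user": "alice@example.com", "event": "password_ok"}
{"ts": "2024-05-01T08:02:15Z", "user": "alice@example.com", "event": "mfa_push", "result": "denied"}
{"ts": "2024-05-01T08:02:50Z", "user": "alice@example.com", "event": "mfa_push", "result": "timeout"}
{"ts": "2024-05-01T08:03:20Z", "user": "alice@example.com", "event": "mfa_push", "result": "approved"}
{"ts": "2024-05-01T09:15:00Z", "user": "carol@example.com", "event": "mfa_push", "result": "denied"}
{"ts": "2024-05-01T09:15:30Z", "user": "carol@example.com", "event": "mfa_push", "result": "approved"}
"""

WINDOW = timedelta(minutes=5)  # sliding window for the rate rule
RATE_THRESHOLD = 4             # more than this many pushes per WINDOW is abnormal
FATIGUE_RUN = 3                # unanswered/denied pushes before an approval is suspicious


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    ts: str


def parse_ts(value: str) -> datetime:
    # Fixed format rather than fromisoformat, so the trailing "Z" parses on older Pythons.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(log_text: str) -> List[Alert]:
    """Return alerts in log order. Records are assumed to arrive sorted by time."""
    alerts: List[Alert] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # push timestamps in WINDOW
    unanswered_run: Dict[str, int] = defaultdict(int)        # consecutive non-approvals
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event") != "mfa_push":
            continue  # password events and the like do not count as prompts
        user, ts, result = rec["user"], parse_ts(rec["ts"]), rec.get("result")

        # Rule 1: abnormal push rate. Fire once, on the first crossing of the threshold.
        window = recent[user]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if len(window) == RATE_THRESHOLD + 1:
            alerts.append(Alert(user, "abnormal_push_rate", rec["ts"]))

        # Rule 2: an approval right after a run of denied/unanswered prompts is the
        # classic "user gave in" signature of push fatigue.
        if result == "approved":
            if unanswered_run[user] >= FATIGUE_RUN:
                alerts.append(Alert(user, "approval_after_fatigue", rec["ts"]))
            unanswered_run[user] = 0
        else:
            unanswered_run[user] += 1
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.ts} {alert.user} {alert.rule}")
```

Only alice trips both rules: five prompts inside five minutes, then an approval after five non-approvals. carol's single denial followed by an approval stays below `FATIGUE_RUN`, which is the kind of benign mis-tap the thresholds are there to tolerate; in production the thresholds would be tuned per tenant and the second rule would typically also compare the approving sign-in's location or device against the prompts, the contextual signal the text mentions.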

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Sekoia confirms previously undocumented PhaaS kit behind Hopper
After the investigator shared findings with Sekoia's TDR team, the team confirmed the activity was linked to a previously undocumented phishing-as-a-service kit. This marked a new attribution development for the Hopper campaign.
Researcher rules out several known AiTM and PhaaS kits
Technical analysis using mitmproxy and observed fingerprints led the author to systematically exclude Tycoon 2FA, Mamba 2FA, Sneaky 2FA, Gabagool, and Evilginx as matches for the campaign. This narrowed attribution toward a distinct, previously undocumented kit.
Investigation documents Hopper's seven-hop redirect architecture
During analysis of a single attack, the investigator identified a seven-hop redirect chain used for tracking, anti-bot checks, token generation, victim routing, and final proxy delivery. The findings showed how incomplete redirect resolution by email security tools can miss the final phishing destination.
Hopper phishing campaign operates across sectors for multiple months
Pivoting on the unique JavaScript filename "ui-form-security.js" via urlscan.io revealed a multi-month, multi-sector adversary-in-the-middle phishing campaign later dubbed Hopper. The operation proxied real Microsoft login flows to capture credentials, MFA responses, and session tokens.
Help Net Security video outlines modern phishing evasion techniques
Gal Livschitz of Terra Security described how current phishing attacks use HTTPS, branded spoof pages, lookalike domains, redirects, and short-lived links to evade detection, and highlighted QR phishing as a growing tactic. He also warned about MFA fatigue, AI-generated phishing, and voice cloning, while recommending phishing-resistant MFA and improved training and mobile controls.