Adversary-in-the-Middle (AitM)

What is an adversary-in-the-middle attack?

An adversary-in-the-middle (AitM) attack uses a reverse proxy to sit between a user and a legitimate authentication page, relaying real traffic in both directions. The user logs in normally, completing any MFA step, while the proxy captures the resulting session cookie and refresh token. AitM is the MITRE ATT&CK term for this technique.

How AitM defeats MFA and passkeys

Standard phishing captures the password a user types. AitM captures what a completed, legitimate authentication produces – the session cookie that proves login already happened. Any browser presenting a valid session cookie is treated as authenticated, so the attacker needs neither the password nor the MFA method. That’s why AitM bypasses MFA, passkeys, and passwordless alike: it operates after authentication, targeting the post-auth artifact rather than the credential.

An organization fully on passkeys has the same session-layer exposure to AitM as one still using passwords.

SpyCloud Labs published original research on the Tycoon 2FA AitM platform that contributed to its Europol-coordinated seizure – read it on SpyCloud Labs →

The refresh-token problem and how SpyCloud responds

In enterprises, AitM also captures the refresh token – valid up to 90 days by default – extending the damage well past the initial phish:

  • Months of silent access. A captured refresh token mints new sessions for its lifetime, even after a password reset.
  • Same channels as logs. AitM operators distribute captured artifacts through the criminal channels SpyCloud infiltrates.
  • Recaptured in hours. SpyCloud recovers AitM-harvested cookies and refresh tokens typically within hours, then signals the IdP to revoke and terminate the session.
  • Delivered via PhaaS. AitM is most often delivered through phishing-as-a-service kits; SpyCloud remediates the output via Phishing Exposure Remediation.

AitM vs. traditional man-in-the-middle

AitM is a purpose-built evolution of the classic man-in-the-middle (MitM) attack. Traditional MitM intercepts traffic to eavesdrop or tamper, often passively, and is frequently defeated by TLS. AitM is active: a reverse proxy relays a real login in full, lets the user complete MFA, and captures the resulting session cookie and refresh token.

The distinction matters for defense. MitM defenses center on encrypting traffic, but AitM operates with the user’s cooperation over a connection that looks legitimate end to end – so the effective defense shifts to detecting the stolen session artifact rather than the interception itself.

An AitM phish leaves no failed login behind – the first sign may be the session for sale.
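As an added illustration of that defensive shift (example code written for this page, not SpyCloud's product logic): a minimal detector that binds each issued session to the client seen at login and flags the same session artifact when it is later presented by a client that no longer matches. It assumes a constructed JSON-per-line IdP event log with `ts`, `event`, `sid`, `ip` and `ua` fields.

```python
import json
from ipaddress import ip_network

# Constructed sample IdP events, not real telemetry. An AitM phish relays a
# fully successful login, so no failed-login signal exists; the tell is the
# issued session artifact later presented by a client that does not match
# the (ip, user-agent) binding recorded at login.
SAMPLE_LOG = """\
{"ts":"2026-03-02T09:00:00Z","event":"login","sid":"s-1","ip":"203.0.113.10","ua":"Chrome/122 Windows"}
{"ts":"2026-03-02T09:05:00Z","event":"request","sid":"s-1","ip":"203.0.113.10","ua":"Chrome/122 Windows"}
{"ts":"2026-03-02T09:07:00Z","event":"request","sid":"s-1","ip":"198.51.100.7","ua":"Firefox/120 Linux"}
{"ts":"2026-03-02T10:00:00Z","event":"login","sid":"s-2","ip":"192.0.2.55","ua":"Safari/17 macOS"}
{"ts":"2026-03-02T10:30:00Z","event":"request","sid":"s-2","ip":"192.0.2.56","ua":"Safari/17 macOS"}
{"ts":"2026-03-02T11:00:00Z","event":"login","sid":"s-3","ip":"203.0.113.40","ua":"Edge/122 Windows"}
{"ts":"2026-03-02T11:20:00Z","event":"request","sid":"s-3","ip":"198.51.100.9","ua":"Edge/122 Windows"}
"""

def parse_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def same_network(ip_a, ip_b, prefix=24):
    """Treat addresses in one /24 as the same client network (NAT, roaming)."""
    return ip_network(f"{ip_a}/{prefix}", strict=False) == ip_network(f"{ip_b}/{prefix}", strict=False)

def detect_hijacked_sessions(events):
    """One alert per session whose artifact is presented by a client that no
    longer matches its login-time binding. A user-agent change is rated high
    (browsers do not change UA mid-session); an IP change alone is medium
    (mobile and VPN users do move networks)."""
    bindings, alerts = {}, {}
    for ev in events:
        sid = ev["sid"]
        if ev["event"] == "login":
            bindings[sid] = (ev["ip"], ev["ua"])  # bind artifact to issuing client
            continue
        if sid not in bindings or sid in alerts:
            continue
        bound_ip, bound_ua = bindings[sid]
        if ev["ua"] != bound_ua:
            alerts[sid] = {"sid": sid, "severity": "high", "ts": ev["ts"],
                           "reason": "user-agent changed mid-session"}
        elif not same_network(ev["ip"], bound_ip):
            alerts[sid] = {"sid": sid, "severity": "medium", "ts": ev["ts"],
                           "reason": "session presented from a different network"}
    return sorted(alerts.values(), key=lambda a: a["ts"])

if __name__ == "__main__":
    for alert in detect_hijacked_sessions(parse_log(SAMPLE_LOG)):
        print(alert)
```

Each alert is a candidate for the session-layer response the page describes (refresh-token revocation, SSO termination, cookie invalidation) rather than a password reset, which leaves the stolen artifact valid.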


Check Your Exposure to see what’s tied to your domain.

Frequently Asked Questions

Standard phishing captures the password a user types, and MFA usually stops the attacker. AitM uses a reverse proxy relaying real traffic to the legitimate service, letting the user complete MFA while the proxy captures the resulting session cookie – an artifact that has already passed every authentication control. Standard phishing attacks the credential; AitM attacks the proof of a completed login.

Tycoon 2FA was the dominant AitM PhaaS platform of 2024–2025, targeting Microsoft 365 and Google Workspace before a Europol-coordinated seizure in March 2026. EvilProxy, Evilginx, Modlishka, and Muraena are other AitM proxy frameworks. PhaaS made AitM accessible to non-technical attackers, helping drive the 400% year-over-year phishing surge in SpyCloud’s 2026 report.

SpyCloud recaptures AitM-harvested cookies and refresh tokens from the criminal channels where operators sell them. On a match to a customer’s domain, Session Identity Protection triggers three-layer remediation – refresh-token revocation at the IdP, SSO session termination cascading to downstream apps, and app-level cookie invalidation – closing the immediate exposure and the 90-day refresh-token window that survives password resets.

Stop account takeover before it happens.

Our Check Your Exposure tool shows what data tied to your domain is already circulating in criminal markets.
