The AiTM tactic uses a real-time proxy to steal session cookies and authentication tokens after the user completes MFA, bypassing one of the most common security controls in enterprise environments.
The AiTM Attack Mechanism
Attackers are running a sophisticated phishing campaign built on an adversary-in-the-middle (AiTM) proxy. When a victim clicks a malicious link, they land on a page that is a real-time proxy sitting between the user and the legitimate login page for services such as SharePoint, HubSpot, and Google Workspace. Everything the victim types, including the password and the MFA response, is relayed to the real service, which sees a valid login and issues a session cookie and authentication token; the proxy records both as they pass through. Because the session is already authenticated, the attacker can replay the stolen cookie or token from their own browser and reach the victim's account without triggering any further MFA prompt, even though multi-factor authentication (MFA) is enabled.
Impact on Enterprise Security
The campaign specifically targets business-critical platforms that handle sensitive documents and customer data. By breaking into SharePoint, attackers can steal internal files and intellectual property. Compromised HubSpot accounts expose CRM records and marketing data. Breaches in Google Workspace give adversaries access to email, Drive files, and Calendar events. Because the MFA response is relayed rather than bypassed, standard MFA (codes, push approvals, SMS) is not an effective standalone defense against AiTM; organizations need phishing-resistant authentication such as FIDO2 security keys or passkeys, whose responses are cryptographically bound to the legitimate site's origin and therefore cannot be relayed from a look-alike domain. Two caveats for defenders: phishing-resistant authentication prevents new sessions from being stolen but does not invalidate cookies and tokens already captured, so suspected victims' active sessions should be revoked; and no CVE applies to this campaign, since AiTM phishing abuses the design of bearer session tokens rather than a software vulnerability, so there is nothing to patch.
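To make the mechanism and the defense described above concrete, here is an added toy model. It is not code from the article, from the campaign, or from any real proxy kit: a relying party, a victim browser with its authenticator, and an attacker proxy that transparently relays every login step. With password plus a one-time code, the relayed code is genuine and the cookie the real site issues lands in the proxy's hands; with an origin-bound WebAuthn-style credential, the browser writes the phishing page's origin into the signed client data and the real site rejects the assertion. The origins, the user and password, and the HMAC stand-in for the authenticator's public-key signature are all constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example.com"          # constructed, not a real site
PHISH_ORIGIN = "https://login.example-com-sso.net"  # constructed look-alike


class RelyingParty:
    # Legitimate service: issues a bearer session cookie after a successful login
    # and treats whoever presents that cookie as the user, with no further MFA.
    def __init__(self, origin, users):
        self.origin, self.users, self.sessions, self.otps, self.challenges = origin, users, {}, {}, {}

    def _issue_cookie(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def send_otp(self, user):
        # One-time code "sent" to the user's phone; returned directly in this model.
        self.otps[user] = f"{secrets.randbelow(10 ** 6):06d}"
        return self.otps[user]

    def login_otp(self, user, password, code):
        u = self.users.get(user)
        if not u or not hmac.compare_digest(u["password"], password):
            return None
        # The code is genuine; nothing ties it to the page the user typed it into.
        ok = hmac.compare_digest(self.otps.pop(user, ""), code)
        return self._issue_cookie(user) if ok else None

    def webauthn_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def login_webauthn(self, user, client_data_json, signature):
        u = self.users.get(user)
        cd = json.loads(client_data_json)
        # Origin binding: the browser wrote "origin" into the signed client data,
        # so an assertion produced on the proxy's hostname is rejected here.
        if not u or cd.get("origin") != self.origin:
            return None
        if cd.get("challenge") != self.challenges.pop(user, None):
            return None
        # HMAC stands in for the authenticator's public-key signature (toy simplification).
        expected = hmac.new(u["fido"], client_data_json.encode(), hashlib.sha256).digest()
        return self._issue_cookie(user) if hmac.compare_digest(expected, signature) else None

    def fetch_mailbox(self, cookie):
        return f"mailbox of {self.sessions[cookie]}" if cookie in self.sessions else None


class Browser:
    # Victim's browser plus authenticator: it logs in to whatever site it was lured
    # to and records THAT page's origin in the WebAuthn client data.
    def __init__(self, user, password, fido_key):
        self.user, self.password, self.fido_key = user, password, fido_key

    def submit_otp(self, site):
        code = site.send_otp(self.user)  # the real code arrives on the real phone
        return site.login_otp(self.user, self.password, code)

    def submit_webauthn(self, site, page_origin):
        challenge = site.webauthn_challenge(self.user)
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True)
        sig = hmac.new(self.fido_key, client_data.encode(), hashlib.sha256).digest()
        return site.login_webauthn(self.user, client_data, sig)


class AitmProxy:
    # Attacker's reverse proxy: relays every request to the real site in real time
    # and keeps a copy of each session cookie the real site issues.
    def __init__(self, upstream):
        self.upstream, self.stolen = upstream, []

    def __getattr__(self, name):
        def relay(*args):
            result = getattr(self.upstream, name)(*args)
            if name.startswith("login_") and result:   # a cookie came back: steal it
                self.stolen.append(result)
            return result
        return relay


def _setup():
    key = secrets.token_bytes(32)  # constructed user "alice" with a constructed password
    return RelyingParty(LEGIT_ORIGIN, {"alice": {"password": "hunter2", "fido": key}}), Browser("alice", "hunter2", key)


def attacker_view(factor):
    """What the attacker's own browser gets with the stolen cookie, or None."""
    rp, victim = _setup()
    proxy = AitmProxy(rp)
    victim.submit_otp(proxy) if factor == "otp" else victim.submit_webauthn(proxy, PHISH_ORIGIN)
    return rp.fetch_mailbox(proxy.stolen[0]) if proxy.stolen else None


def legit_webauthn_login():
    rp, victim = _setup()
    return rp.fetch_mailbox(victim.submit_webauthn(rp, LEGIT_ORIGIN))
```

`attacker_view("otp")` returns the victim's mailbox: the proxy never needed to break MFA, it just relayed the code and kept the cookie. `attacker_view("webauthn")` returns None because the client data carries PHISH_ORIGIN, while `legit_webauthn_login()` succeeds. In a real browser the attack fails one step earlier, since the credential's RP ID does not match the phishing origin and the browser refuses to exercise it at all; the server-side origin check modeled here is the second layer. Note also that the cookie in this model is a plain bearer token: any session already captured stays valid until the relying party revokes it.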
Source: Cyber Security News

