Agent Skills: Performing Adversary-in-the-Middle Phishing Detection

Performing Adversary-in-the-Middle Phishing Detection

Overview

Adversary-in-the-Middle (AiTM) phishing attacks use reverse-proxy infrastructure to sit between the victim and the legitimate authentication service, intercepting both credentials and session cookies in real time. This allows attackers to bypass multi-factor authentication (MFA). The most prevalent PhaaS kits in 2025 include Tycoon 2FA, Sneaky 2FA, EvilProxy, and Evilginx. Over 1 million PhaaS attacks were detected in January-February 2025 alone. These attacks have evolved from QR codes to HTML attachments and SVG files for link distribution.

When to Use

• When conducting security assessments that involve performing adversary in the middle phishing detection
• When following incident response procedures for related security events
• When performing scheduled security testing or auditing activities
• When validating security controls through hands-on testing

Prerequisites

• Azure AD / Entra ID Conditional Access policies
• SIEM with authentication log ingestion (Azure AD sign-in logs)
• Web proxy with SSL inspection and URL categorization
• Endpoint Detection and Response (EDR) solution
• FIDO2/phishing-resistant MFA capability

Key Concepts

How AiTM Works

1. Victim receives phishing email with link to attacker-controlled domain
2. Attacker domain runs reverse proxy that mirrors legitimate login page
3. Victim enters credentials on proxied page; credentials captured in transit
4. Reverse proxy forwards credentials to real authentication service
5. MFA challenge sent to victim; victim completes MFA on proxied page
6. Attacker captures session cookie returned by legitimate service
7. Attacker replays session cookie to access victim's account without MFA

Major AiTM Kits (2025)

| Kit | Type | Primary Targets | Evasion | |---|---|---|---| | Tycoon 2FA | PhaaS | Microsoft 365, Google | CAPTCHA, Cloudflare turnstile | | EvilProxy | PhaaS | Microsoft 365, Google, Okta | Random URLs, IP rotation | | Evilginx | Open-source | Any web application | Custom phishlets | | Sneaky 2FA | PhaaS | Microsoft 365 | Anti-bot checks | | NakedPages | PhaaS | Multiple | Minimal infrastructure |

Detection Indicators

• Authentication from unusual IP not matching user profile
• Session cookie reuse from different IP/device than authentication
• Login page served from non-Microsoft/non-Google infrastructure
• CDN requests to legitimate auth providers from phishing domains
• Impossible travel between authentication and session usage

Workflow

Step 1: Deploy Phishing-Resistant MFA

• Implement FIDO2 security keys or Windows Hello for Business for high-value accounts
• Configure Conditional Access to require phishing-resistant MFA for admins
• Enable certificate-based authentication where possible
• Disable SMS and voice MFA for privileged accounts
• AiTM cannot intercept FIDO2 because authentication is bound to origin domain

Step 2: Configure Conditional Access Policies

• Require compliant/managed device for sensitive application access
• Block authentication from anonymous proxies and Tor exit nodes
• Enforce token binding to limit session cookie replay
• Configure continuous access evaluation (CAE) for real-time token revocation
• Implement sign-in risk policies that require re-authentication for risky sign-ins

Step 3: Build AiTM Detection Rules

• Alert on sign-in followed by session from different IP within 10 minutes
• Detect authentication where proxy IP does not match user's expected location
• Monitor for impossible travel patterns in session usage
• Alert on inbox rules created immediately after authentication (common post-compromise)
• Detect new MFA method registration from suspicious sign-in

Step 4: Monitor Web Proxy for AiTM Infrastructure

• Log and analyze DNS queries to newly registered domains
• Detect connections to known PhaaS infrastructure IPs
• Alert on authentication page backgrounds loaded from legitimate CDNs through proxy domains
• Monitor for SSL certificates issued to domains mimicking corporate login pages
• Block access to known EvilProxy/Evilginx infrastructure via threat intelligence

Step 5: Implement Post-Compromise Detection

• Alert on mailbox forwarding rules created after suspicious authentication
• Detect OAuth app consent after AiTM sign-in
• Monitor for email sending patterns indicating BEC follow-up
• Alert on SharePoint/OneDrive mass download after session hijack
• Track lateral movement from compromised account

Tools & Resources

• Microsoft Entra ID Protection: Risk-based Conditional Access
• Azure AD Sign-in Logs: Authentication event analysis
• Okta ThreatInsight: AiTM proxy detection at IdP level
• Sekoia TDR: AiTM campaign tracking and intelligence
• Evilginx (defensive): Understanding attack mechanics for detection

Validation

• Phishing-resistant MFA blocks AiTM session capture in test scenario
• Conditional Access denies session replay from different device/IP
• SIEM alerts fire on simulated AiTM sign-in patterns
• Web proxy blocks connections to known PhaaS infrastructure
• Post-compromise rules detect inbox rule creation after suspicious auth