Three failures that keep showing up: Through my research into adversary-in-the-middle attacks and reviewing industry incident reports, I have identified three consistent failures that make these attacks successful.
1. We trained our people for the wrong threat
Most security awareness programs still teach the same things: look for misspellings, check the sender address, hover over links. That advice was built for 2015 phishing. In an adversary-in-the-middle attack there are no misspellings, because the page is real: it is being proxied from the actual service. The SSL certificate is valid because the proxy obtains its own legitimate certificate. The login flow behaves exactly as expected because it is the real login flow, just observed by someone in the middle. Security researchers have tested this extensively. Setting up an Evilginx proxy against a test tenant and sending phishing links to security professionals, people who know what phishing looks like, consistently catches a significant number of them. If people whose literal job is spotting these attacks cannot tell the difference, expecting finance or HR staff to do so is unrealistic. Research from Push Security confirms phishing has gone omni-channel, with roughly one in three phishing attacks now delivered outside of email entirely, through channels like LinkedIn DMs and Google Search.
2. We trust session cookies too much
Once MFA is completed, most organisations treat the resulting session as sacred. The user proved who they are, so we let them work. But session cookies are bearer tokens: whoever holds them is the authenticated user. There is no binding between the cookie and the device that generated it. There is no fingerprint. There is no anchor. An attacker who steals a session cookie from London can replay it from an entirely different location, and the identity provider will accept it as the legitimate user. Research from Silverfort demonstrated that even after successful FIDO2 authentication, many identity providers remain vulnerable to session hijacking because the session tokens created after authentication are not adequately protected.
3. We react to credential theft, not session theft
Incident response playbooks are built around compromised passwords: force a reset, revoke tokens, re-enroll MFA. But in an adversary-in-the-middle attack the password is not the primary concern; the session is. Industry reports consistently show response teams resetting passwords and considering the case closed, while attackers continue operating on stolen sessions for days. If you are not revoking all active sessions and monitoring for session replay, you are not actually remediating the compromise.
What actually works: The uncomfortable truth is that traditional MFA (push notifications, SMS codes, authenticator apps) cannot defend against adversary-in-the-middle phishing. The authentication succeeds because it is real authentication. The attacker simply observes and copies the result. Here is what actually makes a difference.
Deploy phishing-resistant authentication
FIDO2 security keys and passkeys bind authentication cryptographically to the specific domain. If the login request comes from a proxy domain instead of the real service, the key refuses to sign the challenge. According to Microsoft's documentation on passkeys, passkeys use origin-bound public key cryptography, ensuring credentials cannot be replayed or shared with malicious actors. Rolling out hardware keys can be challenging: budget approvals take time, and users need training. But start somewhere. Finance teams, IT admins and executives should be first. The people with the most valuable access need the strongest authentication. It is worth noting that Proofpoint researchers have demonstrated a downgrade attack against FIDO in Microsoft Entra ID by spoofing an unsupported browser, so organisations should also disable fallback authentication methods where possible.
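To make the origin binding concrete, here is an added example (not from the article or from any vendor's code) of the checks a WebAuthn relying party performs on an assertion before it even verifies the signature. The relying-party ID, allowed origin, challenge and the look-alike proxy origin are all assumed values constructed for this example; the browser fills in the `origin` field from the page that invoked the API, which is why a proxied login page cannot claim the real service's origin.

```python
import base64
import hashlib
import json

# Assumed relying party for this example (not from the article).
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_origin_binding(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes):
    """Relying-party checks on a WebAuthn assertion, run before signature verification.

    Returns (ok, reason). A proxy host sits on its own origin, so the origin check
    and the rpIdHash check both fail for an assertion produced on a phishing page.
    """
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r is not the relying party" % cd.get("origin")
    # authenticatorData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "assertion is bound to the real origin and RP ID"

# Constructed inputs: one assertion from the real login page, one from a look-alike proxy host.
CHALLENGE = b"\x01" * 32
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x05]) + (7).to_bytes(4, "big")

def _client_data(origin: str) -> bytes:
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(CHALLENGE).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()

LEGIT = _client_data("https://login.example.com")
PROXIED = _client_data("https://login.example-com.test")  # constructed proxy origin, not a real host
```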
Bind sessions to devices
Conditional Access policies that require managed, compliant devices create a hardware anchor that cookie replay cannot bypass. If someone steals a session cookie and tries to replay it from an unmanaged machine, the session gets killed. This is one of the most impactful changes organisations can implement. It is not foolproof, but it eliminates the easiest replay vector overnight.
Monitor for session anomalies, not just failed logins
The adversary-in-the-middle attack does not generate failed logins. It generates perfect-looking successful ones. The signals are in what happens after authentication. Watch for impossible travel between the authentication IP and subsequent session activity. Watch for new MFA device registration within minutes of login. Watch for inbox rule creation. Barracuda’s threat analysis highlights that attackers are increasingly using MFA code theft via relay attacks and targeting MFA recovery flows, making post-authentication monitoring more critical than ever. These are the post-compromise actions that attackers perform consistently, and building detection rules around these patterns catches attempts that traditional monitoring misses entirely.
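The three post-authentication signals named above, correlated against the sign-in that created the session, as an added example that is not part of the article. The events, operation names and IP/country values are constructed sample data; the operation labels are placeholders to be mapped onto whatever your identity provider's audit log actually emits.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Operation names are labels invented
# for this example; map them to your identity provider's audit log schema.
EVENTS = [
    {"ts": "2024-03-04T08:02:10Z", "user": "alice", "op": "SignInSuccess", "ip": "203.0.113.10", "country": "GB"},
    {"ts": "2024-03-04T08:09:41Z", "user": "alice", "op": "MailboxAccess", "ip": "198.51.100.7", "country": "NG"},
    {"ts": "2024-03-04T08:11:05Z", "user": "alice", "op": "InboxRuleCreated", "ip": "198.51.100.7", "country": "NG"},
    {"ts": "2024-03-04T08:14:30Z", "user": "alice", "op": "MfaMethodRegistered", "ip": "198.51.100.7", "country": "NG"},
    {"ts": "2024-03-04T09:00:00Z", "user": "bob", "op": "SignInSuccess", "ip": "192.0.2.5", "country": "GB"},
    {"ts": "2024-03-04T09:20:00Z", "user": "bob", "op": "MailboxAccess", "ip": "192.0.2.5", "country": "GB"},
]

def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_session_anomalies(events, window=timedelta(minutes=30)):
    """Correlate post-authentication activity with the successful sign-in that created the session.

    Returns a sorted list of (user, reason) findings. Nothing here looks at failed logins;
    every event examined is a successful, fully authenticated action.
    """
    last_login = {}          # user -> most recent successful sign-in
    findings = set()         # deduplicated so one reason is reported once per user
    for e in sorted(events, key=lambda e: e["ts"]):
        t = _parse(e["ts"])
        if e["op"] == "SignInSuccess":
            last_login[e["user"]] = {"t": t, "ip": e["ip"], "country": e["country"]}
            continue
        login = last_login.get(e["user"])
        if login is None or t - login["t"] > window:
            continue         # outside the correlation window for this sign-in
        # Signal 1: session used from a different country than the one that authenticated.
        if e["country"] != login["country"]:
            findings.add((e["user"], "session activity from %s after sign-in from %s"
                          % (e["country"], login["country"])))
        # Signal 2: new MFA method registered shortly after login (attacker persisting access).
        if e["op"] == "MfaMethodRegistered":
            findings.add((e["user"], "new MFA method registered within minutes of sign-in"))
        # Signal 3: inbox rule creation, commonly used to hide security notifications from the victim.
        if e["op"] == "InboxRuleCreated":
            findings.add((e["user"], "inbox rule created shortly after sign-in"))
    return sorted(findings)
```

Run against the sample, alice is flagged on all three signals while bob, whose activity stays on the authenticating IP and country, produces no findings.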
Rebuild your security awareness training
Stop teaching people to spot phishing pages; they cannot, not against modern attacks. Push Security's analysis notes that the vast majority of phishing attacks today use reverse proxies capable of bypassing most forms of MFA in real time, and that old-school approaches to URL blocking leave defenders two steps behind attackers. Instead, teach employees one simple rule: if you did not initiate the login yourself by typing the URL directly, do not trust it. Do not click login links in emails, even if they look legitimate. Navigate to the service directly. Bookmark your login pages. And give people a simple, frictionless way to report anything that feels wrong, even if they cannot explain why.
The uncomfortable conclusion: The security industry spent years telling organisations that MFA was the answer. It was, for the threats we had then. But the threat has evolved, and our defenses have not kept pace. Adversary-in-the-middle phishing does not break MFA. It does not need to. It sits patiently in the middle, watches the authentication happen exactly as designed, and copies the result. Our strongest defence does not fail; it succeeds, and the attacker benefits anyway. The organisations that recognise this shift and move to phishing-resistant authentication will be protected. The rest are waiting for a breach that will look exactly like a normal Monday morning login, until it is too late. We told our employees MFA would keep them safe. We owe them a defence that actually does. This article is published as part of the Foundry Expert Contributor Network.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4147134/your-mfa-isnt-broken-its-being-bypassed-and-your-employees-cant-tell-the-difference.html