A Man-in-the-Middle (MitM) attack is a broad type of cyberattack in which an attacker intercepts and manipulates communication between a user and a system, often to steal credentials or session tokens.
MitM attacks, also referred to as Attacker-in-the-Middle (AitM), can bypass MFA by capturing authenticated sessions in real time. In modern enterprise environments, MitM attacks increasingly take the form of browser-based attacks. For the rest of this article, we'll specifically discuss browser-based AitM attacks, unless otherwise stated.
How Attacker-in-the-Middle Attacks Work
A typical AitM attack follows a real-time interception model:
- User initiates a connection
  A user logs into a fake login page impersonating a SaaS application like Microsoft 365, Okta, or Google Workspace.
- Attacker intercepts communication
  Because the user is interacting with an attacker-controlled webpage, the attacker sits between the user and the service.
- Data is relayed and captured
  The attacker forwards traffic to the legitimate application while collecting:
  - User credentials
  - Multi-factor authentication (MFA) tokens
  - Session cookies
- Account compromise occurs
  With a valid session token, the attacker now has access to the account.
This real-time interception is what makes AitM attacks especially dangerous since they operate within legitimate workflows.
Why AitM Attacks Are Rising
AitM campaigns have become more effective and more common due to several trends:
Browser-Based Workflows
Most enterprise activity now happens in the browser, making it the primary attack surface. As explored in Keep Aware’s blog on browser-based attacks redefining enterprise risk, attackers are increasingly abusing browsing activity.
MFA Bypass via Session Theft
AitM attacks can capture session cookies after MFA is completed, effectively bypassing one of the most widely trusted security controls.
Accessible Attack Tooling
Frameworks like reverse proxy phishing kits have made MitM techniques easier to deploy, even for less sophisticated attackers.
Common Types of MitM Attacks
Reverse Proxy Phishing Attacks
Attackers act as an intermediary server, relaying traffic between the user and the legitimate application while capturing credentials.
Session Hijacking
By stealing session cookies, attackers can impersonate users without needing credentials.
Malicious Browser Extensions
As highlighted in Keep Aware research on extension risk, compromised extensions can function as AitM attacks by accessing and modifying browser traffic.
How to Prevent AitM Attacks
1. Deploy Browser Detection and Response (BDR)
Some AitM attacks happen directly inside the browser, where traditional tools lack visibility.
BDR enables:
- Monitoring of live browser sessions
- Detection of malicious scripts and behaviors
- Visibility into extension activity
Learn more: What Is Browser Detection and Response (BDR)?
2. Control Browser Extensions
Unmanaged extensions expand the attack surface and can introduce AitM-like risks. Best practice is to:
- Audit extension usage
- Restrict high-risk permissions
- Monitor extension behavior
3. Monitor for Browser-Based Threats
AitM attacks are part of a broader shift toward browser-native threats. Keep Aware’s blog on browser-based attacks redefining enterprise risk in 2025 highlights how attackers are increasingly:
- Targeting SaaS applications
- Abusing browser-based authorization flows
- Turning browser extensions into spyware
Key Takeaways
- An Attacker-in-the-Middle (AitM) attack intercepts and manipulates communication between users and applications
- Modern AitM attacks often bypass MFA by stealing session tokens
- Browser-based workflows have made AitM phishing attacks more likely
FAQs
1. What is a Man-in-the-Middle (MitM) attack?
A Man-in-the-Middle (MitM) attack, also called an Attacker-in-the-Middle or Adversary-in-the-Middle (AitM) attack, is a cyberattack in which an attacker secretly intercepts communication between a user and an application. The attacker can capture credentials, session tokens, or sensitive data without the user or the system detecting the intrusion.
2. What is the difference between MitM and Attacker-in-the-Middle (AitM)?
MitM and Attacker-in-the-Middle (AitM) refer to the same attack type. AitM is commonly used to describe modern MitM attacks that use phishing proxy infrastructure to intercept login sessions and capture authentication data in real time.
3. How do MitM attacks bypass multi-factor authentication (MFA)?
MitM attacks bypass MFA by stealing session cookies after authentication is complete. Once the attacker has a valid session token, they can access the account without needing credentials or MFA again, effectively bypassing traditional authentication controls.
4. How can you detect a MitM attack?
MitM attacks can be detected by identifying unusual session behavior, such as token reuse across multiple IP addresses, logins from unexpected locations, suspicious activity immediately after authentication, and the presence of lookalike phishing domains.
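The first two signals above (one session token used from several IP addresses, and activity from a new IP shortly after login) can be checked directly against an application's session log. The following is an added example written for this article, not code from Keep Aware or any product; the log format, session identifiers and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample session log (not from a real system). Session "tok-a1" is
# stolen: the login comes from one IP, but within minutes the same token is used
# from a different IP, including a mailbox-rule change. "tok-b2" is normal.
SAMPLE_LOG = """\
2025-03-01T09:00:05Z sess=tok-a1 ip=203.0.113.10 event=login
2025-03-01T09:00:40Z sess=tok-a1 ip=203.0.113.10 event=mail.read
2025-03-01T09:01:12Z sess=tok-a1 ip=198.51.100.77 event=mail.read
2025-03-01T09:01:30Z sess=tok-a1 ip=198.51.100.77 event=inbox.rule.create
2025-03-01T10:15:00Z sess=tok-b2 ip=192.0.2.25 event=login
2025-03-01T10:20:00Z sess=tok-b2 ip=192.0.2.25 event=mail.read
"""

LINE_RE = re.compile(r"(?P<ts>\S+) sess=(?P<sess>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+)")


def parse_log(log: str) -> list[dict]:
    """Parse the constructed log format into records with real timestamps."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_suspicious_sessions(log: str, window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {session_id: [reasons]} for sessions showing AitM-style token reuse."""
    by_session = defaultdict(list)
    for rec in parse_log(log):
        by_session[rec["sess"]].append(rec)
    findings = {}
    for sess, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        ips = {r["ip"] for r in recs}
        if len(ips) > 1:  # same session cookie presented from more than one source
            reasons.append(f"token used from {len(ips)} IPs: {sorted(ips)}")
        login = next((r for r in recs if r["event"] == "login"), None)
        if login:  # activity from a new IP soon after login is the AitM replay pattern
            for r in recs:
                if r["ip"] != login["ip"] and r["ts"] - login["ts"] <= window:
                    reasons.append(f"{r['event']} from {r['ip']} {r['ts'] - login['ts']} after login from {login['ip']}")
                    break
        if reasons:
            findings[sess] = reasons
    return findings
```

Real deployments should also tolerate benign IP changes (mobile roaming, VPN reconnects), so the IP-change signal is best weighted alongside the post-login activity type rather than alerting on its own.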
5. How do you prevent Man-in-the-Middle attacks?
To prevent MitM attacks, organizations should implement browser detection and response (BDR), enforce phishing-resistant MFA like FIDO2, monitor session activity, apply conditional access policies, and control browser extensions that can introduce session-level risk.