You click a link, sign in, approve the MFA prompt, and get on with your day. Completely unaware that someone else just logged into your account at the same moment.

That scenario surprises many businesses, particularly those that rely on multi-factor authentication (MFA) to protect cloud accounts. But this is exactly how Adversary-in-the-Middle (AiTM) phishing attacks work. 

Rather than stealing passwords for later use, these attacks silently hijack an already-authenticated session in real time.

MFA remains a core control, and getting it implemented correctly is still a critical first step for any business. 

But AiTM attacks exploit something MFA was never designed to protect: the trusted session that exists after authentication has already completed.

Phishing Has Moved Beyond Passwords

Phishing remains the most common starting point for account compromise, but the objective has changed. 

Traditional phishing collected usernames and passwords. Modern phishing is after something more immediately useful: the authenticated session itself.

Security researchers have documented a significant shift toward session and token theft, where attackers intercept the authentication process as it happens. 

Rather than reusing stolen credentials, which MFA typically blocks, they wait until the user successfully completes login, then steal the session token that proves it already occurred.

The technique has matured quickly. Phishing-as-a-Service (PhaaS) platforms now supply ready-made proxy toolkits that let even low-skilled attackers run AiTM campaigns targeting Microsoft 365 and Google Workspace. 

How AiTM Attacks Actually Work

The fake login page that isn’t fake

An AiTM phishing site is not a basic replica of a login page. It is a live reverse proxy.

The attacker’s infrastructure sits between the user and the real authentication service. Every keystroke, redirect, and server response flows through the attacker’s system in real time. From the user’s perspective, nothing looks wrong. 

The page behaves exactly like the real service, with correct branding, working redirects, and a functioning MFA prompt. In most cases, the only clue is a slightly altered URL that goes unnoticed on a mobile screen or when someone is under time pressure.

Why MFA doesn’t stop it

This is where many security assumptions fall apart.

MFA protects the moment of authentication, not what comes after it. 

Once a user successfully completes MFA, the service issues a session cookie. What this means is that the cookie signals to the application that the user is already verified. From that point, no password or MFA prompt is required. The system trusts the token. Whoever holds the cookie holds the access.

AiTM attacks simply wait for that cookie to be issued then steal it.

Microsoft tracked a 146% rise in AiTM attacks over the past year, as cybercriminals increasingly shift focus to accounts already protected by MFA.

Much of this increase is driven by PhaaS platforms like Evilginx that allow even low-skilled attackers to run convincing reverse-proxy campaigns at scale, targeting major cloud identity providers with minimal setup.

Session cookies

Session tokens act as bearer credentials. So, whoever possesses the token can access the account, with no password or MFA challenge required.

Once the cookie is stolen, the attacker imports it into their own browser and immediately resumes the session. 

This is a session replay attack. The attacker does not log in. They pick up where the legitimate user left off, inside a fully trusted, already-verified session.

What Happens After a Session Is Stolen

The aftermath of an AiTM attack tends to be quiet, which is precisely what makes it dangerous. 

The attacker is operating inside a legitimate, authenticated session. There are no failed MFA attempts, no unusual login alerts, and nothing in standard sign-in logs to signal a problem.

Research from Proofpoint shows that attackers who gain access through session hijacking commonly create hidden inbox rules to redirect mail, register additional MFA methods to lock in persistent access, monitor email threads for financial conversations, and use the trusted account to launch phishing campaigns against internal colleagues or finance teams.

These follow-on actions are a key reason AiTM attacks are frequently uncovered late, after financial fraud, data exposure, or wider network compromise has already begun.

Reducing Your Exposure

MFA is still essential. Building strong authentication practices remains the starting baseline. But reducing AiTM risk requires controls that extend beyond the login event itself.

Adopt phishing-resistant MFA

Methods like FIDO2 hardware keys and passkeys bind authentication to the specific device and the legitimate domain. A proxy in the middle cannot relay them: the process fails if the URL is not the real one. 

The Canadian Centre for Cyber Security analyzed over 100 AiTM campaigns targeting Microsoft Entra ID accounts. It found that phishing-resistant MFA consistently blocked session theft where standard MFA methods (including push notifications and one-time passcodes) did not.

Tighten Conditional Access policies

Risk-based access controls evaluate additional signals, including device compliance, IP location, and session behavior, rather than treating every authenticated session as permanently trusted. 

Configured correctly, these policies can detect and block anomalous access even when a stolen session token appears valid.

Monitor for post-login anomalies

Detecting AiTM compromise typically means watching for activity after login: new MFA method registrations, inbox rules created outside business hours, access from unfamiliar locations, or unusual data activity. 

Authentication logs alone will not surface the problem.

Train users on URL awareness

Employees who understand that a working MFA prompt on an unfamiliar-looking page still represents a risk are better positioned to pause, check the URL, and report before a session is compromised. A brief team walkthrough of what AiTM lures look like in Microsoft 365 contexts can meaningfully reduce exposure.

Stop Protecting Just the Login Screen

MFA is a baseline, not a finish line. The businesses that reduce AiTM risk are the ones that understand how sessions, tokens, and identity trust actually work . And they build controls around each layer, not just the login screen.

Want to review your identity security controls? 

Contact us or schedule a consultation to identify the gaps that matter most before an incident does it for you.

—

Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

MFA is a strong front-door lock. But it’s not the only thing that decides whether someone can get in.

After you sign in, your browser keeps you logged in using a session token (often stored as a cookie). It’s the digital version of a wristband at an event: once you’ve been checked, the wristband proves you belong there. If an attacker steals that wristband, they may not need to beat your MFA prompt at all.

That’s the core of session cookie hijacking. The attacker isn’t “cracking” MFA. They’re skipping it by replaying your already authenticated session.

This isn’t a reason to stop using MFA. It’s a reason to stop treating MFA as the finish line. 

When sessions can be stolen, the practical defence shifts to layered controls: phishing-resistant sign-ins, device hygiene, tighter session policies, and detection that catches suspicious access early.

Why MFA Isn’t a “Game Over” Control

MFA is still one of the best upgrades most businesses can make, but it doesn’t end an attack on its own. The reason is that attackers don’t always try to beat the login step. They try to go around it.

Cloudflare notes that “attackers are finding new ways to circumvent MFA” and that modern incidents are rarely one isolated technique. They’re “part of a chain of attacks.” 

In other words, MFA can block a lot of credential theft, but it doesn’t automatically protect what happens after a user successfully signs in. 

That’s where session cookie hijacking comes in. 

Microsoft has described adversary-in-the-middle phishing campaigns where attackers use a reverse-proxy site to “steal and intercept” a user’s password and the session cookie that proves they have an authenticated session. 

This is “not a vulnerability in MFA.” The attacker isn’t breaking the MFA. They’re reusing the session. 

What a Session Cookie Is and Why Attackers Want It

When you sign into a web app, the site needs a way to remember that you’ve already proved who you are. That’s what a session is: a temporary “logged-in” state that saves you from entering your password and MFA code on every click. 

Kaspersky explains that session hijacking is “sometimes called cookie hijacking” because cookies are commonly used to store the session identifier that keeps you authenticated. 

Attackers want that session identifier because it’s the shortcut. 

Proofpoint describes session tokens as digital “keys” that let a user stay authenticated. It warns that stealing valid tokens lets attackers impersonate legitimate users and potentially bypass authentication measures “like MFA.” 

That’s why session cookie hijacking is so highly leveraged. 

If an attacker can steal the cookie or token that represents your active session, they’re not trying to defeat the login process. They’re attempting to reuse what you already completed, and access the same apps and data as if they were sitting at your keyboard.

How Session Cookie Hijacking Actually Happens

A lot of teams picture “account takeover” as someone guessing a password or tricking a user into approving an MFA prompt. 

Session cookie hijacking is different. The attacker’s goal is to steal the proof that you’re already logged in, then reuse it, often without triggering another sign-in challenge.

1.) AiTM phishing 

Adversary-in-the-middle (AiTM) phishing is the “proxy login” trap. 

You think you’re signing into a normal service, but you’re actually signing into a lookalike page that sits between you and the real site. The attacker relays the login in real time, so everything appears to work, including MFA.

Attackers use AiTM phishing sites to “steal and intercept” a user’s password and the session cookie that proves the authenticated session. This is “not a vulnerability in MFA.” The attacker isn’t breaking the MFA. They’re capturing the session after MFA is completed and reusing it. 

One such campaign “attempted to target more than 10,000 organisations” since September 2021, which shows how scalable this approach has become. 

2.) Browser-in-the-Middle session stealing

Browser-in-the-middle (BitM) is similar in spirit, but it’s even more “hands-on” from the attacker’s side. 

Instead of stealing a password and running away, the attacker effectively places themselves in control of the browsing session.

Google’s threat intelligence says, “Stealing this session token is the equivalent of stealing the authenticated session.” Once the token is stolen, “an adversary would no longer need to perform the MFA challenge.” 

In other words, the attacker isn’t trying to authenticate instead of you. They’re trying to ride along after you’ve authenticated.

3.) Cookie theft from the endpoint

Not every session hijack starts with a fancy proxy. Sometimes the attacker simply steals session data from the device itself.

Stealing valid session tokens allows attackers to impersonate legitimate users. Tokens act like digital “keys.” If an endpoint is compromised, those “keys” can be extracted and reused.

Invicti explains that an attacker steals HTTP cookies and can gain access. The goal is often to obtain sensitive information stored in cookies. 

MFA Is a Baseline, Not a Finish Line

MFA is still essential. It blocks a huge amount of credential theft and makes basic account takeover harder. But session cookie hijacking is a reminder that attackers don’t always try to defeat the login step. Sometimes they reuse what happens after it.

The practical response is layered and realistic. Make phishing harder to pull off, and treat device health as part of identity. Tighten session behaviour for high-risk apps. Watch for suspicious access patterns that suggest a session is being replayed.

When those controls work together, MFA stops being a comforting checkbox and becomes what it should be: a strong baseline that’s backed by protections around the session itself.

Contact us today for help protecting your login sessions from hijacking.

—

Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

For years, enabling Multi-Factor Authentication (MFA) has been a cornerstone of account and device security. While MFA remains essential, the threat landscape has evolved, making some older methods less effective.

The most common form of MFA, four- or six-digit codes sent via SMS, is convenient and familiar, and it’s certainly better than relying on passwords alone. However, SMS is an outdated technology, and cybercriminals have developed reliable ways to bypass it. For organizations handling sensitive data, SMS-based MFA is no longer sufficient. It’s time to adopt the next generation of phishing-resistant MFA to stay ahead of today’s attackers.

SMS was never intended to serve as a secure authentication channel. Its reliance on cellular networks exposes it to security flaws, particularly in telecommunication protocols such as Signaling System No. 7 (SS7), used for communication between networks.

Attackers know that many businesses still use SMS for MFA, which makes them appealing targets. For instance, hackers can exploit SS7 vulnerabilities to intercept text messages without touching your phone. Techniques such as eavesdropping, message redirection, and message injection can be carried out within the carrier network or during over-the-air transmission.

SMS codes are also vulnerable to phishing. If a user enters their username, password, and SMS code on a fake login page, attackers can capture all three in real time and immediately gain access the legitimate account.

Understanding SIM Swapping Attacks

One of the most dangerous threats to SMS-based security is the SIM swap. In SIM swapping attacks, a criminal contacts your mobile carrier pretending to be you and claims to have lost their phone. They then request the support staff to port your number to a new blank SIM card in their possession.

If they succeed, your phone goes offline, allowing them to receive all calls and SMS messages, including MFA codes for banking and email. Without knowing your password, they can quickly reset credentials and gain full access to your accounts.

This attack doesn’t depend on advanced hacking skills; instead, it exploits social engineering tactics against mobile carrier support staff, making it a low-tech method with high‑impact consequences.

Why Phishing-Resistant MFA Is the New Gold Standard

To prevent these attacks, it’s essential to remove the human element from authentication by using phishing-resistant MFA. This approach relies on secure cryptographic protocols that tie login attempts to specific domains.

One of the more prominent standards used for such authentication is Fast Identity Online 2 (FIDO2) open standard, that uses passkeys created using public key cryptography linking a specific device to a domain. Even if a user is tricked into clicking a phishing link, their authenticator application will not release the credentials because the domain does not match the specific record. 

The technology is also passwordless, which removes the threat of phishing attacks that capture credentials and one-time passwords (OTPs). Hackers are forced to target the endpoint device itself, which is far more difficult than deceiving users.

Implementing Hardware Security Keys

Perhaps one of the strongest phishing-resistant authentication solutions involves hardware security keys. Hardware security keys are physical devices resembling a USB drive, which can be plugged into a computer or tapped against a mobile device.

To log in, you simply insert the key into the computer or touch a button, and the key performs a cryptographic handshake with the service. This method is quite secure since there are no codes to type, and attackers can’t steal your key over the internet. Unless they physically steal the key from you, they cannot access your account.

Mobile Authentication Apps and Push Notifications

If physical keys are not feasible for your business, mobile authenticator apps such as Microsoft or Google Authenticator are a step up from SMS MFA. These apps generate codes locally on the device, eliminating the risk of SIM swapping or SMS interception since the codes are not sent over a cellular network.

Simple push notifications also carry risks. For example, attackers may flood a user’s phone with repeated login approval requests, causing “MFA fatigue,” where a frustrated or confused user taps “approve” just to stop the notifications. Modern authenticator apps address this with “number matching,” requiring the user to enter a number shown on their login screen into the app. This ensures the person approving the login is physically present at their computer.

Passkeys: The Future of Authentication

With passwords being routinely compromised, modern systems are embracing passkeys, which are digital credentials stored on a device and protected by biometrics such as fingerprint or Face ID. Passkeys are phishing-resistant and can be synchronized across your ecosystem, such as iCloud Keychain or Google Password Manager. They offer the security of a hardware key with the convenience of a device that you already carry. 

Passkeys reduce the workload for IT support, as there are no passwords to store, reset, or manage. They simplify the user experience while strengthening security.

Balancing Security With User Experience

Moving away from SMS-based MFA requires a cultural shift. Since users are already used to the universality and convenience of text messages, the introduction of physical keys and authenticator apps can trigger resistance. 

It’s important to explain the reasoning behind the change, highlighting the realities of SIM-swapping attacks and the value of the protected information. When users understand the risks, they are more likely to embrace the new measures.

While a phased rollout can help ease the transition for the general user base, phishing-resistant MFA should be mandatory for privileged accounts. Administrators and executives must not rely on SMS-based MFA.

The Costs of Inaction

Sticking with legacy MFA techniques is a ticking time bomb that gives a false sense of security. While it may satisfy compliance requirements, it leaves systems vulnerable to attacks and breaches, which can be both costly and embarrassing. 

Upgrading your authentication methods offers one of the highest returns on investment in cybersecurity. The cost of hardware keys or management software is minimal compared to the expense of incident response and data recovery.

Is your business ready to move beyond passwords and text codes? We specialize in deploying modern identity solutions that keep your data safe without frustrating your team. Reach out, and we’ll help you implement a secure and user-friendly authentication strategy.

—

Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

The modern office extends far beyond traditional cubicles or open-plan spaces. Since the concept of remote work became popularized in the COVID and post-COVID era, employees now find themselves working from their homes, libraries, bustling coffee shops, and even vacation destinations. These environments, often called “third places,” offer flexibility and convenience but can also introduce risks to company IT systems.

With remote work now a permanent reality, businesses must adapt their security policies accordingly. A coffee shop cannot be treated like a secure office, as its open environment exposes different types of threats. Employees need clear guidance on how to stay safe and protect company data.

Neglecting security on public Wi-Fi can have serious consequences, as hackers often target these locations to exploit remote workers. Equip your team with the right knowledge and tools, and enforce a robust external network security policy to keep company data safe.

The Dangers of Open Networks

Free internet access is a major draw for remote workers frequenting cafes, malls, libraries, and coworking spaces. However, these networks rarely have encryption or strong security, and even when they do, they lack the specific controls that would be present in a secure company network. This makes it easy for cybercriminals to intercept network traffic and steal passwords or sensitive emails in a matter of seconds.

Attackers often set up fake networks that look legitimate. They might give them names such as “Free Wi-Fi” or give them a name resembling a nearby business, such as a coffee shop or café, to trick users. Once connected, the hacker who controls the network sees everything the employee sends. This is a classic “man-in-the-middle” attack.

It is critical to advise employees never to rely on open connections. Networks that require a password may still be widely shared, posing significant risks to business data. Exercise caution at all times when accessing public networks.

Mandating Virtual Private Networks

The most effective tool for remote security is a VPN. A Virtual Private Network encrypts all data leaving the laptop by creating a secure tunnel through the unsecured public internet. This makes the data unreadable to anyone trying to snoop.

Providing a VPN is essential for remote work, and employees should be required to use it whenever they are outside the office. Ensure the software is easy to launch and operate, as overly complex tools may be ignored. Whenever possible, configure the VPN to connect automatically on employee devices, eliminating human error and ensuring continuous protection.

At the same time, enforce mandatory VPN usage by implementing technical controls that prevent employees from bypassing the connection when accessing company servers.

The Risk of Visual Hacking

Digital threats are not the only concern in public spaces since someone sitting at the next table can easily glance at a screen. Visual hacking involves stealing information just by looking over a shoulder, which makes it low-tech but highly effective and hard to trace.

Employees often forget how visible their screens are to passersby, and in a crowded room full of prying eyes, sensitive client data, financial spreadsheets, and product designs are at risk of being viewed and even covertly photographed by malicious actors. 

To address this physical security gap, issue privacy screens to all employees who work remotely. Privacy screens are filters that make laptop and monitor screens appear black from the side, and only the person sitting directly in front can see the content. Some devices come with built-in hardware privacy screens that obscure content so that it cannot be viewed from an angle. 

Physical Security of Devices

Leaving a laptop unattended is a recipe for theft. In a secure office, you might walk away to get water or even leave the office and expect to find your device in the same place, untouched. In a coffee shop, that same action can cost you a device, since thieves are always scanning for distracted victims and are quick to act.

Your remote work policy should stress the importance of physical device security. Employees must keep their laptops with them at all times and never entrust them to strangers. A laptop can be stolen and its data accessed in just seconds.

Encourage employees to use cable locks, particularly if they plan to remain in one location for an extended period. While not foolproof, locks serve as a deterrent, especially in coworking spaces where some level of security is expected. The goal is to make theft more difficult, and staying aware of the surroundings helps employees assess potential risks.

Handling Phone Calls and Conversations

Coffee shops can be noisy, but conversations still travel through the air. Discussing confidential business matters in public is risky, as you never know who might be listening. Competitors or malicious actors could easily overhear sensitive information.

Employees should avoid discussing sensitive matters in these “third places.” If a call is necessary, they should step outside or move to a private space, such as a car. While headphones prevent others from hearing the other side, the employee’s own voice can still be overheard.

Creating a Clear Remote Work Policy

Employees shouldn’t have to guess the rules. A written policy clarifies expectations, sets standards, and supports training and enforcement.

Include dedicated sections on public Wi-Fi and physical security, and explain the reasoning behind each rule so employees understand their importance. Make sure the policy is easily accessible on the company intranet.

Most importantly, review this policy annually as technology changes. As new threats emerge, your guidelines must also evolve to counter them. Make routine updates to the policy, and reissue the revised versions to keep the conversation about security alive and ongoing.

Empower Your Remote Teams

While working from a “third place” offers flexibility and a morale boost, it also requires a higher level of vigilance. This makes prioritizing public Wi-Fi security and physical awareness non-negotiable, and you must equip your team to work safely from anywhere.

With the right tools and policies, you can manage the risks while enjoying the benefits of remote work. Success comes from balancing freedom with responsibility, and well-informed employees serve as your strongest line of defense. Protect your data, no matter where your team works.

Is your team working remotely without a safety net? We help businesses implement secure remote access solutions and policies, ensuring your data stays private, even on public networks. Call us today to fortify your remote workforce.

—

Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

Modern businesses depend on third-party apps for everything from customer service and analytics to cloud storage and security. But this convenience comes with risk, every integration introduces a potential vulnerability. In fact, 35.5% of all recorded breaches in 2024 were linked to third-party vulnerabilities. 

The good news? These risks can be managed. This article highlights the hidden dangers of third-party API integrations and provides a practical checklist to help you evaluate any external app before adding it to your system.

Why Third-Party Apps Are Essential in Modern Business 

Simply put, third-party integrations boost efficiency, streamline operations, and improve overall productivity. Most businesses do not create each technology component from scratch. Instead, they rely on third-party apps and APIs to manage everything from payments to customer support, analytics, email automation, chatbots, and more. The aim is to speed up development, cut costs, and gain access to features that might take months to build internally. 

What Are the Hidden Risks of Integrating Third-Party Apps? 

Adding third-party apps to your systems invites several risks, including security, privacy, compliance, and operational and financial vulnerabilities.

Security Risks

Third-party integrations can introduce unexpected security risks into your business environment. A seemingly harmless plugin may contain malware or malicious code that activates upon installation, potentially corrupting data or allowing unauthorized access. Once an integration is compromised, hackers can use it as a gateway to infiltrate your systems, steal sensitive information, or cause operational disruptions.

Privacy and Compliance Risks

Even with strong contractual and technical controls, a compromised third-party app can still put your data at risk. Vendors may gain access to sensitive information and use it in ways you never authorized, such as storing it in different regions, sharing it with other partners, or analyzing it beyond the agreed purpose. For instance, misuse of a platform could lead to violations of data protection laws, exposing your organization to legal penalties and reputational damage.

Operational and Financial Risks

Third-party integrations can affect both operations and finances. If an API fails or underperforms, it can disrupt workflows, cause outages, and impact service quality. Weak credentials or insecure integrations can be exploited, potentially leading to unauthorized access or costly financial losses.

What to Review Before Integrating a Third-Party API 

Before you connect any app, take a moment to give it a careful check-up. Use the checklist below to make sure it’s safe, secure, and ready to work for you.

1. Check Security Credentials and Certifications: Make sure the app provider has solid, recognized security credentials, such as ISO 27001, SOC 2, or NIST compliance. Ask for audit or penetration test reports and see if they run a bug bounty program or have a formal vulnerability disclosure policy. These show the vendor actively looks for and addresses security issues before they become a problem.
2. Confirm Data Encryption: You might not be able to inspect a third-party app directly, but you can review their documentation, security policies, or certifications like ISO 27001 or SOC. Ask the vendor how they encrypt data both in transit and at rest, and make sure any data moving across networks uses strong protocols like TLS 1.3 or higher.
3. Review Authentication & Access: Make sure the app uses modern standards like OAuth2, OpenID Connect, or JWT tokens. Confirm it follows the principle of least privilege, giving users only the access they truly need. Credentials should be rotated regularly, tokens kept short-lived, and permissions strictly enforced.
4. Check Monitoring & Threat Detection: Look for apps that offer proper logging, alerting, and monitoring. Ask the vendor how they detect vulnerabilities and respond to threats. Once integrated, consider maintaining your own logs to keep a close eye on activity and spot potential issues early.
5. Verify Versioning & Deprecation Policies: Make sure the API provider maintains clear versioning, guarantees backward compatibility, and communicates when features are being retired.
6. Rate Limits & Quotas: Prevent abuse or system overload by confirming the provider supports safe throttling and request limits.
7. Right to Audit & Contracts: Protect yourself with contractual terms that allow you to audit security practices, request documentation, and enforce remediation timelines when needed.
8. Data Location & Jurisdiction: Know where your data is stored and processed, and ensure it complies with local regulations.
9. Failover & Resilience: Ask how the vendor handles downtime, redundancy, fallback mechanisms, and data recovery, because no one wants surprises when systems fail.
10. Check Dependencies & Supply Chain: Get a list of the libraries and dependencies the vendor uses, especially open-source ones. Assess them for known vulnerabilities to avoid hidden risks.

Vet Your Integrations Today 

No technology is ever completely risk-free, but the right safeguards can help you manage potential issues. Treat third-party vetting as an ongoing process rather than a one-time task. Continuous monitoring, regular reassessments, and well-defined safety controls are essential.

If you want to strengthen your vetting process and get guidance from experts with experience building secure systems, we can help. Our team has firsthand experience in cybersecurity, risk management, and business operations, and we provide practical solutions to help you protect your business and operate more safely.

Build your confidence, tighten your integrations, and ensure that every tool in your stack works for you rather than against you. Call us today and take your business to the next level.

—

Featured Image Credit

This Article has been Republished with Permission from The Technology Press.