Cloud Services, 8th June 2026
What is Attacker in the Middle?
An Attacker (or Adversary) in the Middle, often shortened to AitM, is the modern evolution of what many people still call a Man in the Middle attack.
In simple terms, it happens when a cyber criminal inserts themselves between a user and a legitimate service, such as Microsoft 365, a banking portal, a cloud app, or even a public Wi-Fi connection, so they can monitor, steal, or alter what is being sent.
Think of it as an attacker intercepting communication between two systems, such as your device and the internet whilst connected to a compromised or fake Wi-Fi network. Microsoft’s recent threat reporting shows that AitM phishing is now commonly used to steal not just usernames and passwords, but also session cookies that let attackers bypass Multi-Factor Authentication (MFA) by cloning an active browser session and gaining access to the logged-in user’s session.
Unfortunately, Attacker in the Middle attacks are designed to go unnoticed, stealing data in transit or redirecting users to a compromised or malicious site designed to launch further attacks. The user may visit what appears to be a genuine login page, enter the correct password, approve an MFA prompt, and still be compromised. That is because the attacker is not always trying to break the login process. Instead, they are intercepting and replicating the process in real time, capturing the credentials and the authenticated session after login.
What does Attacker in the Middle (AitM) mean?
An Attacker in the Middle (AitM) attack is a method used to intercept communications and data between a victim device and a trusted service, potentially even rerouting traffic to malicious services to capture data. Historically this would happen on insecure networks, but modern AitM attacks often sit between the user and a real cloud login page. This can happen on insecure networks, or through an attacker gaining access to an insecure device to monitor and capture this data in real time. The victim thinks they are signing in normally. In reality, the attacker is relaying traffic through their own infrastructure, capturing login details and session tokens as the process happens.
This is why Attacker in the Middle is more dangerous than many traditional phishing attacks. A normal phishing-style attack may steal user account credentials such as a username/email and password. But an Attacker in the Middle attack can steal those same credentials, relay the MFA challenge in real time, and potentially also capture the authenticated session token. With that stolen session, an attacker may be able to access your emails to monitor and launch further attacks, access services such as Teams, SharePoint (and other cloud files), or other business systems without needing to trigger another login prompt.
Is Attacker in the Middle the same as Man in the Middle?
Yes.
In most business and technical conversations, Attacker in the Middle, Adversary in the Middle, and Man in the Middle are all referring to the same broad concept and method of attack which has continued to evolve.
The term Attacker in the Middle (AitM) is increasingly used because it is a more precise way to describe modern cyber attacks which do not always need access to a compromised network, especially when discussing phishing proxies, session hijacking, and cloud account compromise.
How does an Attacker in the Middle (AitM) attack actually work?
A common Attacker in the Middle attack usually follows a clear pattern.
The user receives a convincing email, clicks on a legitimate-looking advert (malvertising), scans a legitimate-looking QR code, or acts on a shared document notification or other kind of fake alert. They click through to what looks like a legitimate sign-in page for Microsoft 365, Google, Amazon, Facebook, or another trusted platform. However, that login page is actually controlled by the attacker and silently proxies the traffic to the real service. The victim enters their username/email and password, even completes an MFA (Multi-Factor Authentication) challenge request, and the attacker captures the resulting authenticated session.
Once that session is stolen, the attacker can move quickly through your online account. In the case of Linus Media Group, whose X/Twitter account was targeted in such an attack in 2025, the attackers captured login credentials following a phishing email and then intercepted an MFA request in real time. They were quickly able to lock out logged-in accounts, reset the login credentials for the account, and post harmful content on the social media account to attempt to extort money from followers who believed they were dealing with a trusted account.
If this were your business email, for example, they may log into the mailbox, create malicious inbox rules to capture or forward inbound emails, monitor conversations, steal data, or launch business email compromise attacks by sending messages from your genuine account.
Microsoft has highlighted cases where cookie theft led to mailbox access and attempted financial fraud, and later reported a more recent multi-stage campaign in which attackers abused SharePoint file sharing, created inbox rules, and used compromised accounts for follow-on attacks.
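The inbox-rule abuse described above is one of the most reliable post-compromise signals a defender can look for, because the attacker has to leave the rule behind to keep hiding or forwarding mail. The following Python is an added example, not code from the original article or from TwentyFour IT Services; it scores a constructed list of inbox rules against the patterns the text describes (forwarding to external addresses, moving mail into rarely checked folders, deleting inbound mail, and filtering on subjects such as “invoice” or “password”). The record fields, the internal domain `example.com`, and the folder and keyword lists are assumptions for the example, not any mail platform’s export format or defaults.

```python
"""Flag mailbox inbox rules that match the post-compromise pattern the text
describes (forwarding, hiding or deleting inbound mail).

The rule records below are constructed sample data; the field names are
assumptions for this example, not a real export format from any mail platform.
"""
from __future__ import annotations

from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # assumed: the organisation's own mail domain

# Folders that users rarely open, so mail moved there is effectively hidden.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}

# Subject keywords attackers typically filter on to suppress security alerts
# or to intercept finance conversations (assumed list for the example).
LURE_KEYWORDS = {"invoice", "payment", "password", "bank", "security",
                 "suspicious", "hacked", "mfa", "wire"}


@dataclass
class InboxRule:
    owner: str
    name: str
    forward_to: list[str] = field(default_factory=list)
    move_to_folder: str | None = None
    delete: bool = False
    mark_read: bool = False
    subject_contains: list[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the address is outside the organisation's own domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def assess_rule(rule: InboxRule) -> list[str]:
    """Return the reasons (if any) a rule looks like attacker persistence."""
    reasons = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        reasons.append("forwards mail to external address " + ", ".join(external))
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely checked folder '{rule.move_to_folder}'")
    if rule.delete:
        reasons.append("deletes inbound mail")
    hits = {k.lower() for k in rule.subject_contains} & LURE_KEYWORDS
    if hits and (rule.delete or rule.move_to_folder or rule.mark_read):
        reasons.append("hides messages whose subject mentions " + ", ".join(sorted(hits)))
    # Heuristic: rules named with one or two characters (e.g. ".") are a
    # common way to avoid drawing the mailbox owner's attention.
    if len(rule.name.strip()) <= 2:
        reasons.append(f"near-empty rule name {rule.name!r}")
    return reasons


def suspicious_rules(rules: list[InboxRule]) -> dict[tuple[str, str], list[str]]:
    """Map (owner, rule name) to its reasons for every rule that scores."""
    report = {}
    for rule in rules:
        reasons = assess_rule(rule)
        if reasons:
            report[(rule.owner, rule.name)] = reasons
    return report


# Constructed sample rules: two benign, two matching the described abuse.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Sort newsletters",
              move_to_folder="Newsletters", subject_contains=["newsletter"]),
    InboxRule("alice@example.com", ".",
              forward_to=["collector@attacker.invalid"]),
    InboxRule("bob@example.com", "Finance",
              move_to_folder="RSS Feeds", mark_read=True,
              subject_contains=["invoice", "payment"]),
    InboxRule("carol@example.com", "Team copy",
              forward_to=["team@example.com"]),
]

if __name__ == "__main__":
    for (owner, name), reasons in suspicious_rules(SAMPLE_RULES).items():
        print(f"{owner} rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Running the script reports Alice’s “.” rule (external forwarding, near-empty name) and Bob’s “Finance” rule (finance subjects moved to RSS Feeds and marked read), while the two benign rules produce nothing. In practice the same checks would be run over a scheduled export of every mailbox’s rules, with any hit treated as a trigger to revoke the user’s sessions and review recent sign-ins.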
Examples of Attacker in the Middle attacks in the news
As the above examples show, Attacker in the Middle attacks are not theoretical. They are actively being used in real attacks affecting businesses around the world. But those are not the only examples:
In January 2026, Microsoft disclosed a multi-stage AitM phishing and business email compromise campaign targeting businesses in the energy sector. According to Microsoft, the attackers abused SharePoint file sharing to deliver phishing payloads, then manipulated inbox rules to hide their activity and maintain persistence after compromising accounts.
In March 2026, Europol announced action against Tycoon 2FA, a phishing-as-a-service platform built to support Attacker in the Middle attacks. Europol said that by mid-2025 Tycoon 2FA accounted for roughly 62% of all phishing attempts blocked by Microsoft and 89% of Phishing-as-a-Service (PhaaS) attacks seen by Barracuda threat analysts. Microsoft and partners disrupted infrastructure associated with the service, while Proofpoint reported that Microsoft seized 330 control panel domains linked to the platform. These services made it easier for criminals to impersonate trusted brands and harvest credentials and session cookies at scale. However, recent reports (April 2026) indicate that Tycoon 2FA tools are now being used across other PhaaS platforms and that other tools such as Mamba 2FA, Sneaky 2FA and Evil Proxy are absorbing the gap created following the downfall of Tycoon 2FA.
In April 2026, the UK’s National Cyber Security Centre warned that APT28 had been exploiting vulnerable small office and home office routers to carry out DNS hijacking, enabling attacker-in-the-middle attacks that led to the theft of passwords and authentication tokens. This is an important reminder that AitM is not limited to fake login pages. It can also happen lower down in the network path, through compromised network devices (such as Wi-Fi routers or Access Points) when an attacker interferes with how devices connect to and reach legitimate services.
Can fake Wi-Fi networks be used for Attacker in the Middle attacks?
Yes, and this remains one of the easiest ways for people to understand how an Attacker-in-the-Middle attack works. Why? Because in this example, the attacker can quite literally be in the middle of the connection between your device and the internet.
A fake Wi-Fi network, sometimes called an evil twin, is a rogue hotspot designed to look legitimate. It could be something such as “FREE Café WiFi”, “Hotel Guest WiFi”, “Conference Free WiFi”, or the actual name of a nearby café or office.
If a user connects to one of these illegitimate networks, the attacker may be able to inspect and monitor traffic across the Wi-Fi connection, redirect the victim from legitimate pages to phishing pages, inject malicious content such as adverts, or trick them into logging into fake portals. The FTC still warns that many Public Wi-Fi Networks are not secure and notes that insecure Public Wi-Fi can expose users to account hijacking and impersonation risks if traffic is not properly protected.
It is true that widespread HTTPS encryption has made public Wi-Fi safer than it used to be, but that does not remove the risk, and the threats of being redirected to a malicious page designed to capture your data are still present. The FTC specifically warns that scammers can still create fake websites that use encryption, which means a padlock alone does not prove the destination is trustworthy. A secure connection to a fake site is still a compromise.
How do Cyber Criminals launch Fake Wi-Fi Attacks?
A Wi-Fi Pineapple is a device commonly associated with rogue access point and wireless interception testing. In the wrong hands, a device like this can be used to impersonate trusted wireless networks, encourage nearby devices to connect automatically to known networks, and position the attacker to carry out captive portal phishing, traffic interception, or traffic redirection to malicious pages.
Regardless of the method of attack, the goal is the same: trick people into joining an attacker-controlled network so traffic can be observed, manipulated or captured. This can be especially dangerous at trade events, shared offices, cafés, hotels, airports, and other public venues where users expect guest wireless access.
Can an Attacker-in-the-Middle attack happen anywhere else?
Attacker-in-the-Middle attacks are not limited to email phishing, malvertising, or compromised networks.
In addition to email phishing pages that emulate Microsoft 365, Google and many other login screens, QR code phishing has seen a drastic rise in recent years. Malicious QR codes are often placed over legitimate ones and push the user to a fake mobile login or data/payment capture page. By taking advantage of people’s trust in what appears to be a legitimate brand’s QR code, attackers can launch the same Attacker-in-the-Middle style attacks.
How can businesses protect themselves from Attacker-in-the-Middle attacks?
The business impact can be severe because the attacker is often hijacking trust rather than simply stealing login credentials.
A compromised login session can give access to email, documents, Teams chats, SharePoint files, OneDrive data, internal processes, supplier/customer conversations and much more besides. These can lead to invoice fraud, payroll diversion, data theft, impersonation attacks against suppliers/customers, and wider lateral movement to launch further attacks on your business. This is why it is important to have more control over how devices can access your critical business accounts and infrastructure.
Yes, it is important to have complex passwords and multi-factor authentication. However, as Attacker-in-the-Middle attacks continue to rise, it is becoming more important than ever that businesses adopt a Zero Trust approach to their online accounts and implement wider network controls for devices that are not covered by traditional tools.
Protection requires more than one control. Much like ogres (Shrek reference, anyone?), businesses need to have layers. Layers to their cyber defence, that is.
It is essential that businesses strengthen identity security with conditional access, impossible location detection, suspicious sign-in monitoring, and rapid session revocation when compromise is suspected. But more is required.
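Two of the identity controls named above, suspicious sign-in monitoring and rapid session revocation, can be illustrated with a small amount of code. The following Python is an added example, not code from the original article or from TwentyFour IT Services. It runs over a constructed sign-in log and flags two signals that an AitM-stolen session tends to produce: the same session identifier appearing from a different IP address and browser than the one that created it, and consecutive sign-ins whose implied travel speed is physically impossible. The log format, the 900 km/h threshold and the 50 km minimum distance are assumptions for the example, not any vendor’s schema or defaults.

```python
"""Detect session-token reuse and impossible travel across sign-in events,
and list the sessions a defender would revoke.

The log lines are constructed sample data; the field layout and thresholds
are assumptions for this example, not any identity provider's schema.
"""
from __future__ import annotations

import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly airliner speed
MIN_DISTANCE_KM = 50.0      # assumed: ignore small geolocation jitter


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    earth_radius = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = (math.sin(d_phi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(d_lambda / 2) ** 2)
    return 2 * earth_radius * math.asin(math.sqrt(a))


def load_events(lines: list[str]) -> list[dict]:
    """Parse 'ts,user,ip,lat,lon,user_agent,session_id' lines (constructed format)."""
    events = []
    for line in lines:
        ts, user, ip, lat, lon, ua, sid = [f.strip() for f in line.split(",")]
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "lat": float(lat),
                       "lon": float(lon), "ua": ua, "sid": sid})
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def session_reuse(events: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Sessions seen from more than one (ip, user agent) pair: a replayed cookie."""
    seen: dict[str, set[tuple[str, str]]] = {}
    for e in events:
        seen.setdefault(e["sid"], set()).add((e["ip"], e["ua"]))
    return {sid: sorted(pairs) for sid, pairs in seen.items() if len(pairs) > 1}


def impossible_travel(events: list[dict]) -> list[dict]:
    """Consecutive sign-ins per user whose implied speed exceeds the threshold."""
    by_user: dict[str, list[dict]] = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf  # same instant, far apart
            if speed > MAX_PLAUSIBLE_KMH:
                findings.append({"user": user, "km": round(km),
                                 "speed_kmh": round(speed),
                                 "sessions": sorted({prev["sid"], cur["sid"]})})
    return findings


def sessions_to_revoke(events: list[dict]) -> list[str]:
    """Union of sessions implicated by either detector, ready for revocation."""
    ids = set(session_reuse(events))
    for finding in impossible_travel(events):
        ids.update(finding["sessions"])
    return sorted(ids)


# Constructed sample log. alice's session is replayed from a new IP and
# browser 25 minutes later across the Atlantic; dave gets two separate
# sessions 40 minutes apart in Berlin and Tokyo; bob is normal.
SAMPLE_LOG = [
    "2026-06-08T08:00:00Z,alice,203.0.113.10,51.5074,-0.1278,Edge/125 Windows,sess-a1",
    "2026-06-08T08:25:00Z,alice,198.51.100.7,40.7128,-74.0060,Chrome/124 Linux,sess-a1",
    "2026-06-08T09:00:00Z,bob,203.0.113.22,53.4808,-2.2426,Outlook iOS,sess-b7",
    "2026-06-08T17:30:00Z,bob,203.0.113.22,53.4808,-2.2426,Outlook iOS,sess-b7",
    "2026-06-08T10:00:00Z,dave,203.0.113.30,52.5200,13.4050,Chrome/124 Windows,sess-d1",
    "2026-06-08T10:40:00Z,dave,192.0.2.9,35.6762,139.6503,Chrome/124 Windows,sess-d2",
]
SAMPLE_EVENTS = load_events(SAMPLE_LOG)

if __name__ == "__main__":
    for sid, pairs in session_reuse(SAMPLE_EVENTS).items():
        print(f"session {sid} reused from {pairs}")
    for f in impossible_travel(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['km']} km at ~{f['speed_kmh']} km/h, sessions {f['sessions']}")
    print("revoke:", sessions_to_revoke(SAMPLE_EVENTS))
```

Session reuse is the more specific of the two signals for AitM, because a proxied login hands the attacker the same cookie the victim is using, so the identity provider sees one session from two very different clients. Impossible travel catches the case where the attacker instead signs in fresh with the relayed credentials and MFA response. Either way the response is the same: revoke the implicated sessions, force re-authentication, and check the mailbox for new inbox rules.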
Secure email is another critical layer. As we have covered, many Attacker-in-the-Middle attacks begin with phishing, shared document lures, spoofed business communications, or QR code campaigns. Advanced Email Threat Protection inspects links, attachments, sender domain and reputation, impersonation signals, and suspicious intent before the user ever sees the email or clicks on a link. This is becoming even more important as phishing attacks become more polished and convincing, especially when they mimic Microsoft 365 branding or trusted suppliers.
User awareness and training also matter. Employees should know that a convincing sign-in page is not automatically safe, that MFA challenge requests/codes should never be accepted or shared blindly, and that public Wi-Fi and QR codes both carry risk when they lead to unexpected login prompts. A fast-reporting culture is essential because early action can be the difference between a blocked phishing attempt and a full account takeover. Newer security controls for businesses are also ensuring that, regardless of the attack vector, critical business accounts are protected from Attacker-in-the-Middle style attacks.
Zero Trust Cloud Access goes beyond Web Gateway Security and Identity Access Management, which monitor the websites you visit for malicious content or activity. Zero Trust Cloud Access ensures that only trusted devices can access your business-critical online accounts, and does so by creating a connection through trusted network infrastructure only.
How can TwentyFour IT Services help protect your business?
At TwentyFour IT Services, protecting businesses from modern cyber security threats means that we have to keep up to date with the latest trends in the cyber threat landscape. As Attacker-in-the-Middle attacks have evolved, combining people, process, and technology both inside and away from the business network, we have evolved to meet and defend against these growing threats.
We help businesses reduce exposure through a layered approach with Advanced Email Threat Protection, stronger identity and access management, carefully configured MFA and conditional access policies, Zero Trust Network Access and Zero Trust Cloud Access, Endpoint Detection and Response, active monitoring, and ongoing user education about the latest threats.
If you would like to find out more and understand whether your business is protected from an Attacker-in-the-Middle style attack, reach out to our expert team for a Free Cyber Health Check.