
Article Summary: Adversary-in-the-Middle (AiTM) attacks are a modern phishing technique that steals active login sessions instead of just passwords. Understanding how AiTM works helps businesses reduce exposure through phishing-resistant sign-ins, tighter session controls and faster detection of suspicious access.
You click a link, sign in, approve the MFA prompt and get on with your day while completely unaware that someone else just logged into your account at the same moment.
That scenario surprises many businesses, particularly those that rely on multi-factor authentication (MFA) to protect cloud accounts. Yet this is exactly how Adversary-in-the-Middle (AiTM) phishing attacks work.
Rather than stealing passwords for later use, these attacks silently hijack an already-authenticated session in real time.
MFA remains a core control and getting it implemented correctly is still a critical first step for any business.
AiTM attacks exploit something MFA was never designed to protect: the trusted session that exists after authentication has completed.
Phishing Has Moved Beyond Passwords
Phishing remains the most common starting point for account compromise but the objective has changed.
Traditional phishing collected usernames and passwords. Modern phishing is after something more immediately useful: the authenticated session itself.
Security researchers have documented a significant shift toward session and token theft where attackers intercept the authentication process as it happens.
Rather than reusing stolen credentials (which MFA typically blocks) they wait until the user successfully completes login and then steal the session token that proves it already occurred.
The technique has matured quickly. Phishing-as-a-Service (PhaaS) platforms now supply ready-made proxy toolkits that let even low-skilled attackers run AiTM campaigns targeting Microsoft 365 and Google Workspace.
How AiTM Attacks Actually Work
The fake login page that isn’t fake.
An AiTM phishing site is not a basic replica of a login page. It is a live reverse proxy.
The attacker’s infrastructure sits between the user and the real authentication service. Every keystroke, redirect and server response flows through the attacker’s system in real time. From the user’s perspective, nothing looks wrong.
The page behaves exactly like the real service with correct branding, working redirects and a functioning MFA prompt. In most cases, the only clue is a slightly altered URL that goes unnoticed on a mobile screen or when someone is under time pressure.
Why doesn't MFA stop it?
This is where many security assumptions fall apart.
MFA protects the moment of authentication but not what comes after it.
Once a user successfully completes MFA, the service issues a session cookie. That cookie tells the application the user is already verified, so from that point no password or MFA prompt is required. The system trusts the token. Whoever holds the cookie holds the access.
AiTM attacks simply wait for that cookie to be issued and then steal it.
Microsoft tracked a 146% rise in AiTM attacks over the past year as cybercriminals increasingly shift focus to accounts already protected by MFA.
Much of this increase is driven by open-source reverse-proxy toolkits such as Evilginx and by PhaaS platforms built on the same model, which let even low-skilled attackers run convincing campaigns at scale against major cloud identity providers with minimal setup.
Session Cookies
Session tokens act as bearer credentials. Whoever possesses the token can access the account with no password or MFA challenge required.
Once the cookie is stolen, the attacker imports it into their own browser and immediately resumes the session.
This is session hijacking through cookie replay. The attacker does not log in. They pick up where the legitimate user left off inside a fully trusted and already-verified session.
What Happens After a Session Is Stolen
The aftermath of an AiTM attack tends to be quiet which is precisely what makes it dangerous.
The attacker is operating inside a legitimate authenticated session. There are no failed MFA attempts, no unusual login alerts and nothing in standard sign-in logs to signal a problem.
Research from Proofpoint shows that attackers who gain access through session hijacking commonly create hidden inbox rules to redirect mail, register additional MFA methods to lock in persistent access, monitor email threads for financial conversations and use the trusted account to launch phishing campaigns against internal colleagues or finance teams.
These follow-on actions are a key reason AiTM attacks are frequently uncovered late after financial fraud, data exposure or wider network compromise has already begun.
Reducing Your Exposure
MFA is still essential. Building strong authentication practices remains the starting baseline but reducing AiTM risk requires controls that extend beyond the login event itself.
Adopt Phishing-Resistant MFA
Methods like FIDO2 hardware keys and passkeys bind the credential to the legitimate domain and keep the private key on the device. The browser includes the origin the user is actually on in the data the device signs, so a challenge relayed through a look-alike domain either gets no signature at all or produces one the real service rejects. A proxy in the middle has nothing reusable to capture.
The Canadian Centre for Cyber Security analyzed over 100 AiTM campaigns targeting Microsoft Entra ID accounts. It found that phishing-resistant MFA consistently blocked session theft where standard MFA methods (including push notifications and one-time passcodes) did not.
Tighten Conditional Access Policies
Conditional Access adds a check a stolen cookie cannot satisfy on its own: policies that require a compliant or managed device, restrict access by location or network and enforce a short sign-in frequency limit how far a replayed session can get and how long it stays useful. Detection then means watching for activity after login: new MFA method registrations, inbox rules created outside business hours, a session used from a different address than the one that signed in, access from unfamiliar locations or unusual data activity.
Interactive sign-in logs alone will not surface the problem. They record one successful, MFA-satisfied login, from the proxy's address rather than the user's, and nothing about the attacker's later use of the cookie.
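As an added example of the post-login detection described above (not code from the article or from any vendor), the following runs three checks over a handful of constructed audit records: activity from a different address than the one that signed in shortly before, inbox rules that divert or delete mail or are created out of hours, and a changed MFA method. The field names loosely follow the shape of Microsoft 365 unified audit log records (CreationTime, Operation, UserId, ClientIP, Parameters, ModifiedProperties), but the records, addresses, business-hours window and 60-minute correlation window are all assumptions made for this example.

```javascript
// Added illustration (not the page's code): post-login detection over constructed
// audit records. Field names loosely follow the Microsoft 365 unified audit log;
// the records, addresses, business hours and 60-minute window are assumptions.
const RISKY_RULE_PARAMS = ['ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage'];

// Exchange cmdlet audit records carry their parameters as [{ Name, Value }] pairs.
function paramsOf(rec) {
  return Object.fromEntries((rec.Parameters || []).map(p => [p.Name, p.Value]));
}

function detectAitmFollowOn(records, { businessHours = [8, 18], windowMinutes = 60 } = {}) {
  const alerts = [];
  const lastSignIn = new Map(); // user -> { ip, time } of the most recent interactive sign-in
  const sorted = [...records].sort((a, b) => Date.parse(a.CreationTime) - Date.parse(b.CreationTime));
  for (const rec of sorted) {
    const time = new Date(rec.CreationTime);
    if (rec.Operation === 'UserLoggedIn') {
      lastSignIn.set(rec.UserId, { ip: rec.ClientIP, time });
      continue;
    }
    // 1. The session is used from a different address than the one that signed in, soon after.
    const s = lastSignIn.get(rec.UserId);
    if (s && s.ip !== rec.ClientIP && (time - s.time) <= windowMinutes * 60 * 1000) {
      alerts.push({ kind: 'session-ip-mismatch', user: rec.UserId,
        detail: `signed in from ${s.ip}, active from ${rec.ClientIP}` });
    }
    // 2. Inbox rules that hide or divert mail, or that are created outside business hours (UTC).
    if (rec.Operation === 'New-InboxRule' || rec.Operation === 'Set-InboxRule') {
      const p = paramsOf(rec);
      const reasons = RISKY_RULE_PARAMS.filter(k => k in p);
      const hour = time.getUTCHours();
      if (hour < businessHours[0] || hour >= businessHours[1]) reasons.push('outside business hours');
      if (reasons.length) {
        alerts.push({ kind: 'suspicious-inbox-rule', user: rec.UserId, detail: reasons.join(', ') });
      }
    }
    // 3. A new or changed MFA method on the account.
    const mfaChanged = (rec.ModifiedProperties || []).some(m => m.Name === 'StrongAuthenticationMethod');
    if (rec.Operation === 'Update user.' && mfaChanged) {
      alerts.push({ kind: 'mfa-method-changed', user: rec.UserId, detail: `from ${rec.ClientIP}` });
    }
  }
  return alerts;
}

// Constructed sample: alice's sign-in arrives via a proxy at 203.0.113.10, and her
// session is then used from 198.51.100.7; bob's activity is ordinary.
const SAMPLE_RECORDS = [
  { CreationTime: '2024-05-14T09:00:00Z', Operation: 'UserLoggedIn', UserId: 'bob@example.com', ClientIP: '192.0.2.5' },
  { CreationTime: '2024-05-14T09:02:00Z', Operation: 'UserLoggedIn', UserId: 'alice@example.com', ClientIP: '203.0.113.10' },
  { CreationTime: '2024-05-14T09:20:00Z', Operation: 'Update user.', UserId: 'alice@example.com', ClientIP: '198.51.100.7',
    ModifiedProperties: [{ Name: 'StrongAuthenticationMethod', NewValue: '[Authenticator app]' }] },
  { CreationTime: '2024-05-14T10:15:00Z', Operation: 'Set-InboxRule', UserId: 'bob@example.com', ClientIP: '192.0.2.5',
    Parameters: [{ Name: 'Name', Value: 'Newsletters' }, { Name: 'MoveToFolder', Value: 'Reading' }] },
  { CreationTime: '2024-05-14T21:40:00Z', Operation: 'New-InboxRule', UserId: 'alice@example.com', ClientIP: '198.51.100.7',
    Parameters: [{ Name: 'Name', Value: '..' }, { Name: 'SubjectContainsWords', Value: 'invoice' },
                 { Name: 'DeleteMessage', Value: 'True' }] },
];

console.log(detectAitmFollowOn(SAMPLE_RECORDS));
```

Run against the sample, it raises three alerts, all on alice: the MFA change 18 minutes after a sign-in from a different address (two alerts) and the late-evening rule that deletes messages about invoices. Bob's daytime rule that files newsletters into a folder raises nothing. The address-mismatch rule is a heuristic; corporate VPNs and mobile networks change addresses legitimately, so in practice it is one signal to weigh alongside the others rather than a verdict on its own.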
Train Users on URL Awareness
Employees who understand that a working MFA prompt on an unfamiliar-looking page still represents a risk are better positioned to pause, check the URL and report before a session is compromised. A brief team walkthrough of what AiTM lures look like in Microsoft 365 contexts can meaningfully reduce exposure.
Stop Protecting Just the Login Screen
MFA is a baseline rather than a finish line. The businesses that reduce AiTM risk are the ones that understand how sessions, tokens and identity trust actually work and they build controls around each layer rather than just the login screen.
Want to review your identity security controls?
Contact us or schedule a consultation to identify the gaps that matter most before an incident does it for you.
Article FAQs
What is an Adversary-in-the-Middle (AiTM) attack?
An AiTM attack is a phishing technique where attackers use a proxy to intercept login sessions in real time which allows them to steal session cookies after authentication completes.
Can AiTM attacks bypass MFA?
Yes but not by breaking MFA. AiTM attacks wait until MFA succeeds and then steal the authenticated session token so no further verification is required.
How can businesses reduce the risk of AiTM attacks?
Using phishing-resistant MFA, tightening conditional access policies, training users and monitoring for unusual session behavior all help reduce exposure.

Article summary: Passwords are the most common entry point for business data breaches and complexity rules or standard MFA still leave credential theft on the table. Passkeys are phishing-resistant by design and now supported across every major platform. A phased passkey migration reduces your attack surface, cuts IT support overhead and replaces the most exploited vulnerability in your security stack without disrupting daily work.
Every breach starts somewhere.
More often than not, it starts with a login.
A staff member reuses a password from an old account. Someone approves a convincing phishing page without a second look. A credential stolen months earlier gets quietly tested against your systems until one of them opens.
Passwords were not built for the speed or scale of today's attacks. They rely on people to remember, rotate and protect a string of characters under conditions that make that increasingly unrealistic.
That is what passkeys are designed to fix.
Getting proper authentication controls in place for your team is no longer a complicated project. Passkeys are built into the devices your staff already use and migrating to them is more manageable than most small businesses expect.
Why Passwords Are Failing Your Business
The fundamental problem with passwords is that they are shared secrets. Your system stores them. Your staff carries them. Attackers collect them at scale.
Stolen or weak credentials remain one of the most common ways attackers get in.
Verizon's 2024 Data Breach Investigations Report again found credentials among the leading factors in the incidents it studied. The attacks have gotten faster and more automated but the entry point stays the same.
Tactics like password spraying (where attackers test a short list of common passwords across hundreds of accounts) are designed to slip past lockout policies entirely. A staff member who follows every password rule can still become an entry point if their credentials have appeared in an unrelated breach somewhere else.
Password resets make the picture worse. Each one drains IT time, frustrates the person locked out and creates its own risk when the reset link travels over an email account that may already be compromised.
What Is a Passkey?
A passkey is a login credential that uses cryptography instead of a memorized secret.
When a passkey is created, the device generates two linked keys. The private key stays on the device and never leaves it. The public key is stored by the service. To log in, the service sends a cryptographic challenge. The device signs it using the private key and authentication is complete.
No password changes hands. Nothing reusable is transmitted: the signature is valid only for that one challenge, and the public key the service holds cannot be used to log in.
Passkeys are built on FIDO2/WebAuthn which are open standards developed by the FIDO Alliance, a cross-industry consortium, and the World Wide Web Consortium (W3C).
Because the credential is bound to the exact website it was registered with, a fake login page cannot use it. The browser only offers the passkey to that site's domain and includes the actual page origin in what the device signs, so a challenge relayed from a look-alike domain fails verification at the technical level.
What Passkeys Actually Change
The security argument stands on its own. However, passkeys also reduce friction in ways that show up in day-to-day operations.
Organizations report up to 81% fewer sign-in-related help desk calls after deploying passkeys.
The FIDO Alliance's Passkey Index tracks real-world deployment data from Amazon, Google, Microsoft, PayPal and others. Passkeys achieve a 93% login success rate compared to 63% for traditional methods.
For staff, the experience is noticeably simpler. Where MFA (multi-factor authentication) requires a password and a one-time code, a passkey replaces both with a single biometric prompt. If you have ever weighed the different MFA options available and found that they all add a layer of friction, passkeys are where that trade-off resolves.
Microsoft reports passkeys are three times faster than traditional passwords and eight times faster than password plus MFA. That is not just convenience. It is operational time recovered across every login every single day for every person on your team.
Your Step-by-Step Passkey Migration Plan
Migrating to passkeys doesn't mean flipping a switch. A phased rollout keeps work moving while steadily reducing your dependence on passwords.
1. Audit your current logins.
Start by listing every system your staff authenticates into: email, line-of-business apps, cloud storage, accounting tools, remote access. Note which platforms already support passkeys. Most major ones do including Microsoft 365, Google Workspace and the majority of common SaaS tools.
If a platform doesn't support passkeys yet, note it separately. That is not a blocker for getting started. It just means those accounts stay password-protected for now.
2. Prioritize your highest-risk accounts.
Start with the accounts attackers target first: admin logins, finance tools, anything holding sensitive client data or giving broad system access. These benefit most from phishing-resistant credentials and migrating them first moves the security needle fastest.
3. Choose your authentication method.
Most staff can use devices they already own. Windows Hello, Apple Face ID and Touch ID and Android biometrics all support passkeys natively. For shared workstations or roles that require higher assurance, hardware security keys are the more controlled option.
4. Roll out in phases instead of all at once.
Enroll a pilot group first. IT staff or a handful of technically comfortable team members are the best choice. Work through any friction, refine the enrollment steps and document what you learn. Then expand to the wider organization in manageable waves.
Keep passwords available as a fallback during the transition. The goal is a gradual shift rather than a hard cutover that leaves anyone stuck.
5. Plan account recovery before you need it.
The most common concern about passkeys is what happens when an employee loses or breaks their device. The answer is to sort this out before rollout instead of after.
Synced passkeys backed up through Microsoft, Google or Apple accounts can be restored on a new device using the employee's existing account access. For hardware key setups, a documented recovery process and a backup key for the most critical roles are both worth the effort to set up now.
Time to Move Your Team Off Passwords
Passwords will remain part of the landscape for a while. However, every account you migrate to a passkey removes a target.
A passkey migration doesn't need to be a major project. It needs a clear account inventory, a sensible rollout sequence and a recovery plan that is documented and tested before anyone relies on it.
Contact Sound Computers to schedule a consultation. We can help you map which accounts to prioritize, guide your team through enrollment and make sure recovery is covered before you go live. Call us at (860) 577-8060, reach us online or email info@soundcomputers.net.
Article FAQs
What is a passkey?
A passkey is a login credential based on a cryptographic key pair rather than a memorized password. The private key stays on your device and is unlocked by a fingerprint, face scan or PIN. The service stores only the public key, which cannot be used to log in, so there is nothing to phish and nothing useful to steal in a breach of the service.
Are passkeys more secure than passwords?
Yes. Passkeys are bound to the specific website they were created for so they cannot be used on fake login pages. There is no shared secret to steal. They eliminate the main attack categories that compromise password-based accounts: phishing, credential stuffing and password reuse.
Do passkeys work for small businesses?
Yes. Passkeys are built into Windows, macOS, iOS and Android and are supported by Microsoft 365, Google Workspace and most widely used business applications. A small business can migrate in phases using the devices its staff already own without specialist hardware.

A password manager helps keep our online accounts safe. It stores all of our passwords in one place. But can it be hacked?
What are Password Managers?
Password managers are like digital vaults. They store all of your passwords in one encrypted place. You need only remember one master password. This makes keeping a lot of accounts much easier to handle.
How Do They Work?
You make one master password. The manager encrypts your other passwords with a key derived from it, turning them into an unreadable form that cannot be decrypted without that key.
Why Use Them?
People use password managers for convenience and security. One reason is the difficulty of remembering several strong passwords. A password manager allows you to generate and securely store all of them.
Can Password Managers be Hacked?
Hackers always hunt for ways to steal your information. However, breaking into a password manager is not easy.
Security Measures
Password managers use strong encryption. This makes your vault unreadable to hackers without the key. Most also support two-factor authentication (2FA), which adds a further layer of security.
No system is perfect. If a hacker gets your master password, they can access your vault. A few managers have had security issues in the past but these are rare.
How Can You Protect Your Password Manager?
You can take steps to keep your password manager safe.
Choose a Strong Master Password
Make your master password long and unique. Use a mix of letters, numbers and symbols.
Enable Two-Factor Authentication
2FA adds a layer of security. Even if someone knows your password, they need another code to log in.
Keep Software Up-to-Date
Always update your password manager. Updates fix security issues and keep your data safe.
What Happens If a Password Manager Gets Hacked?
If a password manager is hacked, the consequences can be serious. Hackers could gain access to all your passwords.
Immediate Actions
Change your master password immediately. Decide which accounts could be affected and change their passwords as well.
Long-Term Solutions
Consider switching to another password manager if yours has been compromised before. Keep up to date with any security news about your manager.
Is the Use of Password Managers Worth the Risks?
Despite the risks, many people still use password managers. They make managing passwords much easier. It is also safer than trying to remember them all yourself.
Benefits Outweigh Risks
The benefits of using password managers usually outweigh the risks. They help you create strong and unique passwords for each account.
Trustworthy Options
Choose a reputable password manager with good reviews and security features. Do some research before deciding which one to use.
Take Control of Your Online Security Today!
Using password managers will go a long way in enhancing your online security. Remember to choose a strong master password. You should also use two-factor authentication and keep your software updated.
If you have any questions or need help in the selection of a password manager, contact us today!

Passwords unlock our digital lives. We use them for email, bank accounts and more. Remembering all these passwords is hard. Password managers help us keep our accounts safe and make our lives easier.
What is a Password Manager?
A password manager keeps all your passwords in one place. Think of it as a digital safe for your login information.
You only need to remember one master password. This master password lets you access all your other passwords.
Types of Password Managers
Password managers come in different forms:
- Apps you download on your phone or computer
- Tools that work in your web browser
- A mixture of both options
Password managers encrypt your information strongly. When you save a password, the manager scrambles it. This makes the password unreadable to anyone who tries to steal it.
Why Use a Password Manager?
It Helps You Create Strong Passwords
Most people use weak passwords because they can remember them. However, weak passwords are easy for bad guys to guess. Password managers generate long and random passwords that are hard to crack.
It Remembers Your Passwords
With a password manager, you don’t need to memorize many passwords. The tool does this for you. You can use a unique and strong password for each account without forgetting them.
It Keeps Your Passwords Safe
Password managers use high-level security to protect your data. They encrypt your passwords. Even if someone hacks the password manager company, they cannot read your vault without your master password.
Features of a Password Manager
Password Generation
Good password managers can create tough and unique passwords for you. They mix letters, numbers and symbols to make passwords hard to guess.
Auto-Fill
Many password managers can fill in your login information on websites. This saves time and avoids typos.
Secure Notes
Some password managers let you store other sensitive information too. This can include credit card numbers or important documents.
Password Sharing
Some tools let you share passwords safely with family or coworkers. This helps with joint accounts or team projects.
Are Password Managers Safe?
Password managers are very secure when used correctly. They encrypt your data strongly. This means your password gets scrambled. It is almost impossible for hackers to unscramble it without the right key.
Nothing is perfect. Choose a password manager with a good reputation and regular security checks.
How to Choose a Password Manager
Look for these things when picking a password manager:
Security Features
Find one with strong encryption and two-factor authentication. These features keep your information extra secure.
Ease of Use
The best password manager is one you will use. Find one that is easy for you to understand and use.
Device Compatibility
Make sure the password manager works on all your devices. This includes your phone, tablet and computer.
Price
Some password managers are free and others cost money. Paid ones often offer more features. Research what you want and what you can afford.
Tips for Using a Password Manager Safely
- Create a strong master password.
- Use two-factor authentication.
- Never share your master password.
- Update your password manager regularly.
- Be careful when using password managers on other people’s computers.
- Always log out when you are done.
What If You Forget Your Master Password?
Forgetting your master password is a big problem. Most password managers don’t store your master password anywhere for security reasons. Some managers offer account recovery options like security questions or a recovery key. Know what to do if you forget your master password.
Can Password Managers Be Hacked?
No system is 100% secure. Password managers can be hacked but it rarely happens. Good password managers are designed so that a breach of their servers exposes only encrypted vaults, which stay unreadable without each user's master password.
The biggest risks often come from user mistakes. Weak master passwords or falling for phishing attacks can put your passwords at risk. Follow good security practices to stay safe.
How Does a Password Manager Compare to Browser Password Saving?
Browsers often offer to save your passwords. This is convenient but less secure than a dedicated password manager. Here’s why:
- Browsers don’t always encrypt saved passwords as strongly
- They don’t offer as many features
- They don’t work across all your devices and browsers
- They’re more vulnerable if someone gets your computer
Is a Free Password Manager Enough?
Free password managers can be a good start. They offer basic features to improve your online security. Paid versions often have more features:
- Sync across more devices
- More storage for passwords and other data
- Extra features like secure file storage
- Better customer support
What About a Built-in Phone Password Manager?
Most smartphones have a built-in password manager. This might be good enough for some users. It is convenient and works well with your phone. There are some limits:
- They might not work well on different types of devices.
- They have fewer features than standalone password managers.
- They might not be as secure as specialized tools.
Built-in tools can work for basic password management. For more advanced needs, a standalone password manager is better.
How Do Password Managers Handle Data Breaches?
A good password manager offers features to help with data breaches:
- Warnings if a site you use is compromised
- Tools to check if your passwords have leaked online
- Easy ways to change many passwords quickly
These features help you act fast if your data is in danger.
Do Password Managers Work Offline?
Many password managers can work offline. They keep an encrypted copy of your passwords on your device. This lets you view them without an internet connection. However, some features might not work offline. For example, you can’t sync new passwords across devices until you go online.
How Often Should You Change Your Passwords?
Experts used to say you should change passwords often. Many now say that strong and unique passwords are enough. You only need to change them when necessary.
A password manager makes this easier. It helps you create strong passwords and keep track of when you last changed them.
What is the Future of Password Managers?
Password managers keep improving. Some new trends include:
- Login options without passwords
- Better integration with other security tools
- More use of fingerprints or facial recognition
- Advanced password sharing without showing the actual passwords
As online threats change, password managers will keep evolving to keep us safe.
Secure Your Digital Life Today
Password managers are powerful tools for online security. They make it easy to use strong and unique passwords for all your accounts. This greatly reduces your risk of a cyber attack.
Consider using a password manager today to improve your online security. If you need help choosing or setting up a password manager, ask for help. We are here to make your digital life safer.

Passwords are an essential and foundational aspect of business cybersecurity. These strings of letters, numbers and symbols are vital to securing company data. If they fall into the wrong hands, they can put your business at risk of data protection and compliance failures. This is why a password manager is a good idea.
