How AiTM Phishing Is Bypassing Microsoft Security Through Session Hijacking


Basim Ibrahim

Cybersecurity Lead

Adversary-in-the-middle phishing, commonly called AiTM phishing, has quietly moved from being a niche attack method to a mainstream threat. Over the last few months, multiple disclosures from Microsoft and other security vendors have shown a clear pattern. Attackers are no longer trying to break into systems by force. They are walking in through the front door, using trusted Microsoft services, familiar login pages, and legitimate user sessions.

This is not a theoretical risk. On January 21, 2026, the Microsoft Defender Security Research Team issued a major warning about a multi-stage AiTM and Business Email Compromise campaign targeting organisations in the energy sector. The campaign clearly showed how attackers are abusing Microsoft SharePoint, Microsoft Entra ID, and standard authentication flows to compromise accounts at scale. These attacks bypass traditional security controls, including multi-factor authentication, and then expand into full BEC operations.

What makes AiTM phishing especially dangerous is not just the initial credential theft. It is how attackers maintain access, hide their activity, and reuse compromised identities to move deeper across organisations. Many teams still believe that resetting a password closes the incident. In the AiTM world, that assumption no longer holds.

Understanding AiTM phishing in simple terms

AiTM phishing sits somewhere between traditional phishing and full account takeover. In a classic phishing attack, a user enters their username and password into a fake website. In most modern Microsoft environments, this is no longer enough, because MFA blocks the login.


AiTM phishing changes the model by placing the attacker directly in the middle of a real authentication session. The victim clicks a link, usually pointing to a trusted-looking Microsoft SharePoint or OneDrive page. The login prompt appears legitimate because it often is legitimate. The attacker relays the authentication flow in real time. When the user completes MFA, the attacker captures the session cookie.

That session cookie is the real target. With it, the attacker can sign in as the user without needing the password or MFA again. From Microsoft’s point of view, the session looks valid. This is how MFA is bypassed without actually being broken.

Why Microsoft environments are being targeted

Microsoft 365, SharePoint, OneDrive, and Entra ID are deeply embedded in enterprise operations. Employees share files, approve documents, and collaborate daily using these platforms. Familiarity builds trust, and attackers take full advantage of it. In fact, Microsoft consistently ranks among the top impersonated brands, making its users prime targets for phishing and other social engineering attacks.

Microsoft’s recent advisory highlights attackers abusing SharePoint document-sharing workflows. Emails arrive from trusted vendors or internal contacts with subject lines such as “NEW PROPOSAL – NDA.” The link points to SharePoint, and because it originates from a legitimate address, there are no obvious warning signs.

This approach is commonly described as Living-off-Trusted-Sites. Instead of building malicious infrastructure, attackers weaponise legitimate Microsoft services. This helps them bypass email security tools and lowers user suspicion. In the energy sector campaign, Microsoft noted that the initial emails often came from already compromised accounts belonging to trusted organisations, allowing attackers to pivot into multiple environments with ease.

A real-world attack chain

To understand why these attacks are effective, it helps to look at how a typical AiTM campaign unfolds.


The first stage is initial access. A phishing email is sent from a legitimate, compromised mailbox. The message mimics a SharePoint document-sharing notification and includes a SharePoint URL that requires authentication.

In the second stage, the victim clicks the link and is redirected to a credential prompt. The page looks normal. The user enters their Microsoft credentials and completes MFA. At this point, the attacker captures the session cookie. The victim may even be redirected to a harmless page, leaving them unaware that anything went wrong.

Next comes persistence. Microsoft’s investigation found that attackers quickly create inbox rules to delete all incoming emails and mark messages as read. This prevents victims from seeing security alerts, password reset emails, or replies from colleagues.

The campaign then escalates into business email compromise. In one case cited by Microsoft, the attacker sent more than 600 phishing emails to contacts both inside and outside the organisation. The attacker actively monitored the inbox, replied to recipients who questioned the email’s authenticity, and then deleted those conversations to remove evidence.

Why password resets are failing

One of the most important takeaways from Microsoft’s findings is that traditional remediation steps are no longer sufficient.

In an AiTM attack, resetting the password does not invalidate an active session cookie. Microsoft also observed attackers modifying MFA settings after gaining access, such as adding new authentication methods tied to devices they control. This means that even after a password reset, attackers can regain access without triggering suspicion.

Effective remediation must include revoking all active sessions, reviewing and removing malicious inbox rules, and auditing MFA settings to ensure no unauthorised changes were made.
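The inbox-rule persistence described above, and the rule review that the remediation step calls for, can be automated over Microsoft 365 audit records. The following is an added example, not code from the article: it flags New-InboxRule / Set-InboxRule operations whose rules delete or mark-as-read mail without any scoping condition, i.e. catch-all rules. The audit record shape and the sample records are constructed assumptions.

```python
"""Flag inbox rules that hide incoming mail (AiTM persistence pattern).

Added example, not from the original article: it scans Microsoft 365
Unified Audit Log records for New-InboxRule / Set-InboxRule operations and
flags rules that delete or mark-as-read mail without any condition, i.e.
rules that apply to every message. The sample records are constructed.
"""

# Rule parameters that stop the user from seeing a message.
HIDING_ACTIONS = {"DeleteMessage", "SoftDeleteMessage", "MarkAsRead", "MoveToFolder"}
# Parameters that scope a rule; a hiding rule with none of them is a catch-all.
CONDITIONS = {"From", "SentTo", "SubjectContainsWords", "BodyContainsWords",
              "FromAddressContainsWords"}

def rule_params(record):
    """Flatten the audit record's Parameters list into {name: value}."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def is_enabled(value):
    """Boolean-like parameters are logged as the strings 'True'/'False'."""
    return str(value).strip().lower() not in ("", "false")

def suspicious_rules(records):
    """Return (user, operation, actions) for every catch-all hiding rule."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = rule_params(rec)
        actions = sorted(a for a in HIDING_ACTIONS if is_enabled(params.get(a, "")))
        if actions and not any(c in params for c in CONDITIONS):
            findings.append((rec["UserId"], rec["Operation"], actions))
    return findings

# Constructed sample records (shape follows Exchange admin audit entries).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "victim@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "Newsletter"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "MailItemsAccessed", "UserId": "victim@example.com"},
]

if __name__ == "__main__":
    for user, op, actions in suspicious_rules(SAMPLE_RECORDS):
        print(f"REVIEW {user}: {op} with catch-all actions {actions}")
```

Any rule this flags should be reviewed alongside session revocation and an MFA-method audit for the same user, since the three usually appear together in one compromise.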

MFA is still necessary, but not sufficient

There is a growing and dangerous misconception that the rise of AiTM phishing makes MFA ineffective. That conclusion is incorrect. MFA remains the single most effective barrier against bulk, automated credential stuffing and basic phishing attacks. In fact, the very existence of AiTM techniques is proof that MFA is working: it has forced attackers to move away from simple password theft and invest in expensive, real-time proxy infrastructure to stand a chance of gaining access.

However, the industry must now acknowledge that not all MFA methods offer the same level of protection. Traditional methods like SMS codes, voice calls, and even standard “App Push” notifications are now considered legacy defences against targeted AiTM campaigns. Because these methods rely on a user manually entering a code or hitting “Approve” on a page they believe is legitimate, they are easily relayed by an attacker’s proxy server in real time.

To counter this, Microsoft and other security leaders are urging organizations to transition toward Phishing-Resistant MFA. This includes technologies such as FIDO2 security keys, passkeys, and certificate-based authentication. These methods are immune to AiTM attacks because they create a unique cryptographic bond between the user’s physical device and the specific, legitimate domain (such as login.microsoftonline.com). If an attacker attempts to sit in the middle using a proxy domain, the cryptographic handshake will fail automatically without requiring any judgment from the user.
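The “cryptographic bond” to the legitimate domain is concrete: a WebAuthn assertion carries the page origin the browser actually saw and a hash of the relying-party ID, and the relying party rejects both if they do not match its own domain. The following is an added illustration, not the article’s or Microsoft’s code, simplified to those two checks (signature verification is omitted) with a constructed proxy host name.

```python
"""Why a FIDO2/passkey assertion fails through an AiTM proxy.

Added example, not from the article: a minimal relying-party check of two
WebAuthn assertion fields, the origin in clientDataJSON and the rpIdHash in
authenticatorData. A proxy on another domain makes the browser report that
domain as the origin and derive the RP ID from it, so both checks fail.
"""
import hashlib
import json

EXPECTED_RP_ID = "login.microsoftonline.com"   # domain named in the article
EXPECTED_ORIGIN = "https://" + EXPECTED_RP_ID

def make_client_data(origin, challenge):
    """Simplified clientDataJSON: the browser fills in the real page origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()

def make_authenticator_data(rp_id):
    """Simplified authenticatorData: rpIdHash (32 bytes) + flags + counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"

def verify_binding(client_data_json, authenticator_data, expected_challenge):
    """Return (ok, reason); the signature would only be checked after these pass."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replayed assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    return True, "ok"

def simulate(page_host, challenge):
    """The browser signs for the host the user is really on, not the one shown."""
    client_data = make_client_data("https://" + page_host, challenge)
    auth_data = make_authenticator_data(page_host)
    return verify_binding(client_data, auth_data, challenge)

if __name__ == "__main__":
    print(simulate("login.microsoftonline.com", "c1"))   # legitimate page
    print(simulate("proxy.example", "c1"))               # constructed proxy host
```

A relayed push approval or one-time code carries no such origin, which is exactly why those factors can be forwarded by a proxy and a passkey cannot.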


The role of Conditional Access and continuous evaluation


Microsoft Entra Conditional Access has moved beyond a simple “if/then” check at login. It now continuously evaluates risk in real time, analyzing signals such as device compliance through Intune, IP reputation for suspicious or known proxy addresses, and User Risk scores based on anomalous behavior.

The key improvement against session hijacking is Continuous Access Evaluation (CAE). In traditional setups, a stolen session cookie could be reused until it expired, even after a password reset. CAE closes that gap by letting Microsoft 365 services like Exchange, SharePoint, and Teams revalidate access almost immediately.

If a critical event occurs, such as a sudden sign-in from a new country (the “impossible travel” detection) or an admin revoking a session, CAE ensures the session token is invalidated within minutes. This directly addresses the tactics seen in recent AiTM campaigns, where attackers rely on silent access to manipulate inbox rules and launch internal phishing attacks. By combining risk-based policies with CAE, organisations can end a hijacked session as soon as an anomaly is detected.

What organisations should change now

The recent wave of AiTM campaigns should be treated as a clear warning. Identity has become the primary attack surface.

Organisations should prioritise phishing-resistant MFA for high-risk users and privileged accounts. Conditional Access policies must be reviewed and tightened. Session revocation should be a standard step in every identity incident response process.

As Microsoft highlighted in its January 2026 advisory, mailbox monitoring, inbox rule audits, and rapid response workflows are no longer optional. Security teams must assume that some users will click on convincing phishing links and design controls with that reality in mind.

AiTM phishing is not succeeding because Microsoft platforms are weak. It is succeeding because attackers understand cloud identity systems deeply and exploit the gaps between authentication, session handling, and response processes.

Microsoft continues to improve detections, abuse prevention, and identity protections. That progress matters. But technology alone is not enough. Configuration discipline, continuous monitoring, and decisive response actions matter just as much.

For organisations that still treat identity compromise as a simple password reset issue, the risk will only increase. AiTM phishing is not an emerging threat. It is already reshaping how attackers compromise Microsoft environments. The real question is whether defenders are prepared to adapt at the same speed.

At iConnect, we offer comprehensive phishing protection services tailored for the UAE’s high-risk sectors. By combining AI-driven threat detection with automated security validation, we help identify vulnerabilities in your Microsoft 365 environment before attackers do. From deploying advanced email gateways to running targeted phishing simulations, we ensure your team acts as a proactive line of defence rather than a point of entry.
