Adversary‑in‑the‑Middle (AiTM) Attacks: How To Stop Them

Cybercriminals are rapidly evolving, and one of the most dangerous techniques on the rise is the Adversary‑in‑the‑Middle (AiTM) attack. These attacks bypass traditional defenses, including any MFA method that relies on a code or an approval the user can be tricked into supplying, and allow attackers to hijack accounts, impersonate executives, and initiate fraudulent activity.

For modern businesses relying heavily on cloud services like Microsoft 365, Google Workspace, and financial SaaS platforms, AiTM attacks represent a serious, growing threat.

This article breaks down how AiTM attacks work, why they’re so effective, what Microsoft 365 settings can help mitigate them, and how a layered defense strategy, specifically Huntress and ThreatLocker, protects organizations from being compromised.

What Is an AiTM Attack?

An Adversary‑in‑the‑Middle attack is a specialized phishing method where the attacker inserts a real‑time proxy between the user and a legitimate login page.

This proxy captures:

  • Credentials
  • MFA codes
  • Session cookies (the objective)

Even if the victim completes MFA successfully, the attacker ends up holding the authenticated session cookie, which already carries the MFA claim, and can use it to sign in without a password or another MFA prompt.

How AiTM Attacks Work:

1: Phishing Email

An AiTM attack typically starts with a convincing email, such as a Microsoft sign‑in prompt, DocuSign request, invoice notification, or shared file link.

2: Proxy-Based Fake Login

After receiving this email, the victim clicks the link and lands on what looks exactly like the Microsoft 365 sign-in page. It looks identical because it is the real sign-in page, fetched and relayed by an attacker-controlled proxy on a look-alike domain. The only visible tell is the address bar.

3: Real-Time MFA Relay

The user enters their password and MFA code (or approves the push prompt), and the proxy forwards each of them to the real login page as they arrive.

To the victim, nothing seems suspicious.

4: Session Cookie Theft

Once the real login page issues the session cookie, the proxy records it before passing the signed-in page back to the victim. That cookie represents a session that has already satisfied MFA, so whoever presents it is not prompted again.

5: Persistent Access

The attacker imports the stolen cookie into a browser on their own infrastructure and opens the real Microsoft 365 tenant. The tenant sees a valid, MFA-satisfied session, so the attacker appears as the legitimate user even though the request comes from a different device and network, and the session can be kept alive for as long as the tenant's token lifetime policy allows.

Why AiTM Attacks Are So Dangerous

Once attackers gain a session token, they can:

  • Hijack accounts to launch wire fraud
  • Exfiltrate email, SharePoint, OneDrive, and Teams data
  • Create forwarding rules to spy quietly
  • Grant malicious OAuth apps for persistence
  • Move laterally into other systems
  • Trigger compliance or reporting violations

Detection is challenging because everything appears to be normal user behavior.

Microsoft 365 Settings & Policies That Help Mitigate AiTM Attacks

While no single control entirely stops AiTM, Microsoft 365 has several powerful features that drastically reduce the attack surface and limit token replay.

1. Enforce Phish‑Resistant Multi-Factor Authentication (MFA)

SMS, voice and one-time codes are all relayed by an AiTM proxy: the user types the code into the attacker's page and the proxy submits it to the real sign-in page in real time. Microsoft Authenticator push with number matching defends against MFA fatigue (prompt bombing), but the proxy relays the number the user is asked to match just like any other page content, so it does not stop AiTM on its own. Only credentials bound to the origin of the real sign-in page, namely FIDO2 security keys, passkeys and Windows Hello for Business, cannot be relayed, because the browser refuses to complete the authentication for a look-alike domain.

  • What you should enable:
    • FIDO2 security keys or passkeys, enforced through a Conditional Access authentication strength set to phishing-resistant MFA
    • Windows Hello for Business on managed Windows devices
    • Microsoft Authenticator with number matching as the interim fallback, not the end state
  • What you should disable:
    • SMS and voice MFA
    • Legacy authentication (see section 4)

2. Conditional Access Token Protection

Conditional Access token protection (sometimes called token binding) is currently one of the strongest defenses against the replay step.

Token protection cryptographically binds the sign-in session token to the device that obtained it. A token copied off that device, which is exactly what an AiTM proxy does, cannot be used to obtain new access tokens from anywhere else, so the stolen session is worthless to the attacker. The caveat: at the time of writing, token protection covers only specific combinations of client (Windows desktop apps on Entra-registered, joined or hybrid-joined Windows devices) and service (for example Exchange Online, SharePoint Online and Teams). Check Microsoft's current support matrix before assuming a resource is protected, and deploy the policy in report-only mode first to find the clients it would block.

Our recommendation:

  • Require token protection for admins
  • Require token protection for high‑risk users
  • Pair token protection with compliant device enforcement
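The toy model below is an added illustration, not code from this page, from Microsoft, Huntress or ThreatLocker. It plays out steps 3 to 5 of the attack chain above against a constructed identity provider and then shows why token protection defeats the replay: a bearer session cookie is honoured from whoever presents it, while a session bound to a per-device key also requires a proof the relay never sees. The identity provider, the relay, the user record and the HMAC proof-of-possession scheme are all stand-ins (Microsoft's implementation binds tokens to device-held keys rather than a shared HMAC secret); the shape of the check is the point.

```python
"""Toy AiTM relay against a toy identity provider, with and without device-bound sessions.

Constructed for illustration: IdentityProvider, AitmRelay, the test user and the HMAC
proof-of-possession scheme are stand-ins, not Microsoft's implementation.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def sign_request(device_key: bytes, cookie: str, path: str) -> str:
    """Proof that the caller holds the device key: an HMAC over the cookie and the path."""
    return hmac.new(device_key, f"{cookie}|{path}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Stand-in for the real sign-in service: password plus one-time code, then a cookie."""

    def __init__(self) -> None:
        self.users = {"alice": {"password": "correct-horse", "otp": "482913"}}  # constructed user
        self.device_keys: Dict[str, bytes] = {}                    # device id -> key from enrolment
        self.sessions: Dict[str, Tuple[str, Optional[str]]] = {}   # cookie -> (user, bound device)

    def enroll_device(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def login(self, user: str, password: str, otp: str,
              device_id: Optional[str] = None) -> Optional[str]:
        """Issue a session cookie. With device_id, the session is bound to that enrolled device."""
        rec = self.users.get(user)
        if rec is None or rec["password"] != password or rec["otp"] != otp:
            return None
        if device_id is not None and device_id not in self.device_keys:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = (user, device_id)
        return cookie

    def request(self, cookie: str, path: str, proof: Optional[str] = None) -> int:
        """Authorise a request. A bearer session needs only the cookie (this is what the
        attacker relies on); a bound session also needs a proof from the enrolled device."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return 401
        _user, device_id = sess
        if device_id is None:
            return 200
        expected = sign_request(self.device_keys[device_id], cookie, path)
        if proof is None or not hmac.compare_digest(expected, proof):
            return 401
        return 200


class AitmRelay:
    """The attacker's proxy: forwards what the victim types to the real service in real
    time (step 3) and keeps a copy of the cookie that comes back (step 4)."""

    def __init__(self, idp: IdentityProvider) -> None:
        self.idp = idp
        self.captured: Optional[str] = None

    def fake_login_page(self, user: str, password: str, otp: str,
                        device_id: Optional[str] = None) -> Optional[str]:
        cookie = self.idp.login(user, password, otp, device_id)
        self.captured = cookie      # stolen; the victim's sign-in still succeeds, so nothing looks wrong
        return cookie


def run_scenario(bind_to_device: bool) -> Tuple[int, int, int]:
    """Returns HTTP-style statuses for: the victim, the attacker replaying the bare cookie,
    and the attacker replaying it with a proof from a device they enrolled themselves."""
    idp = IdentityProvider()
    victim_key = idp.enroll_device("victim-laptop")
    relay = AitmRelay(idp)
    device = "victim-laptop" if bind_to_device else None

    cookie = relay.fake_login_page("alice", "correct-horse", "482913", device)
    assert cookie is not None and relay.captured == cookie
    victim_proof = sign_request(victim_key, cookie, "/mail") if bind_to_device else None
    victim_status = idp.request(cookie, "/mail", victim_proof)

    # Step 5: replay from the attacker's own machine. They hold the cookie but not the
    # victim's device key; enrolling their own device does not help, because the session
    # is bound to the device that signed in.
    attacker_status = idp.request(cookie, "/mail", None)
    attacker_key = idp.enroll_device("attacker-vps")
    forged_status = idp.request(cookie, "/mail", sign_request(attacker_key, cookie, "/mail"))
    return victim_status, attacker_status, forged_status


if __name__ == "__main__":
    print("bearer session:", run_scenario(bind_to_device=False))   # (200, 200, 200)
    print("bound session: ", run_scenario(bind_to_device=True))    # (200, 401, 401)
```

With a bearer cookie every party gets 200: the replay is indistinguishable from the victim. With the bound session the victim still works and both attacker attempts get 401, which is the behaviour token protection aims for on the clients and services it covers.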

3. Conditional Access: Require Compliant or Entra ID Joined Devices

A stolen token is presented from the attacker's machine, which is not enrolled in Intune and not joined to your tenant. If Conditional Access requires a compliant or joined device for the resource, the attacker's request fails the device check and access to the resource is denied, even though the token itself is valid.

Policies that enforce compliant devices include:

  • Require a compliant device
  • Require Hybrid Join or Entra ID Join
  • Block unmanaged devices from accessing M365

4. Block Legacy Authentication Completely

Legacy (basic) authentication protocols do not support modern authentication, so Conditional Access cannot apply MFA or token protection to them; they are also a convenient way to use a phished password without ever meeting the MFA prompt.

To ensure your company stays protected, disable:

  • IMAP / POP with basic authentication
  • SMTP AUTH, except on the individual mailboxes (scanners, line-of-business apps) that genuinely need it
  • Other legacy Exchange Online protocols, and confirm a Conditional Access policy blocks the "Exchange ActiveSync clients" and "Other clients" app types

5. Harden Network & Session Controls

You can harden network and session controls by:

  • Blocking sign-ins from countries you never operate in
  • Blocking unfamiliar IP address ranges, or requiring MFA plus a compliant device outside your named trusted locations
  • Setting a strict sign-in frequency so tokens must be re-obtained regularly
  • Disallowing persistent browser sessions
  • Lowering session lifetime for administrators

Location rules raise the bar but are not a control on their own: AiTM operators routinely replay tokens from cloud hosting or residential proxies inside the victim's own country, so pair them with the device and token controls above.
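To turn sections 2 to 5 into tenant-ready policy, the following added example (not code from this page or from Microsoft) builds the Conditional Access policy bodies as JSON for the Microsoft Graph endpoint POST /identity/conditionalAccess/policies and lints them for the mistake that locks administrators out: a policy with no break-glass exclusion. Assumptions: BREAK_GLASS_GROUP is a placeholder object id, the Global Administrator role template id is the well-known value but should be verified in your tenant, and the property names follow the Graph conditionalAccessPolicy schema as understood at the time of writing, with the sessionControls.secureSignInSession flag for token protection in particular to be checked against current Microsoft documentation before use. Nothing here talks to Graph; it only builds and checks the bodies.

```python
"""Build and lint Conditional Access policy bodies for the AiTM controls above.

Added example, not the page's or Microsoft's code. Property names follow the Graph
conditionalAccessPolicy schema as understood at the time of writing; BREAK_GLASS_GROUP is
a placeholder. Running it prints the JSON you would POST to
https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
"""
import json
from typing import Dict, List

BREAK_GLASS_GROUP = "00000000-0000-0000-0000-000000000000"  # placeholder: emergency-access accounts group
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template id (verify)
REPORT_ONLY = "enabledForReportingButNotEnforced"            # always start here, then flip to "enabled"


def _base(name: str) -> Dict:
    return {
        "displayName": name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
        },
    }


def block_legacy_auth() -> Dict:
    """Section 4: block Exchange ActiveSync and 'other clients' (basic auth) for everyone."""
    p = _base("CA001 - Block legacy authentication")
    p["conditions"]["clientAppTypes"] = ["exchangeActiveSync", "other"]
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def require_managed_device() -> Dict:
    """Section 3: a replayed token fails unless it arrives from a compliant or joined device."""
    p = _base("CA002 - Require compliant or Entra joined device")
    p["conditions"]["clientAppTypes"] = ["browser", "mobileAppsAndDesktopClients"]
    p["grantControls"] = {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]}
    return p


def token_protection_for_admins() -> Dict:
    """Section 2: token protection, scoped to the clients and services it currently supports."""
    p = _base("CA003 - Token protection for privileged roles")
    p["conditions"]["users"] = {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeGroups": [BREAK_GLASS_GROUP]}
    p["conditions"]["applications"] = {"includeApplications": ["Office365"]}
    p["conditions"]["platforms"] = {"includePlatforms": ["windows"]}
    p["conditions"]["clientAppTypes"] = ["mobileAppsAndDesktopClients"]
    p["sessionControls"] = {"secureSignInSession": {"isEnabled": True}}  # token protection (verify property name)
    return p


def admin_session_limits() -> Dict:
    """Section 5: short sign-in frequency and no persistent browser session for admins."""
    p = _base("CA004 - Admin session limits")
    p["conditions"]["users"] = {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeGroups": [BREAK_GLASS_GROUP]}
    p["conditions"]["clientAppTypes"] = ["browser", "mobileAppsAndDesktopClients"]
    p["sessionControls"] = {
        "signInFrequency": {"value": 4, "type": "hours", "isEnabled": True},
        "persistentBrowser": {"mode": "never", "isEnabled": True},
    }
    return p


def lint(policy: Dict) -> List[str]:
    """Checks worth running before POSTing: a break-glass exclusion is present, the policy
    actually does something, and a 'block' for All users is not shipped straight to enabled."""
    problems = []
    users = policy["conditions"]["users"]
    if not users.get("excludeGroups") and not users.get("excludeUsers"):
        problems.append("no break-glass exclusion")
    if not policy.get("grantControls") and not policy.get("sessionControls"):
        problems.append("policy has neither grant nor session controls")
    blocks = "block" in (policy.get("grantControls") or {}).get("builtInControls", [])
    if blocks and policy["state"] == "enabled" and users.get("includeUsers") == ["All"]:
        problems.append("block for All users set to enabled; confirm it ran in report-only first")
    return problems


def all_policies() -> List[Dict]:
    return [block_legacy_auth(), require_managed_device(),
            token_protection_for_admins(), admin_session_limits()]


if __name__ == "__main__":
    for policy in all_policies():
        assert not lint(policy), lint(policy)
        print(json.dumps(policy, indent=2))
```

Every policy starts in report-only state; review the sign-in log's report-only results for a week or two, then switch to enabled one policy at a time, keeping the break-glass group excluded throughout.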

6. Continuous Access Evaluation (CAE)

CAE lets CAE-capable services (Exchange Online, SharePoint Online, Teams and Microsoft Graph, used from CAE-aware clients) cut off a session in near real time instead of waiting for the access token to expire. Revocation is triggered when:

  • Password is changed or reset
  • Account is disabled, or an administrator revokes the user's sessions
  • Entra ID Protection raises the user's risk level

This kills attacker sessions within minutes. The caveat: a client or service that is not CAE-capable keeps honouring an access token until it expires, so after a suspected AiTM compromise revoke sign-in sessions and reset the password together, and do not assume the attacker is out until every non-CAE token lifetime has elapsed.

7. Strong OAuth / App Consent Governance

Attackers frequently turn a hijacked session into persistence by consenting to a malicious OAuth app. The app holds its own grant, so killing the stolen session does not remove it; the grant has to be found and revoked separately.

Recommended:

  • Block user consent to apps, or allow it only for verified publishers and low-impact permissions
  • Enable the admin consent workflow so requests are reviewed instead of silently blocked
  • Keep risk-based step-up consent enabled
  • Audit OAuth permissions monthly, and treat unverified apps holding mail, file or directory write permissions as incidents until explained

8. Microsoft Defender for Office 365 Anti-Phishing

Enable:

  • Domain impersonation protection
  • User impersonation protection
  • Mailbox intelligence
  • Safe Links
  • Safe Attachments

This helps reduce the initial AiTM phishing success rate.

How Huntress Helps Stop AiTM

Huntress provides detection and remediation once an account is compromised, even when MFA is bypassed.

Behavior-based detection:

  • Impossible travel
  • Anomalous logins
  • Suspicious OAuth grants
  • Inbox forwarding rules
  • Mass file operations
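The three detections below are an added example, not Huntress code and not from this page, showing the shape of the logic behind three of the signals listed above and the OAuth-grant review recommended in section 7: impossible travel between consecutive sign-ins, inbox rules that forward externally or hide finance-themed mail, and app consents that combine broad mail or file permissions with an unverified publisher or a refresh token. All the events are constructed for the demo and their field names only loosely mirror Entra sign-in logs, Exchange inbox-rule records and app-consent audit entries; map them to your own sources before reusing the logic.

```python
"""Post-compromise detections over constructed sample events.

Added example; the records are made up and the field names loosely mirror Entra sign-in
logs, Exchange inbox rules and app-consent audit entries rather than any exact schema.
"""
import math
from datetime import datetime
from typing import Dict, List, Tuple

INTERNAL_DOMAINS = {"example.com"}                      # assumed tenant domain
FRAUD_KEYWORDS = {"invoice", "payment", "wire", "remittance", "password"}
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                    "Files.ReadWrite.All", "Directory.ReadWrite.All", "MailboxSettings.ReadWrite"}

# Constructed sign-ins: (user, UTC timestamp, latitude, longitude, source IP)
SIGNINS = [
    ("alice@example.com", "2024-03-04T08:02:00Z", 26.37, -80.13, "203.0.113.10"),  # Boca Raton
    ("alice@example.com", "2024-03-04T08:31:00Z", 52.52, 13.40, "198.51.100.7"),   # Berlin, 29 min later
    ("bob@example.com",   "2024-03-04T09:00:00Z", 26.37, -80.13, "203.0.113.10"),
    ("bob@example.com",   "2024-03-04T17:00:00Z", 40.71, -74.01, "192.0.2.5"),     # New York, 8 h later
]

# Constructed inbox rules as an admin would see them after the compromise
INBOX_RULES = [
    {"user": "alice@example.com", "name": "..", "forwardTo": ["drop@example.net"],
     "deleteMessage": True, "subjectContains": ["invoice", "payment"]},
    {"user": "bob@example.com", "name": "Newsletters", "forwardTo": [],
     "deleteMessage": False, "subjectContains": ["newsletter"]},
]

# Constructed app-consent records
CONSENTS = [
    {"user": "alice@example.com", "app": "Mail Sync Helper", "publisherVerified": False,
     "scopes": ["Mail.ReadWrite", "offline_access", "User.Read"]},
    {"user": "bob@example.com", "app": "Microsoft Teams", "publisherVerified": True,
     "scopes": ["User.Read"]},
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(signins, max_kmh: float = 900.0) -> List[Tuple[str, str, str, int]]:
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh
    (roughly airliner speed). Returns (user, ip_before, ip_after, km/h)."""
    by_user: Dict[str, list] = {}
    for user, ts, lat, lon, ip in sorted(signins, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_user.setdefault(user, []).append((t, lat, lon, ip))
    hits = []
    for user, events in by_user.items():
        for (t1, la1, lo1, ip1), (t2, la2, lo2, ip2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            if hours <= 0:
                continue
            kmh = haversine_km(la1, lo1, la2, lo2) / hours
            if kmh > max_kmh:
                hits.append((user, ip1, ip2, round(kmh)))
    return hits


def suspicious_inbox_rules(rules) -> List[Tuple[str, List[str]]]:
    """Flag rules that forward outside the tenant, delete finance-themed mail, or carry a
    throwaway name (attackers commonly use '.', ',' or '..')."""
    out = []
    for rule in rules:
        reasons = []
        external = [a for a in rule.get("forwardTo", []) if a.split("@")[-1].lower() not in INTERNAL_DOMAINS]
        if external:
            reasons.append(f"forwards to external address {external}")
        keywords = {k.lower() for k in rule.get("subjectContains", [])} & FRAUD_KEYWORDS
        if keywords and rule.get("deleteMessage"):
            reasons.append(f"deletes mail matching {sorted(keywords)}")
        if not rule.get("name", "").strip(".,;:-_ "):
            reasons.append("throwaway rule name")
        if reasons:
            out.append((rule["user"], reasons))
    return out


def risky_consents(consents) -> List[Tuple[str, str, List[str]]]:
    """Flag consents holding high-risk scopes from an unverified publisher, or combined with
    offline_access (a refresh token, i.e. persistence that outlives session revocation)."""
    out = []
    for c in consents:
        risky = sorted(set(c["scopes"]) & HIGH_RISK_SCOPES)
        if risky and (not c["publisherVerified"] or "offline_access" in c["scopes"]):
            out.append((c["user"], c["app"], risky))
    return out


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SIGNINS))
    print("inbox rules:", suspicious_inbox_rules(INBOX_RULES))
    print("oauth consents:", risky_consents(CONSENTS))
```

On the sample data alice trips all three detectors (Boca Raton to Berlin in 29 minutes, an externally forwarding rule named ".." that deletes invoice mail, and an unverified app with Mail.ReadWrite plus offline_access), while bob's New York trip eight hours later, his newsletter rule and his Teams consent stay quiet. The speed threshold is deliberately generous; VPN exits and mobile carrier geolocation produce false positives at lower values.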

Human-led threat hunting:

Huntress Human-Led Threat Hunting combines automated endpoint monitoring with real security analysts who investigate suspicious activity to identify real threats and reduce false positives.

Automated remediation:

  • Disable compromised accounts
  • Kill active sessions
  • Remove malicious inbox rules
  • Revoke OAuth tokens

This dramatically limits dwell time and damage.

How ThreatLocker Helps Stop AiTM

ThreatLocker prevents attackers from exploiting a Microsoft 365 account compromise to gain full system access.

Ringfencing™

Restricts what apps can do or talk to — blocking malicious scripts, remote shells, or command-and-control communication.

Zero-Trust Application Control

Zero-Trust Application Control only allows approved apps to run on endpoints, preventing malware execution even if it is sent through a hijacked account.

Storage Control

Prevents unauthorized data access or exfiltration.

Blocks Lateral Movement

Even with a stolen cloud session, the attacker cannot expand deeper into the environment.

Why Microsoft 365 + Huntress + ThreatLocker Is the Best Defense

AiTM requires layered protection:

  Attack Phase      | Microsoft 365             | Huntress            | ThreatLocker
  Phishing email    | Defender for Office 365   | Behavior detection  | Blocks payloads
  MFA bypass        | Token protection          | Detection           | N/A
  Session hijack    | CAE, sign-in policies     | Human review        | Stops scripts/pivots
  Persistence       | OAuth controls            | Auto-remediation    | Blocks tools
  Lateral movement  | Device policies           | Detection           | Prevented
  Ransomware        | N/A                       | N/A                 | Blocked

Together, they stop AiTM at every meaningful stage.

How Byte Solutions Helps Your Business Stop AiTM Attacks

Byte Solutions is a 24×7×365 South Florida IT management service provider with a national presence, delivering boutique, outcomes‑driven cybersecurity and Microsoft 365 expertise. Our helpdesk provides a consistent team that knows your people and systems, backed by an extensive SOC/NOC capability and industry certifications — so you receive a rapid, coordinated response when it matters.

What Byte Solutions Delivers

1. Hardening & Governance (Microsoft 365 AiTM)

  • Conditional Access token protection design and rollout.
  • Phish‑resistant MFA (FIDO2 security keys, passkeys, Windows Hello for Business) enforced through Conditional Access authentication strengths, with Microsoft Authenticator number matching as the interim fallback.
  • “Compliant/Managed device required” access policies and legacy authentication blocking.
  • Consent‑phishing protection and monthly app reviews.
  • Continuous Access Evaluation (CAE) enablement and session‑lifetime controls.
  • Convert guidance into tenant-ready policies and document the decisions for audit purposes.

2. Detection & Response (Huntress + Microsoft 365)

  • Byte Solutions provides behavioral detection for impossible travel, inbox rule abuse, mass file access, and abnormal OAuth grants.
  • Human‑led threat hunting to reduce false positives.
  • Automated remediation, such as kill sessions, disable accounts, remove rules, and revoke tokens.
  • Fast, validated action when sessions are hijacked.

3. Endpoint Containment (ThreatLocker)

  • Ringfencing™ to restrict what apps can execute or communicate.
  • Zero‑Trust application control to block unapproved tools and malware
  • Storage control to prevent unauthorized data access and exfiltration
  • This prevents attackers from exploiting a cloud account compromise to facilitate lateral movement or ransomware.

4. Awareness & Prevention

  • Byte Solutions provides executive and domain impersonation protections through Defender for Office 365.
  • Safe Links / Safe Attachments, curated allow/deny processes, and quarantine review workflows
  • We run targeted phishing simulations, just‑in‑time micro‑trainers, and leadership briefings to keep your employees up to date on how to avoid phishing scams and help keep your company safe.
  • Our team handles the operational hygiene of your business systems, including monitoring, updates, backups, and recovery, which supports sustainable security.

5. Evidence & Compliance

  • Byte Solutions offers policy mapping that complies with CIS and Essential Eight standards. This policy mapping includes documented change logs, consent records, and clear timelines for remediation.
  • Byte Solutions also provides executive-level reporting that quantifies reduced exposure, faster threat containment, and a measurable incident record for your company.
  • We also provide support for industry-recognized frameworks used by small to mid-size businesses in the healthcare, financial, and legal sectors, located in South Florida and beyond.

Why Choose Byte Solutions

  • Boutique, choose‑only‑what‑you‑need approach. You are never forced into unnecessary bundles.
  • Byte Solutions offers proactive monitoring and rapid response from certified engineers, as well as a virtual CIO.
  • We provide a business continuity mindset, including backup and recovery, colocation options, and physical and cyber security controls.
  • Byte Solutions has both local and national reach, with a mature operational backbone and a customer-first culture. 

Get Started with Byte Solutions

  • Schedule a Microsoft 365 AiTM Readiness Assessment.
  • Request an implementation plan for Conditional Access, token protection, OAuth governance, and endpoint containment.
  • Book a security strategy session with our engineering pod.

Contact Byte Solutions Now:

  • Website: bytesolutions.com
  • Phone: (561) 556‑2000
  • Email: info@bytesolutions.com
  • Office: 20283 State Road 7, Suite 501, Boca Raton, FL 33498

Final Thoughts

AiTM attacks bypass traditional defenses and continue to rise across Microsoft 365 tenants. However, with the correct Microsoft 365 security controls, combined with Huntress for detection and ThreatLocker for containment, organizations can significantly reduce their exposure.

Don’t wait until a vulnerability becomes a breach. Contact us at Byte Solutions to schedule a network security assessment today.
