AiTM / Phishing Kit Attack Chain
AiTM kits bypass MFA by stealing session tokens - the same chokepoints regardless of kit or lure.
Same stages, different tools. Each stage is an unavoidable prerequisite - the underlying chokepoints don't change. Detect the prerequisite; catch any actor.
TTP Overlap Across Groups
Technique cards with actor dots. Orange border = used by all actors. Click actors to filter; a cyan glow marks techniques shared by every selected actor.
Chokepoint Opportunities by Stage
Invariant prerequisite per stage, top signals, and links to the full chokepoint analysis.
Victim clicks a link or opens an attachment that initiates an authentication flow to an attacker-controlled endpoint
- Link to newly registered domain (<30 days) delivered via email or Teams message
- Redirect chain ending at a lookalike Microsoft / Google login page
- Device code authentication request from unexpected IP or user-agent
- Browser navigating to domain mimicking login.microsoftonline.com or accounts.google.com
Active session passes through adversary-controlled infrastructure OR device code is presented to victim
- MFA prompt satisfied from IP that issued no prior authentication request to IdP
- Authentication token issued to a domain that is not a registered app redirect URI
- TLS certificate on login page issued to non-Microsoft/Google CA for IdP lookalike domain
- Concurrent authentication sessions for same account from two geographically distinct IPs
Session token or OAuth access/refresh token extracted before or after MFA completion
- Session cookie replayed from IP different from original authentication IP
- OAuth refresh token exchange from unfamiliar device fingerprint or user-agent
- Access token issued for broad Microsoft Graph scopes (Mail.Read, Files.ReadWrite) to unrecognized app
- Device code token grant without matching device registration in Entra ID
Token replayed from unfamiliar IP/device without triggering re-authentication challenge
- Impossible travel: session re-used from country different from prior authentication within minutes
- Sign-in from new ASN or hosting provider with no prior user activity
- CAE (Continuous Access Evaluation) token re-use after IP change without re-authentication
- First-time access to sensitive mailbox folders (e.g., Sent Items, Inbox search) from session token
Attacker holds an authenticated session with sufficient privilege to modify account configuration
- New OAuth application consent granted with Mail.Read or Files.ReadWrite permissions
- Inbox rule created to forward or delete mail containing keywords (invoice, payment, wire)
- New device registered to Entra ID from unfamiliar IP immediately after session token use
- Admin role assigned to recently-created or newly-compromised account
- Service principal credential added outside normal provisioning workflow
Actor Convergence Matrix 5 actors tracked
Different tools, different operators - same chokepoints. Bottom row: the invariant your detections must cover.
| Actor | Lure Delivery | Proxy Interception | Token Harvest | Account Takeover | Persistence & Objectives |
|---|---|---|---|---|---|
| Tycoon 2FA Active |
Mass-phishing email with O365 / M365 login lure link; targets org domains at scale | JavaScript-heavy Cloudflare-fronted reverse proxy relays real Microsoft IdP | Captures session cookie in real time; strips MFA token from relay stream | Replays harvested cookie from attacker infrastructure; no re-auth required | Inbox forwarding rules; OAuth app consent for persistent mail access |
| Evilginx Active |
Targeted spearphishing link; operator configures phishlet per IdP target | Open-source Go-based reverse proxy; intercepts full session including MFA | Extracts session cookies and tokens from proxied responses via phishlets | Exports cookie for direct browser import; used by operator in targeted campaigns | Operator-driven post-access: OAuth consent, new credentials, lateral phishing |
| EvilProxy Active |
Phishing-as-a-service platform; delivers links via email or Telegram bot | Commercial reverse proxy service; supports Microsoft, Google, Apple IdPs | Real-time cookie interception; dashboard shows captured tokens per campaign | Automated token replay; BEC-focused buyer use cases | Email hiding rules; exfiltration of financial email content for BEC fraud |
| Sneaky 2FA Active |
Phishing kit with dark-themed Microsoft 365 lure pages; targets enterprise users | Kit-based AiTM with partial relay approach. Less automated than EvilProxy. | Session cookie capture from proxied Microsoft authentication flow | Manual or semi-automated token replay; operator-controlled timing | Inbox rules for BEC follow-on; selective data access for financial fraud |
| Device Code Flow Active |
Email delivers device code with social engineering (IT helpdesk, Teams invite) | No reverse proxy. Victim authenticates to real IdP. Device code polling captures the token. | OAuth refresh token obtained via device authorization grant; long-lived access | Refresh token used for persistent API-level access to M365 Graph endpoints | Service principal or app registration with delegated permissions; sustained access |
| The Chokepoint | Victim clicks a link or opens an attachment that initiates an authentication flow to an attacker-controlled endpoint | Active session passes through adversary-controlled infrastructure OR device code is presented to victim | Session token or OAuth access/refresh token extracted before or after MFA completion | Token replayed from unfamiliar IP/device without triggering re-authentication challenge | Attacker holds an authenticated session with sufficient privilege to modify account configuration |
Analysis & References
Research Methodology
Source: Kitsune pipeline over ORKL + vendor reports - 11 reports / 5 AiTM kit families. Convergent techniques only.
Related Attack Chains
- Infostealers - Harvested credentials are often used as AiTM lure pre-text
- Ransomware - AiTM-compromised accounts are sold to ransomware initial access brokers