AiTM / Phishing Kit Attack Chain

How adversary-in-the-middle phishing kits bypass MFA by stealing session tokens, not credentials, regardless of kit vendor or delivery lure.

Last updated: 2026-04-14

The Chokepoint Convergence Principle

Every actor in the matrix below follows the same sequence of stages. They must, because each stage reflects an unavoidable prerequisite condition. Their tools, loaders, and C2 infrastructure change constantly. The underlying chokepoints do not. Detect the prerequisite; catch any actor.

TTP Overlap Across Groups

Each entry below is a MITRE ATT&CK technique, grouped by the attack-chain stage at which it is used. In the interactive view, dots indicate which groups or families use a technique and an orange border marks the universal chokepoints used by every tracked actor.

Infrastructure Setup
  Acquire Infrastructure: Domains (T1583.001)
Lure Delivery
  Phishing (T1566)
  Spearphishing Attachment (T1566.001)
  Spearphishing Link (T1566.002)
  Phishing for Information: Spearphishing Link (T1598.003)
Proxy Interception
  Adversary-in-the-Middle (T1557)
Token Harvest
  Steal Application Access Token (T1528)
  Steal Web Session Cookie (T1539)
Account Takeover
  Valid Accounts (T1078)
  Valid Accounts: Cloud Accounts (T1078.004)
Defense Evasion
  Obfuscated Files or Information (T1027)
Exfiltration
  Exfiltration Over C2 Channel (T1041)

Chokepoint Opportunities by Stage

Each stage below states the invariant prerequisite an attacker must satisfy at that stage and the top detection signals for it.

1 Lure Delivery
Chokepoint

Victim clicks a link or opens an attachment that initiates an authentication flow to an attacker-controlled endpoint

Detection Signals
  • Link to newly registered domain (<30 days) delivered via email or Teams message
  • Redirect chain ending at a lookalike Microsoft / Google login page
  • Device code authentication request from unexpected IP or user-agent
  • Browser navigating to domain mimicking login.microsoftonline.com or accounts.google.com
2 Proxy Interception
Chokepoint

Active session passes through adversary-controlled infrastructure OR device code is presented to victim

Detection Signals
  • Interactive sign-in completing MFA from an IP/ASN with no prior history for the user (the IdP sees the proxy's address, not the victim's network)
  • Authentication token issued to a domain that is not a registered app redirect URI
  • TLS certificate for an IdP lookalike domain issued by a CA the real IdP does not use (typically a free, automated-issuance certificate)
  • Concurrent authentication sessions for same account from two geographically distinct IPs
3 Token Harvest
Chokepoint

Session token or OAuth access/refresh token extracted before or after MFA completion

Detection Signals
  • Session cookie replayed from IP different from original authentication IP
  • OAuth refresh token exchange from unfamiliar device fingerprint or user-agent
  • Access token issued for broad Microsoft Graph scopes (Mail.Read, Files.ReadWrite) to unrecognized app
  • Device code sign-in (authenticationProtocol = deviceCode in Entra ID sign-in logs) for a user or device with no history of that flow
4 Account Takeover
Chokepoint

Token replayed from unfamiliar IP/device without triggering re-authentication challenge

Detection Signals
  • Impossible travel: session re-used from country different from prior authentication within minutes
  • Sign-in from new ASN or hosting provider with no prior user activity
  • Token still accepted after an IP change that should have triggered a Conditional Access / CAE (Continuous Access Evaluation) re-evaluation (client not CAE-capable, or no location policy in force)
  • First-time access to sensitive mailbox folders (e.g., Sent Items, Inbox search) from session token
5 Persistence & Objectives
Chokepoint

Attacker holds an authenticated session with sufficient privilege to modify account configuration

Detection Signals
  • New OAuth application consent granted with Mail.Read or Files.ReadWrite permissions
  • Inbox rule created to forward or delete mail containing keywords (invoice, payment, wire)
  • New device registered to Entra ID from unfamiliar IP immediately after session token use
  • Admin role assigned to recently-created or newly-compromised account
  • Service principal credential added outside normal provisioning workflow
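As an added example (not part of the original page or any vendor's tooling), the following Python runs three of the signals listed above over constructed data: token replay after an MFA-satisfied sign-in (stages 3 and 4), device code grants for users who never use that flow (stages 2 and 3, device code variant), and BEC-style inbox rules (stage 5). Field names follow the Entra ID sign-in log schema (isInteractive, authenticationRequirement, authenticationProtocol) and the Microsoft Graph messageRule shape, but every user, IP, ASN, timestamp, rule and threshold is invented for the example; in production the records would come from Graph, Sentinel or your SIEM.

```python
"""Three of the chokepoint signals above, run over constructed Entra-style
sign-in records and Graph-style inbox rules (all sample data is invented)."""
from datetime import datetime, timedelta

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed sign-ins. Keys mirror Entra sign-in log fields: isInteractive,
# authenticationRequirement ("auth"), authenticationProtocol ("protocol").
SIGNINS = [
    # alice: interactive MFA sign-in that the IdP sees arriving from the proxy...
    {"user": "alice@example.com", "time": "2026-04-14T09:00:00Z", "ip": "203.0.113.10",
     "country": "NL", "asn": "AS13335", "interactive": True,
     "auth": "multiFactorAuthentication", "protocol": "none"},
    # ...then the harvested cookie replayed from other infrastructure 7 minutes later.
    {"user": "alice@example.com", "time": "2026-04-14T09:07:00Z", "ip": "198.51.100.7",
     "country": "US", "asn": "AS16509", "interactive": False,
     "auth": "multiFactorAuthentication", "protocol": "none"},
    # bob: benign, token use from the same network as the interactive sign-in.
    {"user": "bob@example.com", "time": "2026-04-14T09:10:00Z", "ip": "192.0.2.5",
     "country": "GB", "asn": "AS2856", "interactive": True,
     "auth": "multiFactorAuthentication", "protocol": "none"},
    {"user": "bob@example.com", "time": "2026-04-14T09:12:00Z", "ip": "192.0.2.5",
     "country": "GB", "asn": "AS2856", "interactive": False,
     "auth": "multiFactorAuthentication", "protocol": "none"},
    # carol: device code grant for a user who never uses that flow.
    {"user": "carol@example.com", "time": "2026-04-14T09:20:00Z", "ip": "192.0.2.9",
     "country": "GB", "asn": "AS2856", "interactive": True,
     "auth": "multiFactorAuthentication", "protocol": "deviceCode"},
]

def token_replay_candidates(signins, window=timedelta(minutes=60)):
    """Stages 3-4: non-interactive token use within `window` of the user's last
    MFA-satisfied interactive sign-in, from a different IP *and* ASN. Both must
    differ so that NAT pool rotation inside one network does not fire it."""
    hits, last_mfa = [], {}
    for e in sorted(signins, key=lambda s: s["time"]):   # ISO timestamps sort lexically
        if e["interactive"]:
            if e["auth"] == "multiFactorAuthentication":
                last_mfa[e["user"]] = e
            continue
        anchor = last_mfa.get(e["user"])
        if anchor is None:
            continue
        delta = _ts(e["time"]) - _ts(anchor["time"])
        if delta > window or e["ip"] == anchor["ip"] or e["asn"] == anchor["asn"]:
            continue
        hits.append({"user": e["user"], "auth_ip": anchor["ip"], "replay_ip": e["ip"],
                     "minutes": int(delta.total_seconds() // 60),
                     "country_change": e["country"] != anchor["country"]})
    return hits

def device_code_signins(signins, baseline_users=frozenset()):
    """Stages 2-3 (device code variant): any deviceCode grant for a user outside
    the set of users known to use that flow legitimately."""
    return sorted({e["user"] for e in signins
                   if e["protocol"] == "deviceCode" and e["user"] not in baseline_users})

FINANCE_KEYWORDS = ("invoice", "payment", "wire", "remittance")

# Constructed inbox rules in the shape of Graph messageRule objects.
RULES = [
    {"user": "alice@example.com", "displayName": ".",
     "conditions": {"bodyOrSubjectContains": ["invoice", "wire"]},
     "actions": {"delete": True}},
    {"user": "alice@example.com", "displayName": "archive",
     "conditions": {"bodyOrSubjectContains": ["payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "ops@example.net"}}]}},
    {"user": "bob@example.com", "displayName": "newsletters",
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters"}},
]

def bec_rule_flags(rules, internal_domain="example.com"):
    """Stage 5: rules that forward outside the tenant, or that delete / move mail
    matching financial keywords (the hide-the-conversation pattern used for BEC)."""
    flagged = []
    for r in rules:
        cond, act = r.get("conditions", {}), r.get("actions", {})
        keywords = [k.lower() for k in
                    cond.get("bodyOrSubjectContains", []) + cond.get("subjectContains", [])]
        financial = any(w in k for k in keywords for w in FINANCE_KEYWORDS)
        targets = act.get("forwardTo", []) + act.get("redirectTo", [])
        external = any(not t["emailAddress"]["address"].lower().endswith("@" + internal_domain)
                       for t in targets)
        hides = bool(act.get("delete")) or "moveToFolder" in act
        if external or (financial and hides):
            flagged.append((r["user"], r["displayName"]))
    return flagged

if __name__ == "__main__":
    print(token_replay_candidates(SIGNINS))
    print(device_code_signins(SIGNINS, {"bob@example.com"}))
    print(bec_rule_flags(RULES))
```

The replay check deliberately requires both IP and ASN to change: a different IP inside the same ASN is usually the victim's own NAT pool or VPN rotating, while a different ASN minutes after an MFA-satisfied sign-in is the classic AiTM pattern of cookie replay from attacker hosting. The device code baseline is a hypothetical allow-list; in practice it would be built from historical sign-ins for the CLI and IoT clients that legitimately use that grant.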

Actor Convergence Matrix (5 actors tracked)

Different tools. Different operators. Same chokepoints. The final row, The Chokepoint, states the invariant prerequisite condition your detections must cover, regardless of which actor you're facing.

Tycoon 2FA (Active)
  Lure Delivery: Mass-phishing email with an O365 / M365 login lure link; targets org domains at scale
  Proxy Interception: JavaScript-heavy, Cloudflare-fronted reverse proxy relays to the real Microsoft IdP
  Token Harvest: Captures the session cookie in real time as the relay passes it back, after MFA has already been satisfied
  Account Takeover: Replays the harvested cookie from attacker infrastructure; no re-authentication required
  Persistence & Objectives: Inbox forwarding rules; OAuth app consent for persistent mail access

Evilginx (Active)
  Lure Delivery: Targeted spearphishing link; operator configures a phishlet per target IdP
  Proxy Interception: Open-source, Go-based reverse proxy; intercepts the full session including MFA
  Token Harvest: Extracts session cookies and tokens from proxied responses as defined by the phishlet
  Account Takeover: Exports the cookie for direct browser import; used by operators in targeted campaigns
  Persistence & Objectives: Operator-driven post-access: OAuth consent, new credentials, lateral phishing

EvilProxy (Active)
  Lure Delivery: Phishing-as-a-service platform; delivers links via email or a Telegram bot
  Proxy Interception: Commercial reverse-proxy service; supports Microsoft, Google and Apple IdPs
  Token Harvest: Real-time cookie interception; dashboard shows captured tokens per campaign
  Account Takeover: Automated token replay; BEC-focused buyer use cases
  Persistence & Objectives: Email-hiding rules; exfiltration of financial email content for BEC fraud

Sneaky 2FA (Active)
  Lure Delivery: Phishing kit with dark-themed Microsoft 365 lure pages; targets enterprise users
  Proxy Interception: Kit-based AiTM with a partial relay approach; less automated than EvilProxy
  Token Harvest: Session cookie capture from the proxied Microsoft authentication flow
  Account Takeover: Manual or semi-automated token replay; operator-controlled timing
  Persistence & Objectives: Inbox rules for BEC follow-on; selective data access for financial fraud

Device Code Flow (Active)
  Lure Delivery: Email delivers a device code with social engineering (IT helpdesk, Teams invite)
  Proxy Interception: No reverse proxy; the victim authenticates to the real IdP and the attacker's polling of the token endpoint captures the token
  Token Harvest: OAuth refresh token obtained via the device authorization grant; long-lived access
  Account Takeover: Refresh token used for persistent API-level access to M365 Graph endpoints
  Persistence & Objectives: Service principal or app registration with delegated permissions; sustained access

The Chokepoint (invariant across all actors)
  Lure Delivery: Victim clicks a link or opens an attachment that initiates an authentication flow to an attacker-controlled endpoint
  Proxy Interception: Active session passes through adversary-controlled infrastructure OR device code is presented to victim
  Token Harvest: Session token or OAuth access/refresh token extracted before or after MFA completion
  Account Takeover: Token replayed from unfamiliar IP/device without triggering re-authentication challenge
  Persistence & Objectives: Attacker holds an authenticated session with sufficient privilege to modify account configuration

Research Methodology

Procedure-level data in this attack chain was extracted and corroborated using Kitsune, an AI-driven threat intelligence pipeline. 11 vendor and government reports were analyzed across 5 AiTM kit families, with cross-report corroboration used to validate convergence patterns. Reports were sourced from ORKL and direct vendor publications including Microsoft Threat Intelligence, Sekoia, Proofpoint, Volexity, ANY.RUN, Resecurity, and Silent Push. Only techniques observed in two or more kits appear in the TTP diagram above. Kit-specific procedures are recorded in the source data but filtered from the convergence view.

Related attack chains

  • Infostealers - Harvested credentials are often used as AiTM lure pre-text
  • Ransomware - AiTM-compromised accounts are sold to ransomware initial access brokers