What is an Adversary-In-The-Middle (AiTM) Phishing Attack?

Javed Shah

Modern hacks are getting more and more sophisticated, and this reality includes the rise of advanced phishing attacks.

Why are adversary-in-the-middle attacks dangerous? They are phishing attacks that can bypass MFA security to steal user credentials and system access.

What Is an Adversary-in-The-Middle Attack?

An Adversary-in-The-Middle (AiTM) attack is a sophisticated form of hacking that allows fraudsters to inject themselves into network communications to steal credentials, forge or copy encryption and identity verification keys, and launch further attacks to steal data or money.

The entire structure of a functional AiTM attack is comprised of a few key components, common hacks that are combined into a more extensive process:


Like many hacks, AiTM starts with phishing. Common phishing attacks typically involve the sender attempting to gain credentials from the receiver so the hacker can use them to attack the system.

In AiTM attacks, however, the phishing email will falsely look like they originate from a legitimate organization, up to and including the organization the recipient works for. Within the email will be linked (often embedded into HTML elements like buttons) that will connect to a proxy website.

The text of the email will typically contain some warning or emergency message claiming that there was an accounting error or that the IT department needs to verify credentials–namely, anything that might get the recipient to click one of the links.

Man-in-The-Middle Attacks (MiTM)

Once the user clicks on the link, they are directed to one or more redirector pages and, finally, to the AiTM phishing website.

At this point, the attack branches from strict phishing strategies into MiTM tactics.

These attacks are so insidious that the user is not directed to a false page where they are asked to enter credentials. Instead, they are routed to a proxy server inserted in the middle of the transaction.

At this point, the hacker not only gets login credentials from the users. They get session information as well.

Transport Layer Security

When we connect to almost every website on the Internet, there’s some security in place. We’ve all learned how to check that a site uses HTTPS security to ensure that web traffic between you and that server is encrypted–this is the backbone of modern online browsing and commerce.

What’s important to note is that such security works through Transport Layer Security (TLS), one of the primary encryption standards for in-transit data obfuscation. TLS uses certificates where an organization provides information to a certificate authority (CA) that issues a certificate that functions as a public key. This certificate facilitates a public key encryption schema that hides data as it is transmitted between parties while assuring consumers that the website is legitimate.

As part of that process, TLS generates a cookie on the user’s side that serves as a session token for that particular visit. So, when you log into a site using TLS, a cookie will be generated to move through secured pages without continually having to authenticate yourself.

AiTM attacks place themselves in the middle of this process. Once a user responds to a phishing email and logs into a phishing site, the attacker not only takes those credentials but also generates and copies these session cookies. At this point, they can use the credentials and the cookies to communicate with the original organization’s servers and services as that user.

Breaking This Process Down

That was a bit complex, so let’s simplify:

  1. The hacker sends a phishing email to the user for a site they most likely use, like a business account or bank.
  2. The user clicks on a link in the email and is routed to a phishing server posing as the organization in the email.
  3. This server accepts user credentials and creates a TLS session cookie based on the user’s browser and identity.
  4. The hacker uses those credentials to log in to the secure site.

The implications of this kind of attack are significant. Most importantly, with the information gathered from the MiTM server, hackers can bypass several types of multi-factor authentication and assurance mechanisms.

This kind of attack can be used to integrate the attacker into critical enterprise systems like business email or cloud environments, which means more attacks and more sophisticated Business Email Compromise (BEC) scams.

How Can I Prevent Adversary-in-The-Middle Attacks?

This complex and effective hacking form can seem like an impossible challenge. If a hacker can bypass MFA, what else can be done to stop them?

The solution lies in more comprehensive and integrated authentication security coordinated across multiple attack vectors. These security measures should include, at a minimum:

  • Strong Anti-Phishing Policies: Any solid authentication security starts by educating individuals about the dangers they face. And it’s sad to say that there is a reason that phishing is one of the most popular and effective ways to attack these systems. It’s non-negotiable to train your employees on phishing strategies, including how to identify phishing emails and avoid them.                                                                       
    Additionally, implement email and messaging controls to warn against phishing. For example, it’s relatively simple to deploy in-message warning banners for any email from outside your domain.
  • System Monitoring and Auto-Access Revocation: Prevention involves monitoring systems for potential breaches. Modern security tools like CISO dashboards, logging utilities, and Security and Information and Event Management (SIEM) suites make monitoring strange behavior feasible.                                       
    Alongside monitoring, you should have a trip switch that you can use to revoke access rights for any account at any time. If any account is compromised, you must have the power to turn off that account, or any number of accounts, within minutes.
  • Utilize FIDO 2.0 Authentication: FIDO 2.0 includes several new features for authentication that can mitigate anti-MFA attacks like AiTM. For example, FIDO uses WebAuthn to implement methods to ensure a website is who they claim to be, which can stop website phishing attacks dead in their tracks.
  • Utilize Conditional Access Policies: More advanced access policies can be implemented in the network’s configuration, including who and what a user can access with their machine. Setting conditional policies against connecting to sites that don’t meet client standards or don’t fall into a specific list of domains can cut off AiTM phishing attacks.

Bolster Security Against Adversary-in-The-Middle Attacks with 1Kosmos

With attacks like these, it can seem impossible to cover every hole and gap effectively. But this isn’t the case. You can cover your bases against phishing, man-in-the-middle, and BEC attacks with the right technologies and policies.

1Kosmos BlockID is the foundation of that solution. 1Kosmos BlockID is a passwordless authentication solution that works with FIDO version 2.0 and complies with NIST Identity Assurance Level (IAL2) requirements. All this is on top of secure, passwordless authentication built on private blockchain technology that supports easy onboarding for employees.

With 1Kosmos, you get the following features:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.

Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

Discover how your business can strengthen its anti-phishing and identity security systems with 1Kosmos BlockID Workforce. Also, sign up for our newsletter for updates on products and services.

FIDO2 Authentication with 1Kosmos
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.