Why MFA Alone Is Not Enough to Stop Modern Phishing
Ikram Massabini
June 18, 2026
Most businesses understand why multi-factor authentication matters. A password by itself is too easy to steal, guess, reuse, or buy online.
But modern phishing has moved past simply collecting passwords.
Adversary-in-the-Middle attacks, often called AiTM attacks, target the login session itself. The user clicks a link, signs in, completes MFA, and thinks everything is fine. In the background, the attacker is capturing the authenticated session that gets created after login.
That is what makes these attacks dangerous. The attacker is not necessarily breaking MFA. They are waiting until MFA succeeds, then stealing the session token that proves the user has already been verified.
How AiTM Phishing Works
A traditional phishing page is usually a fake login screen designed to collect credentials. AiTM phishing is more advanced.
Instead of showing a static fake page, the attacker uses a live proxy between the user and the real service. The user believes they are signing into Microsoft 365, Google Workspace, or another legitimate platform. The page behaves normally because the attacker is relaying the login process in real time.
The user enters credentials. The real service sends the MFA prompt. The user approves it. Then the platform issues a session cookie, which tells the application the user has successfully authenticated.
That session cookie is what the attacker wants.
Once the attacker has it, they may be able to replay the session and access the account without needing the password or another MFA prompt.
Why Standard MFA Can Fall Short
MFA is still critical. It blocks a large amount of basic credential theft and should be enforced across every business account.
The problem is that standard MFA protects the login event. AiTM attacks target what happens after login.
Once a session is active, many cloud applications do not ask for MFA again unless a risk condition triggers it. If the attacker can steal the session token, they may be able to act as the legitimate user inside an already trusted session.
This is why MFA should be treated as a baseline, not a finish line.
Modern identity security also needs phishing-resistant authentication, tighter session policies, device trust, conditional access, and monitoring that can detect suspicious activity after the login occurs.
What Happens After a Session Is Stolen
AiTM attacks can be quiet.
Because the attacker is using a valid session, there may not be obvious failed login attempts or repeated MFA challenges. The activity can look normal at first, especially if monitoring is limited.
Once inside, attackers may create inbox rules, monitor email conversations, access files, change account settings, register new authentication methods, or use the trusted account to target other employees, clients, or vendors.
This is especially risky for finance, leadership, HR, and administrative accounts because those users often have access to sensitive communication and business-critical systems.
MFA Bypass Is a Growing Concern for Buffalo Organizations
For businesses across Buffalo and Western New York, this risk often shows up through everyday cloud accounts.
A user receives what looks like a routine Microsoft 365 notice, shared document alert, payroll message, or vendor communication. They click, sign in, approve MFA, and move on.
That normal behavior is exactly what AiTM phishing is designed to exploit.
This is not a user awareness issue alone. Training matters, but businesses also need technical controls that reduce the impact when someone makes a mistake.
How to Reduce AiTM Risk
Start by strengthening authentication. Where possible, move toward phishing-resistant MFA such as passkeys or FIDO2 security keys. These methods help bind authentication to the legitimate site, making proxy-based phishing much harder to complete.
Next, tighten conditional access policies. Require managed, compliant devices for sensitive systems. Add extra checks for risky locations, unusual behavior, or administrative actions. Shorten session lifetimes for privileged accounts and require re-authentication for high-risk activity.
Monitoring also matters. Watch for new inbox rules, unfamiliar MFA registrations, unusual file access, impossible travel, and activity that does not match the user’s normal behavior.
Finally, train employees to recognize that a working MFA prompt does not automatically mean a page is safe. The URL still matters. So does the context of the request.
Protect the Session, Not Just the Login
MFA is essential, but it is not the whole strategy.
AiTM phishing proves that attackers are not only trying to steal passwords anymore. They are trying to steal trust after authentication has already happened.
The businesses that reduce this risk are the ones that protect identity in layers. Strong MFA, trusted devices, conditional access, session controls, and monitoring all work together.
That is how you move from checking a security box to actually protecting the account.
Â