A growing category of phishing attacks can now bypass traditional multi-factor authentication in real time. These are not theoretical. They are actively being used against corporate and individual targets, and they work against SMS codes, authenticator apps, and push notifications. Understanding how they work is the first step toward defending against them.
How adversary-in-the-middle (AitM) attacks work
Traditional phishing creates a fake login page that captures your username and password. AitM phishing goes further: it acts as a real-time proxy between you and the legitimate website.
- You receive a phishing email with a link to what looks like a legitimate login page.
- The phishing page is actually a reverse proxy. When you enter your credentials, it forwards them to the real site in real time.
- The real site sends an MFA prompt (SMS code, authenticator code, push notification). You complete the MFA step normally.
- The proxy captures the authenticated session cookie/token from the real site's response.
- The attacker now has your valid session token. They can use it to access your account without needing your password or MFA again, until the session expires.
Tools making this accessible
What makes this particularly dangerous is that it has been industrialized. Open-source tools and phishing-as-a-service platforms have made AitM attacks accessible to attackers with minimal technical skill:
- Evilginx: An open-source framework that automates AitM phishing. It handles SSL certificates, captures credentials and session tokens, and can be deployed in minutes.
- Modlishka: Another reverse proxy tool designed for phishing that captures tokens in real time.
- Phishing-as-a-Service platforms: Criminal services that provide ready-made AitM kits targeting specific services (Microsoft 365, Google Workspace, banking sites).
What does NOT protect you
- SMS codes: The proxy captures and forwards them in real time.
- Authenticator app codes (TOTP): Same problem. The code is valid and gets used immediately by the proxy.
- Push notifications: You approve the push on your phone, thinking the login is legitimate. The proxy captures the resulting session.
- Being careful about passwords: The attack does not need you to make a password mistake. It captures the authenticated session after you do everything right.
What DOES protect you
Hardware security keys (FIDO2/WebAuthn)
Hardware keys like YubiKey and Google Titan Key are resistant to AitM attacks because they verify the domain of the website as part of the authentication protocol. When you insert or tap your security key, it checks that the domain matches the one it was registered with. A proxy on a different domain cannot pass this check, so the authentication fails.
This is not a theoretical advantage. It is the reason Google reported zero successful phishing attacks on its 85,000+ employees after mandating hardware keys company-wide.
Passkeys
Passkeys use the same FIDO2/WebAuthn protocol as hardware keys and inherit the same phishing resistance. They verify the website domain cryptographically, which means an AitM proxy cannot intercept the authentication.
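As an added illustration (not code from this article or from any FIDO project), the following Python model shows the origin binding that gives both hardware keys and passkeys their phishing resistance: the browser reports the real page origin, the key only releases a credential scoped to that origin's RP ID, and the site rejects any assertion whose origin or RP ID hash does not match. The domain names and challenge value are constructed, and the signature step is omitted.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed values: the genuine site's relying-party (RP) ID and the one
# credential the user's key holds, scoped to that RP ID at registration.
RP_ID = "login.example.com"
CREDENTIALS = {RP_ID: {"credential_id": b"\x01\x02\x03"}}


def authenticator_get_assertion(origin, challenge):
    """Model of browser + authenticator behaviour: the browser reports the
    page's actual origin, and the key will only use a credential scoped to
    that origin's RP ID. Returns (clientDataJSON, authenticatorData) or None."""
    rp_id = urlparse(origin).hostname
    if urlparse(origin).scheme != "https" or rp_id not in CREDENTIALS:
        return None  # no credential for this domain: the key refuses
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge,
                              "origin": origin}).encode()
    # authenticatorData begins with SHA-256(rpId); flags and counter follow
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x01"
    return client_data, auth_data


def relying_party_verify(client_data_json, auth_data, expected_challenge):
    """Server-side checks from the WebAuthn assertion procedure. The
    signature check is omitted here; in the real protocol it covers both
    inputs, so neither can be altered in transit by a proxy."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != expected_challenge:
        return False  # stale or replayed assertion
    if client_data.get("origin") != "https://" + RP_ID:
        return False  # assertion was created on some other site
    return auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()


def login_attempt(origin, challenge="constructed-challenge-1"):
    """Full round trip as the RP sees it; the origin is whatever page the
    user is really on, the genuine site or an AitM proxy's domain."""
    result = authenticator_get_assertion(origin, challenge)
    if result is None:
        return False
    return relying_party_verify(result[0], result[1], challenge)
```

A lookalike proxy domain fails at the first step because the key holds no credential for it, and an assertion relayed from any other origin fails the server-side origin check even when the challenge is correct.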
Conditional access policies
For organizations, policies that restrict access based on device compliance, network location, or risk signals can limit the usefulness of stolen session tokens. Even if an attacker captures a token, they may not be able to use it from an unrecognized device or location.
How to detect if you have been targeted
- Check the URL carefully. AitM phishing domains are often close to the real domain but not exact. Look for subtle misspellings, extra subdomains, or unusual TLDs.
- Review recent account activity. If you suspect you clicked a suspicious link and authenticated, check your account's security activity for logins from unfamiliar locations or devices.
- Revoke active sessions. Most services (Google, Microsoft, etc.) let you sign out of all active sessions. Do this if you suspect a compromise.
- Check for account changes. Look for modified recovery options, new forwarding rules, new app authorizations, or changed security settings.
What to do now
For your most important accounts (email, financial, cloud storage), set up a hardware security key or passkey as your primary authentication method. This is the only consumer-grade defense that reliably stops AitM phishing.
For accounts that do not support FIDO2, continue using authenticator apps. They are still effective against traditional phishing, which remains far more common than AitM attacks. But understand that they are not a complete defense against sophisticated, targeted campaigns.
The authentication landscape is shifting. Passwords are becoming the weakest link, traditional MFA is no longer bulletproof, and phishing-resistant methods like passkeys and hardware keys are becoming essential rather than optional.