You've invested in multi-factor authentication. Your employees use those approval codes on their phones. You thought your accounts were protected.

They're not.

A sophisticated attack method called Adversary-in-the-Middle (AiTM) is bypassing MFA at an alarming rate. The numbers should wake every business leader up:

How It Works (The Simple Version)

Hackers place themselves between your employee and your login system. When your employee enters their password and approves the MFA request, everything looks normal, but the attacker is capturing their live session in real time. Once they have that session token, they can walk right into your systems without ever needing the password or MFA code.

Think of it like someone copying your office key while you're unlocking the door. You don't even know it happened.

Why This Is Exploding Now

These attacks used to require technical expertise. Now? Cybercriminals can subscribe to "Phishing-as-a-Service" platforms for as little as $120 and launch sophisticated MFA bypass attacks against your organization. The tools are ready-made, widely available, and increasingly automated.

What You Need to Do

MFA is still critical, but it's no longer enough on its own. Organizations need to add:

  • Session monitoring that detects unusual login patterns
  • Phishing-resistant authentication methods (hardware keys, biometrics)
  • Shorter session timeouts that require re-authentication
  • Employee training on recognizing sophisticated phishing attempts
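
The session-monitoring item above, as detection logic over sign-in and token-use events. This is an added example, not code from American PCS or any vendor. The event field names, the sample events, and the choice to group IPv4 addresses by /24 are assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed sample events, not real logs. Field names are assumptions;
# map them to whatever your identity provider or proxy actually records.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "user": "alice", "session": "s-100",
     "event": "mfa_ok", "ip": "198.51.100.10", "ua": "Chrome/124 Windows"},
    {"time": "2024-05-01T09:05:00", "user": "alice", "session": "s-100",
     "event": "token_use", "ip": "198.51.100.77", "ua": "Chrome/124 Windows"},
    {"time": "2024-05-01T09:31:00", "user": "alice", "session": "s-100",
     "event": "token_use", "ip": "203.0.113.50", "ua": "Firefox/125 Linux"},
    {"time": "2024-05-01T10:00:00", "user": "bob", "session": "s-200",
     "event": "mfa_ok", "ip": "192.0.2.20", "ua": "Safari/17 macOS"},
    {"time": "2024-05-01T10:40:00", "user": "bob", "session": "s-200",
     "event": "token_use", "ip": "203.0.113.9", "ua": "Safari/17 macOS"},
]


def network(ip, prefix=24):
    """Collapse an IPv4 address to its /prefix network to tolerate DHCP churn."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_session_anomalies(events, prefix=24):
    """Flag session use from a network AND user agent that both differ
    from the client that completed MFA for that session."""
    origin = {}   # session id -> the event that satisfied MFA
    alerts = []
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if e["event"] == "mfa_ok":
            origin.setdefault(e["session"], e)
            continue
        base = origin.get(e["session"])
        if base is None:
            continue  # MFA event outside the log window; nothing to compare
        net_changed = network(e["ip"], prefix) != network(base["ip"], prefix)
        ua_changed = e["ua"] != base["ua"]
        if net_changed and ua_changed:
            alerts.append({"user": e["user"], "session": e["session"],
                           "time": e["time"], "ip": e["ip"], "ua": e["ua"],
                           "mfa_ip": base["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in find_session_anomalies(EVENTS):
        print(alert)
```

Requiring both the network and the user agent to change keeps a roaming laptop (bob's session) from alerting while still catching a session that reappears on a different client (alice's session at 09:31).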

For IT and security teams: We've created a detailed three-part video series demonstrating how these attacks work and what attackers can do once they've gained access:

Part 1
In Part 1 of our three-part series, we reveal how an Adversary-in-the-Middle (AiTM) attack can intercept your login, bypass MFA, and take over your session, all without your knowledge. This installment features a side-by-side view that compares exactly what a hacker sees versus what the victim sees in real time during the attack.

Part 2
In Part 2, we show how attackers exploit full access: reading every email, mapping org charts, planting malicious calendar invites, and stealing sensitive files. This is the silent damage most companies never see until it’s too late.

Part 3
In Part 3, we show how hackers use stolen email access to reset passwords, hide alerts, and quietly take over accounts. In our demo we gained access to the victim’s Amazon account, but the process would be similar for most cloud-based solutions, including those storing sensitive data.

The attackers have adapted. If your security strategy hasn't, you're already behind.

American PCS helps organizations strengthen their authentication security beyond basic MFA. Contact us for an assessment of your vulnerability to these advanced attacks.