
Sorry, Did You Say Millions Of Sessions? How Cheap Kits Fuel AiTM Attacks On Microsoft 365

Security BSides London · 45 views · 48:16 · about 1 month ago

This talk demonstrates the mechanics of Adversary-in-the-Middle (AiTM) phishing attacks targeting Microsoft 365 environments, specifically focusing on how low-cost, automated phishing-as-a-service (PhaaS) kits facilitate these campaigns. The speaker analyzes the infrastructure of these kits, including reverse-proxy and synchronous-relay techniques, and explains how they bypass multi-factor authentication (MFA) by stealing session tokens. The presentation provides actionable insights for defenders, including detection strategies based on session metadata, device-bound authentication, and anomalous sign-in patterns. The talk concludes with a breakdown of the post-compromise lifecycle, highlighting how attackers maintain persistence and conduct business email compromise (BEC) at scale.

Beyond MFA: How Phishing-as-a-Service Kits Automate Session Hijacking

TLDR: Adversary-in-the-Middle (AiTM) attacks have evolved from manual proxying to automated, high-volume Phishing-as-a-Service (PhaaS) operations. These kits bypass MFA by capturing live session tokens, allowing attackers to maintain access for days without triggering standard anomaly alerts. Defenders must move beyond simple MFA and implement device-bound authentication and conditional access policies to mitigate this persistent threat.

Modern phishing has moved far beyond the "Nigerian Prince" era of static credential harvesting. Today, the most effective campaigns rely on AiTM techniques that treat multi-factor authentication (MFA) as a minor hurdle rather than a security boundary. By deploying automated, low-cost kits, attackers are now able to intercept live session tokens in real-time, effectively turning a victim’s successful login into a full account takeover.

The Mechanics of Modern AiTM Phishing

At its core, an AiTM attack functions as a transparent proxy between the victim and the legitimate service, such as Microsoft 365. The attacker does not just steal a password; they capture the session cookie generated after the user completes the MFA challenge. Because the attacker is proxying the entire authentication flow, the service provider sees a valid, authenticated session.

There are two primary methods currently dominating the landscape:

  1. Reverse Proxy: The attacker uses a tool like Evilginx or similar frameworks to proxy the entire traffic flow. The victim interacts with a phishing page that looks and acts exactly like the real login portal. Once the victim authenticates and completes MFA, the attacker captures the session token and redirects the user to a legitimate site, such as office.com, to minimize suspicion.
  2. Synchronous Relay: This method is often favored by cheaper, automated kits. The phishing page acts as a fake form that relays the victim's credentials to the attacker's backend server. The attacker’s server then performs the actual authentication against the legitimate service. The victim is left waiting for the result, while the attacker gains the session.

Why These Kits Are Winning

The rise of PhaaS platforms has commoditized these attacks. For a few hundred pounds a month, an attacker gains access to a pre-packaged, "turnkey" infrastructure. These kits include everything from automated domain registration to help-desk functionality for when a victim gets suspicious.

The technical sophistication of these kits is increasing. Many now include:

  • Anti-bot scripts: To prevent security researchers and automated scanners from analyzing the phishing infrastructure.
  • Credential pre-checks: Validating credentials against the target service before the victim even reaches the MFA prompt.
  • Session token exfiltration: Automatically sending captured cookies to a Telegram bot or a centralized management panel.

For a pentester, the most critical takeaway is the "post-compromise" phase. Once the attacker has the session token, they don't need to re-authenticate. They can import the cookie into their own browser and access the victim's mailbox or cloud storage as if they were the user. Because the session is already established, the service provider rarely triggers an "impossible travel" or "new device" alert.

Detection and Defensive Strategies

Detecting AiTM is notoriously difficult because the traffic often originates from the same IP ranges or user agents as the victim. However, there are specific anomalies that can be surfaced through OWASP-aligned authentication monitoring:

  • Header and Fingerprint Mismatches: While the attacker may proxy the traffic, they often fail to perfectly replicate the TLS fingerprint or specific HTTP headers of the victim's browser.
  • Non-Microsoft API Calls: Monitor for unusual calls to Microsoft APIs that originate from infrastructure not associated with the legitimate login flow.
  • Session Metadata: Look for discrepancies in the session metadata. If a session is established from a known corporate IP but later exhibits behavior consistent with a different device or network, it is a high-fidelity indicator of compromise.
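To make the session-metadata and fingerprint indicators above concrete, here is an added example (not code from the talk or from Microsoft) that runs two of those checks over constructed sign-in events. The field names are an assumed, simplified schema rather than the exact Entra ID sign-in log schema, and the corporate IP range, ASNs and TLS fingerprint labels are constructed sample data. Session `s-100` models a token that was established from the corporate network after MFA and then reused from an unrelated network with a fingerprint that does not belong to the browser the User-Agent claims; `s-200` is a benign control.

```python
"""Detection logic for AiTM session-hijack indicators over constructed
sign-in events. Added example; not from the talk. Field names are an
assumed, simplified schema, not the real Entra ID sign-in log schema."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample events (JSON lines).
SAMPLE_LOG = """
{"ts": "2025-06-02T08:01:10Z", "user": "alice@example.com", "session": "s-100", "ip": "203.0.113.10", "asn": 64500, "ua": "Chrome/125", "tls_fp": "fp-chrome-125", "mfa": "satisfied", "event": "interactive_signin"}
{"ts": "2025-06-02T08:01:42Z", "user": "alice@example.com", "session": "s-100", "ip": "203.0.113.10", "asn": 64500, "ua": "Chrome/125", "tls_fp": "fp-chrome-125", "mfa": "not_required", "event": "token_use"}
{"ts": "2025-06-02T08:09:05Z", "user": "alice@example.com", "session": "s-100", "ip": "198.51.100.77", "asn": 64999, "ua": "Chrome/125", "tls_fp": "fp-generic-proxy", "mfa": "not_required", "event": "token_use"}
{"ts": "2025-06-02T09:15:00Z", "user": "bob@example.com", "session": "s-200", "ip": "203.0.113.22", "asn": 64500, "ua": "Firefox/126", "tls_fp": "fp-firefox-126", "mfa": "satisfied", "event": "interactive_signin"}
{"ts": "2025-06-02T09:40:00Z", "user": "bob@example.com", "session": "s-200", "ip": "203.0.113.22", "asn": 64500, "ua": "Firefox/126", "tls_fp": "fp-firefox-126", "mfa": "not_required", "event": "token_use"}
"""

# Constructed reference data: the corporate egress range and the TLS
# fingerprint each browser family is expected to present.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_FP = {"Chrome": "fp-chrome-125", "Firefox": "fp-firefox-126"}


def parse_events(text):
    """Parse JSON-lines sign-in events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def fingerprint_mismatch(event):
    """Header/fingerprint check: does the TLS fingerprint fit the claimed UA family?"""
    family = event["ua"].split("/")[0]
    expected = EXPECTED_FP.get(family)
    return expected is not None and event["tls_fp"] != expected


def detect_session_anomalies(events):
    """Return (session, user, reason) findings.

    Two indicators from the talk are encoded:
      * a session established from the corporate network that is later used
        from another network or ASN without a fresh MFA claim;
      * a TLS fingerprint that does not match the browser the User-Agent claims.
    """
    findings = []
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)

    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        origin = evs[0]  # the event that established the session
        for ev in evs:
            if fingerprint_mismatch(ev):
                findings.append((session, ev["user"],
                                 f"tls fingerprint {ev['tls_fp']} does not match {ev['ua']}"))
            moved = (ev["asn"] != origin["asn"]
                     or is_corporate(origin["ip"]) != is_corporate(ev["ip"]))
            if moved and ev["mfa"] != "satisfied":
                findings.append((session, ev["user"],
                                 f"session reused from {ev['ip']} (asn {ev['asn']}) without MFA; "
                                 f"established from {origin['ip']} (asn {origin['asn']})"))
    return findings


if __name__ == "__main__":
    for finding in detect_session_anomalies(parse_events(SAMPLE_LOG)):
        print(finding)
```

Both findings land on `s-100`: the third event fails the fingerprint check and reuses the session from a different ASN without satisfying MFA. The control session produces nothing. In production the fingerprint table would come from your own baseline of observed browser fingerprints, and the "established from" event should be the interactive sign-in, not merely the earliest record you happen to hold.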

The most effective defense is to eliminate the reliance on phishable MFA. Implementing FIDO2-based authentication is the single most effective way to stop AiTM attacks. Because FIDO2 requires the device to cryptographically prove its identity to the origin, the attacker cannot relay the authentication request.
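The following added example (not code from the talk) shows why the synchronous-relay and reverse-proxy flows described earlier fail against FIDO2, by walking a WebAuthn assertion through both a legitimate login and a relayed one. The relying party id, origins and credential secret are constructed, and the authenticator's asymmetric signature is modelled with an HMAC over a per-credential secret so the block runs on the standard library alone; the origin and rpId checks are the ones WebAuthn specifies.

```python
"""Why FIDO2/WebAuthn assertions cannot be relayed through an AiTM proxy.
Added example, not from the talk. The authenticator signature is modelled
with an HMAC stand-in; origin/rpId handling follows WebAuthn."""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "example.com"                    # constructed relying party id
RP_ORIGIN = "https://login.example.com"  # origin the RP expects in clientDataJSON
CREDENTIAL_SECRET = b"constructed-per-credential-secret"  # stand-in for the private key


def rp_issue_challenge():
    return os.urandom(16).hex()


def browser_get_assertion(page_origin, rp_id, challenge):
    """What the browser does on navigator.credentials.get().

    The browser, not the page, writes `origin` into clientDataJSON, and it
    refuses an rpId that the current page's host is not equal to or under."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(assertion, challenge):
    """Relying-party checks, in the order WebAuthn lists them."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "rejected: wrong challenge"
    if cd.get("origin") != RP_ORIGIN:
        return f"rejected: origin {cd.get('origin')} != {RP_ORIGIN}"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rejected: rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return "rejected: bad signature"
    return "accepted"


def legitimate_login():
    ch = rp_issue_challenge()
    return rp_verify(browser_get_assertion(RP_ORIGIN, RP_ID, ch), ch)


def relayed_login(phishing_origin="https://login-example.test"):
    """AiTM relay: the proxy forwards the real challenge to the victim's browser
    on the phishing origin and tries to pass the answer back to the RP."""
    ch = rp_issue_challenge()
    results = {}
    try:  # a faithful proxy passes the real rpId; the browser refuses it
        browser_get_assertion(phishing_origin, RP_ID, ch)
        results["browser_rpid_check"] = "allowed"
    except ValueError:
        results["browser_rpid_check"] = "refused"
    # The best the proxy can get is an assertion scoped to its own host.
    # (A real authenticator would have no credential for that rpId at all;
    # the shared stand-in key is reused here only to show the checks fail.)
    own = browser_get_assertion(phishing_origin, urlparse(phishing_origin).hostname, ch)
    results["relayed_as_is"] = rp_verify(own, ch)
    # Rewriting origin and rpIdHash to look legitimate breaks the signature,
    # because both fields are under the authenticator's signature.
    forged = {
        "client_data": json.dumps({"type": "webauthn.get", "challenge": ch,
                                   "origin": RP_ORIGIN}, sort_keys=True).encode(),
        "auth_data": hashlib.sha256(RP_ID.encode()).digest() + b"\x01",
        "sig": own["sig"],
    }
    results["origin_rewritten"] = rp_verify(forged, ch)
    return results


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("relayed:", relayed_login())
```

The legitimate flow is accepted; the relayed flow is stopped three times over: the browser refuses the real rpId on the phishing origin, the RP rejects the phishing origin in clientDataJSON, and any attempt to rewrite origin or rpIdHash invalidates the signature. Contrast this with a TOTP code or a push approval, which carries no origin and is therefore trivially relayable.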

If your organization is still using push-based MFA, you are effectively leaving the door open. Conditional access policies that enforce device compliance—ensuring that only managed, compliant devices can access sensitive cloud resources—are no longer optional.

Attackers are currently operating with a high return on investment, spending minimal effort to bypass the security controls that most organizations rely on. As a researcher or pentester, your focus should be on identifying where these session tokens are being exfiltrated and how your organization’s conditional access policies can be tightened to invalidate sessions that originate from non-compliant devices. The goal is to make the cost of the attack higher than the value of the data being stolen.

Talk type: talk
Difficulty: intermediate
Category: red team
Has Demo · Has Code · Tool Released


BSides London 2025 Track 3 · 8 talks · 2025