TA0001 · ATT&CK Tactic
Initial Access
Establish a foothold in the target environment. AiTM phishing bypasses MFA entirely — the session cookie is captured mid-flight, so the victim keeps a valid authenticated session and remains unaware of the compromise.
T1566.002 · Spearphishing Link — AiTM Proxy
Adversary-in-the-Middle phishing relays the victim's MFA in real time. The attacker operates a reverse proxy (Evilginx) that sits between the victim and the legitimate Microsoft 365 login — the victim completes MFA, but the resulting session cookie goes to the attacker. Changing the password afterwards does not invalidate the stolen session token.
Attack Simulation · Step 1 / 3
# Step 1: Select high-value target
Recon identified Finance Sr. Manager m.chen — select target for spear-phish:
MailGuard Alert — High
Foyl MailGuard · THREAT-001 · HIGH
{
  "rule": "AiTM Phishing Domain Detected",
  "sender": "billing@invoices-ficsit.io",
  "sender_domain_age_days": 3,
  "target": "m.chen@ficsit-pioneer.corp",
  "subject": "Invoice #INV-2024-0847 — Action Required",
  "link_domain": "invoices-ficsit.io",
  "lookalike_score": 0.94,
  "mfa_bypass_capable": true,
  "session_cookie_stolen": true
}