Adversary-in-the-middle (AITM) is an attack in which cybercriminals attempt to compromise a user account by intercepting communication between the victim and the digital property they’re accessing. Such attacks have been on the rise since Microsoft warned of the trend in early 2023. Developers and adopters need to be aware of and vigilant about this threat because it’s being used to power “phishing-as-a-service” (PhaaS) schemes in which attackers conduct ongoing social engineering on a subscription basis.
Below, we’ll explain what AITM is, provide insights into how it works, and prescribe some best practices for detecting and mitigating the threat—especially through sound B2B authentication.
What is an adversary-in-the-middle (AITM) attack?
Per the MITRE ATT&CK database, AITM attacks are defined by perpetrators occupying a position between a target and its destination and manipulating that vantage point to collect information and set up additional attacks. AITM is closely related to man-in-the-middle (MITM), and the two terms are often used interchangeably. But, while MITM refers to all interception-like vectors, AITM specifically refers to set-ups for complex phishing and social engineering operations.
In addition, AITM attacks are often more sophisticated and dangerous than MITM, as attackers typically take a more active approach. In particular, MITRE notes that AITM attackers may force a device to communicate via a controlled platform or system, accelerating interception. In more baseline MITM attacks, cybercriminals may take a more passive approach and wait for a slip-up.
AITM also resembles domain spoofing and other phishing attacks in which users unwittingly input information on a website they believe to be legitimate. In AITM, the destination that users navigate to is legitimate, but their access to it is mediated and compromised.
These factors converge to make AITM one of the most dangerous cyberthreats, not least because it synergizes with other attack vectors to compromise sensitive data dynamically.
How AITM attacks exploit authentication systems
One of the reasons AITM is so dangerous is that it can bypass multi-factor authentication (MFA) and other protections. Attackers use reverse web proxies to capture and then forward credential inputs to a legitimate site. Or, in some cases, they set up and leverage a browser-in-the-middle (BiTM) program to take control of the user’s device directly through screen-share protocols.
Whichever techniques are used, cybercriminals can chain attacks together and use AITM to launch business email compromise (BEC) attacks and other multi-stage attacks on multiple targets.
For instance, Microsoft analyzed the attack chain of a high-stakes AITM and BEC attack:
Phase 1 – Phishing via a trusted vendor account delivered a malicious URL to victims.
Phase 2 – Clicking on said URL led to another malicious link used to steal information.
Phase 3 – Attackers presented a spoofed sign-in page to steal session tokens from users.
Phase 4 – Attackers signed in via stolen session cookies to impersonate the victims.
Phase 5 – Account settings were modified to add MFA methods to facilitate further access.
Phase 6 – Using a new session, changes were made to manipulate inbox settings.
Phase 7 – Attackers used the victim’s account to send further phishing emails.
Phase 8 – The attacker answered follow-ups to conceal their illegitimate position.
Phase 9 – Recipients of these phishing emails were engaged in further AITM.
Phase 10 – Phases 2–8 were repeated across other accounts targeted.
As this real-world example shows, AITM attacks are closely linked with other cyberthreats, as they both leverage interlinked attack vectors and can open up new vulnerabilities to target.
Best practices for defending against AITM attacks
Given the advantages of passwordless auth systems, it’s easy to assume that having a novel authentication protocol in place is enough to protect against threats like AITM. And, while upgraded authentication itself goes a long way toward preventing attacks, it works better when approached carefully.
In particular, three ways organizations can defend against AITM attacks include:
Improving on MFA with phishing resistance and session security
Establishing and leveraging granular conditional access policies
Monitoring continuously and proactively addressing threats
Let’s take a closer look at each of these tactics.
Implement robust MFA and session security
In the example from Microsoft above, subverting an MFA login provided the basis for what would become an extremely complex and wide-reaching AITM attack. Given MFA’s popularity and accessibility, along with its well-documented susceptibility to social engineering, developers utilizing it for login purposes should seek out advanced phishing-resistant MFA protocols.
There are several ways to make MFA more resistant to phishing and social engineering.
Some involve the use of more and/or better factors while avoiding easily compromisable ones, such as baseline SMS authentication or push notifications. Other methods include building risk analysis into the authentication protocol by monitoring user behaviors before and after login. Encrypting all communications between devices and platforms used for MFA provides a last line of defense, as it ensures data can’t be used by attackers, even if it is stolen, intercepted, or otherwise acquired.
Another key element of the attack chain detailed above was the attacker’s ability to steal and re-use session tokens. Revoking session tokens, such as through careful use of refresh token technology, is one of the best ways to prevent (and identify) the initial stages of an AITM attack.
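The rotation-plus-reuse-detection pattern that this section describes, as an added illustration that is not Descope’s code or part of the original post. It assumes an in-memory store and a configurable lifetime; every refresh retires the presented token, and a retired token that comes back is treated as a copied token, so the whole family is revoked and the caller is told to investigate.

```python
import secrets
import time


class RefreshTokenStore:
    """Rotating refresh tokens with reuse detection (illustrative in-memory store).

    Every refresh retires the presented token and issues a new one in the same
    family. If a retired token is presented again, two parties hold copies of
    it (the legitimate client and whoever intercepted it), so the whole family
    is revoked and the reuse is reported for investigation.
    """

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.tokens = {}             # token -> record
        self.revoked_families = set()

    def issue(self, user, family=None, now=None):
        now = time.time() if now is None else now
        family = family or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": user, "family": family,
                              "issued": now, "active": True}
        return token

    def _revoke_family(self, family):
        self.revoked_families.add(family)
        for rec in self.tokens.values():
            if rec["family"] == family:
                rec["active"] = False

    def rotate(self, token, now=None):
        """Return ("ok", new_token), ("reuse", family), ("expired", None)
        or ("invalid", None)."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec["family"] in self.revoked_families:
            return ("invalid", None)
        if not rec["active"]:
            # A retired token came back: treat it as theft and kill the family.
            self._revoke_family(rec["family"])
            return ("reuse", rec["family"])
        rec["active"] = False
        if now - rec["issued"] > self.ttl:
            return ("expired", None)
        return ("ok", self.issue(rec["user"], rec["family"], now))
```

After a "reuse" result the legitimate client’s newest token is also refused, which forces a fresh login and gives the monitoring side a clear signal that a session was copied.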
Utilize conditional access policies
Another way to safeguard against AITM is to restrict and control access on the basis of a user’s identity and the context of each request. This includes methods like limiting authorization to one or a few accepted locations or IP addresses, or requiring re-authentication if a location or other factor is not recognized. Device status can also play a role, and factors such as programs or users present on a network can also determine whether or not access is granted—or whether (or how) re-authentication is required.
One way to build these kinds of granular controls into an authentication system is to use attribute-based access control (ABAC), which determines authorization based on specific factors inherent to an access request. Examples include details about the user’s account, such as their role and the kinds of access it grants, along with details about the data being accessed, such as its sensitivity.
Unlike related systems like role-based access control (RBAC), ABAC offers the greatest flexibility in terms of factors analyzed. Any quality related to a subject, object, or action, the environment they coexist within, and applicable policies can be used in dynamic combinations to give organizations the utmost control over access sessions.
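An attribute-based policy of the kind described in this section, as an added example rather than Descope’s own policy engine. The allowed countries, the set of phishing-resistant factors and the sensitivity labels are constructed assumptions; the evaluator combines user, device, network and resource attributes and returns deny, step-up re-authentication, or allow, together with every reason that matched.

```python
from dataclasses import dataclass, field

PHISHING_RESISTANT = {"passkey", "fido2", "smart_card"}   # assumed factor names
ALLOWED_COUNTRIES = {"US", "DE", "GB"}                    # constructed policy value


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_method: str            # factor that established this session
    ip: str
    country: str
    device_compliant: bool
    resource_sensitivity: str  # "public" | "internal" | "confidential"
    session_age_min: int
    known_ips: set = field(default_factory=set)


# (predicate, decision, reason). Deny rules are listed first, then step-up rules.
RULES = [
    (lambda r: r.country not in ALLOWED_COUNTRIES, "deny", "country not allowed"),
    (lambda r: r.resource_sensitivity == "confidential" and not r.device_compliant,
     "deny", "non-compliant device on confidential data"),
    (lambda r: r.resource_sensitivity == "confidential" and r.role == "guest",
     "deny", "guest role cannot read confidential data"),
    (lambda r: r.ip not in r.known_ips, "step_up", "unfamiliar IP address"),
    (lambda r: r.resource_sensitivity != "public"
     and r.mfa_method not in PHISHING_RESISTANT,
     "step_up", "session not bound to a phishing-resistant factor"),
    (lambda r: r.resource_sensitivity == "confidential" and r.session_age_min > 60,
     "step_up", "session too old for confidential data"),
]


def evaluate(req):
    """Return ("deny" | "step_up" | "allow", [matching reasons]).

    Every rule is evaluated so the caller can log all matching reasons;
    the most severe decision wins."""
    reasons = {"deny": [], "step_up": []}
    for predicate, decision, reason in RULES:
        if predicate(req):
            reasons[decision].append(reason)
    if reasons["deny"]:
        return ("deny", reasons["deny"])
    if reasons["step_up"]:
        return ("step_up", reasons["step_up"])
    return ("allow", [])
```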
Monitor continuously for threats
A key component of effective session management is continuous monitoring. This includes visibility before and during authentication protocols and throughout access sessions, as well as after a session has ended and between them.
Detecting AITM and other attacks early is the best way to prevent them from becoming full-blown, multi-stage incidents. Something as simple as requiring additional information or re-authentication when any irregular activity occurs (e.g., impactful changes to account settings) could have made a world of difference in the Microsoft AITM and BEC attack detailed above.
Monitoring amplifies password and passkey security no matter what authentication protocols are being used. Implementing visibility architecture allows organizations to see how accounts are being used and revoke or limit access if any early warning signs of an attack are evident.
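A small detection that turns the "irregular activity after sign-in" idea above into a rule, added here as an example and not taken from Descope or Microsoft. The event names, the JSON log format and the sample events are constructed; a sign-in from an IP never seen for that user opens a window, and the persistence changes from phases 5 and 6 of the attack chain (adding an MFA method, creating an inbox rule) inside that window raise the alert level.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs); one JSON object per line.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:00Z","user":"alice","event":"signin","ip":"198.51.100.7","new_ip":true}
{"ts":"2024-05-01T09:04:00Z","user":"alice","event":"mfa_method_added","ip":"198.51.100.7"}
{"ts":"2024-05-01T09:09:00Z","user":"alice","event":"inbox_rule_created","ip":"198.51.100.7"}
{"ts":"2024-05-01T09:30:00Z","user":"bob","event":"signin","ip":"203.0.113.5","new_ip":true}
{"ts":"2024-05-01T09:40:00Z","user":"bob","event":"inbox_rule_created","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:00Z","user":"carol","event":"signin","ip":"192.0.2.10","new_ip":false}
{"ts":"2024-05-01T10:02:00Z","user":"carol","event":"mfa_method_added","ip":"192.0.2.10"}
"""

# Post-sign-in changes an intruder makes to persist and hide (assumed event names).
PERSISTENCE_EVENTS = {"mfa_method_added", "inbox_rule_created"}


def parse_events(log_text):
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect(log_text, window=timedelta(minutes=30)):
    """Map user -> "medium" or "high".

    One persistence change inside the window after an unfamiliar-IP sign-in
    is "medium" (require re-authentication); both kinds is "high" (revoke
    every session for the user and investigate)."""
    anchors = {}   # user -> time of the latest sign-in from an unfamiliar IP
    seen = {}      # user -> persistence event types observed in the window
    alerts = {}
    for e in parse_events(log_text):
        user = e["user"]
        if e["event"] == "signin":
            if e.get("new_ip"):
                anchors[user] = e["ts"]
                seen[user] = set()
            continue
        if e["event"] not in PERSISTENCE_EVENTS or user not in anchors:
            continue
        if e["ts"] - anchors[user] <= window:
            seen[user].add(e["event"])
            alerts[user] = "high" if seen[user] == PERSISTENCE_EVENTS else "medium"
    return alerts
```

Carol’s MFA change after a sign-in from a known IP raises nothing, which is the trade-off of anchoring on the unfamiliar-IP signal; a production rule would normally combine it with the token-reuse signal from session rotation.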
Optimize authentication to prevent AITM attacks
Descope optimizes authentication for security across traditional (password) and passwordless protocols. Thanks to no-code workflows for secure authentication, these advanced features are easy for any developer to include in any software project and for any adopter to leverage, irrespective of technical literacy. End-users can configure secure authentication settings with abstracted, accessible controls.
Curious how an MFA bypass attack occurs? Read our article discussing a recent series of MITM attempts against the customers of one organization.
Keep your finger on the pulse of authentication by following us on LinkedIn.