
What is Adversary-in-the-Middle?

Adversary-in-the-Middle (AiTM) is a technique for bypassing verification in login chains. Fraudsters insert themselves between two devices to intercept credentials, session cookies, and transmitted data, frequently bypassing multi-factor authentication.

Arsen Team

Adversary-in-the-Middle (AiTM) appears across Initial Access, Positioning, and Execution tactics in the MITRE F3 Framework. It describes fraud actors positioning themselves between a victim and a legitimate service to intercept or manipulate communications.

How does Adversary-in-the-Middle work?

Fraud actors abuse common network protocols (ARP, DNS, LLMNR) to force a device to route its traffic through an attacker-controlled system. Once positioned, they can:

  • Collect credentials entered by the victim in real time
  • Capture session cookies and replay them to authenticate without the victim's password
  • Manipulate transmitted data, altering transaction amounts or account details
  • Bypass MFA by relaying the OTP or approval before the victim's session expires

Tools like Evilginx2 and Muraena are openly available frameworks that implement AiTM as reverse proxies, specifically designed for use in phishing campaigns.

A phishing link that routes the victim through an AiTM proxy can harvest both the password and the MFA token in a single interaction. This is why simulating only password-theft scenarios is insufficient: employees need to recognise that clicking a link is dangerous even when MFA is active.

Key takeaways

  • AiTM appears under Initial Access, Positioning, and Execution in MITRE F3.
  • Attackers intercept credentials, session cookies, and live traffic between victim and service.
  • AiTM can bypass MFA by relaying OTPs in real time.
  • Open-source tools (Evilginx2, Muraena) make AiTM accessible to low-sophistication attackers.
  • Phishing is the primary delivery mechanism to lure victims into AiTM proxies.

What is MITRE Fight Fraud Framework™ (F3)?

The MITRE Fight Fraud Framework (F3) is a curated knowledge base of tactics, techniques, and sub-techniques used by fraud actors in cyber-based financial fraud incidents. Developed by MITRE's Center for Threat-Informed Defense in collaboration with FS-ISAC, JPMorganChase, and Lloyds Banking Group, it provides a common language for fraud-fusion teams to describe, detect, and prevent financial fraud. F3 is modeled after MITRE ATT&CK® and focuses on banking institutions as its initial scope.


Frequently Asked Questions

Yes. Because the attacker relays both the password and the MFA token in real time, standard TOTP and push-based MFA are bypassed. Phishing-resistant MFA (FIDO2/passkeys) is the primary technical countermeasure.
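Why FIDO2/passkeys resist the relay described in the bullets above and in this answer comes down to origin binding: the browser, not the user, writes the visited origin into the signed client data, so an assertion produced on a proxy's domain does not verify at the real service. The following is an added example, not code from the page or from Arsen, that simulates a relying party's WebAuthn-style check; the origins are hypothetical and HMAC stands in for the authenticator's public-key signature so it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed simulation of a relying party (RP) verifying a WebAuthn-style
# assertion. The authenticator signs over authenticatorData || SHA-256(clientDataJSON);
# clientDataJSON carries the origin the browser actually visited, and the user
# cannot change it. An AiTM reverse proxy sits on a different origin, so the
# assertion it relays to the RP names the wrong origin and is rejected.
# Assumption: HMAC replaces the real public-key signature; RP_ID_HASH stands in
# for authenticatorData. Origins are hypothetical.

RP_ORIGIN = "https://login.example.com"            # legitimate service (hypothetical)
RP_ID_HASH = hashlib.sha256(b"login.example.com").digest()

def authenticator_sign(key: bytes, browser_origin: str, challenge: bytes) -> dict:
    """Browser + authenticator produce an assertion for whatever page the user is on."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": browser_origin}).encode()
    signed = RP_ID_HASH + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data,
            "signature": hmac.new(key, signed, hashlib.sha256).digest()}

def rp_verify(key: bytes, assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """RP checks, in order: challenge freshness, origin binding, signature validity."""
    data = json.loads(assertion["clientDataJSON"])
    if data.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch (stale or replayed assertion)"
    if data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: assertion was signed for {data.get('origin')!r}"
    signed = RP_ID_HASH + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def simulate_login(browser_origin: str) -> tuple[bool, str]:
    """One login attempt. The RP issues the challenge; a proxy would relay it
    unchanged to the victim's browser, so only the origin field differs."""
    credential_key = b"constructed-credential-key"      # constructed, per-credential secret
    challenge = secrets.token_bytes(32)
    assertion = authenticator_sign(credential_key, browser_origin, challenge)
    return rp_verify(credential_key, assertion, challenge)

if __name__ == "__main__":
    print(simulate_login("https://login.example.com"))            # (True, 'ok')
    print(simulate_login("https://login-example.com.evil.test"))  # (False, 'origin mismatch ...')
```

Contrast this with a relayed OTP or push approval, which carries no information about where the user typed it, so the real service cannot tell a proxied session from a genuine one.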

Evilginx2 and Muraena are widely used open-source reverse-proxy frameworks. They are also frequently embedded in phishing-as-a-service kits sold on underground markets.

Training should emphasise that MFA is not a reason to trust a link. Employees should be shown realistic phishing simulations that demonstrate how AiTM proxies steal sessions, reinforcing the reflex to verify URLs directly.

AiTM describes fraud actors positioning themselves between a victim and a target service to intercept credentials, session cookies, or transmitted data, often using network protocol abuse or reverse-proxy tools.