Adversary-in-the-Middle Attacks: What You Need to Know

Cybercriminals are always looking for new ways to trick people, and one of the more sophisticated methods we’re seeing is the Adversary-in-the-Middle (AiTM) attack. This isn’t your typical spam—AiTM attacks take advantage of real, compromised accounts to slip malicious links into what look like ordinary business communications.

[Image: example adversary-in-the-middle phishing email]

In our example email the sender appears legitimate, the subject line looks normal, and the file-sharing notification could easily pass as something from Microsoft 365 or Google Drive. But a closer look shows the telltale signs:

  • The recipient field is suspicious (sometimes even matching the sender).

  • The message uses a generic file-sharing notice instead of something specific.

  • The “Open” link directs to a malicious site disguised as a Microsoft or Google login.
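The three red flags above can be turned into an automated triage check. The Python below is an added example, not code from the original post; the two e-mail messages it scans are constructed, and the brand-to-domain allowlist is a trimmed illustration rather than a complete one.

```python
"""Heuristic triage of a file-sharing notification e-mail for the three
AiTM red flags: recipient matching sender, a generic notice with no file
named, and an "Open" link whose host is not the brand it imitates.
Added example for this post; the two messages at the bottom are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine notification from each brand links to. Assumption: a
# trimmed allowlist for illustration, not an exhaustive list.
BRAND_HOSTS = {
    "microsoft": ("sharepoint.com", "onedrive.live.com",
                  "login.microsoftonline.com", "microsoft.com"),
    "google": ("drive.google.com", "docs.google.com",
               "accounts.google.com", "google.com"),
}
# Words in the body that tell us which brand the notice is imitating.
BRAND_WORDS = {
    "microsoft": ("microsoft", "onedrive", "sharepoint"),
    "google": ("google", "gmail"),
}
GENERIC_PHRASES = ("shared a file with you", "shared a document with you")
FILENAME_RE = re.compile(r"\b[\w-]+\.(pdf|docx?|xlsx?|pptx?|zip)\b", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_allowed(host, allowed):
    return any(host == a or host.endswith("." + a) for a in allowed)


def triage(raw: str) -> list[str]:
    """Return human-readable findings for one raw message; empty means no red flag."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = body.lower()
    findings = []

    # Red flag 1: the recipient field matches the sender.
    if sender and sender == recipient:
        findings.append("recipient matches sender")

    # Red flag 2: generic file-sharing wording with no actual file named.
    if any(p in text for p in GENERIC_PHRASES) and not FILENAME_RE.search(body):
        findings.append("generic file-sharing notice with no named file")

    # Red flag 3: the "Open" link leads somewhere other than the brand it imitates.
    brand = next((b for b, words in BRAND_WORDS.items()
                  if any(w in text for w in words)), None)
    extractor = _LinkExtractor()
    extractor.feed(body)
    for href, label in extractor.links:
        host = (urlparse(href).hostname or "").lower()
        if brand and not _host_allowed(host, BRAND_HOSTS[brand]):
            findings.append(f"link '{label}' points to {host}, not a {brand} domain")
    return findings


# Constructed sample: the kind of message described in the post.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@partner-firm.example>
To: Jane Doe <jane.doe@partner-firm.example>
Subject: Jane Doe shared a file with you
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Jane Doe shared a file with you using Microsoft OneDrive.</p>
<p><a href="https://login-microsoft0nline.example/auth">Open</a></p>
</body></html>
"""

# Constructed sample: a notice that names the file and links to the real service.
CLEAN = """\
From: Sam Lee <sam.lee@contoso.example>
To: Jane Doe <jane.doe@partner-firm.example>
Subject: Sam Lee shared "Q3-budget.xlsx" with you
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Sam Lee shared a file with you using Microsoft OneDrive: Q3-budget.xlsx</p>
<p><a href="https://contoso-my.sharepoint.com/:x:/g/personal/example">Open</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(name, triage(raw))
```

Run as-is, the suspicious message produces all three findings and the clean one none. The link check is the one that matters most in practice: the visible label says "Open" and the body says "Microsoft", but only the parsed hostname of the href tells you where the click actually goes.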

This is just one way AiTM attacks work. Others may involve phishing pages that proxy your login in real time, bypassing multi-factor authentication, or malicious redirects buried in email threads. The goal is always the same: steal credentials and quietly monitor or hijack communications.

Why This Matters

What makes AiTM so dangerous is that the attacker inserts themselves into the middle of a conversation, often unnoticed. They can intercept sign-ins, forward emails, or manipulate financial transactions before you realize anything is wrong.

While MFA remains critical, attackers are getting better at working around traditional methods. This is why passkeys are becoming an important part of the conversation. Unlike passwords (and even some MFA codes), passkeys can’t be easily intercepted or replayed in an AiTM attack: the sign-in is cryptographically bound to the genuine site’s domain, so a proxy page on a lookalike domain captures nothing it can reuse.
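To see why a real-time proxy gains nothing from a passkey sign-in, here is an added Python model of the checks a passkey (WebAuthn) server performs when it receives a sign-in response; it is not code from the original post or from any vendor mentioned. The hostnames are constructed, and an HMAC with a shared secret stands in for the authenticator's asymmetric signature so the block runs on the standard library alone.

```python
"""Why a proxied login cannot replay a passkey: the browser records the
origin it is really on, the authenticator signs over a hash of that record,
and the server checks origin, challenge and signature before accepting.
Added example for this post. Assumption: HMAC with a shared secret stands
in for the authenticator's ECDSA/EdDSA signature; real WebAuthn verifies an
asymmetric signature with the credential's public key."""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "login.example"                       # relying party ID (constructed)
EXPECTED_ORIGIN = "https://login.example"     # the only origin the server accepts
AUTHENTICATOR_SECRET = b"constructed-stand-in-for-private-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_sign_in(origin: str, challenge: bytes) -> dict:
    """Model of browser + authenticator producing a sign-in assertion.
    The browser, not the page, writes the origin it is actually on into
    clientDataJSON; the authenticator signs authenticatorData || SHA-256(clientDataJSON).
    In practice a browser on a lookalike domain would not even offer the
    credential (its rpId does not match); the model produces one anyway so
    the server-side checks can be shown."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
    }).encode()
    # authenticatorData: SHA-256(rpId) followed by flags and a counter (simplified).
    rp_id = origin.split("://", 1)[1].split("/", 1)[0]
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(AUTHENTICATOR_SECRET, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def verify_assertion(assertion: dict, issued_challenge: bytes) -> str:
    """Relying-party checks in the order WebAuthn lists them. Returns 'ok' or the failing check."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return "bad type"
    if client_data.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return f"origin mismatch: {client_data.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "bad signature"
    return "ok"


def demo() -> dict:
    """Four scenarios: genuine sign-in, sign-in captured on a proxy's lookalike
    domain, the same capture with origin and rpIdHash rewritten to look genuine,
    and a genuine assertion replayed against a later challenge."""
    challenge = os.urandom(32)
    genuine = browser_sign_in(EXPECTED_ORIGIN, challenge)
    proxied = browser_sign_in("https://login-example.attacker-proxy.example", challenge)
    rewritten = dict(proxied)
    cd = json.loads(proxied["clientDataJSON"])
    cd["origin"] = EXPECTED_ORIGIN
    rewritten["clientDataJSON"] = json.dumps(cd).encode()
    rewritten["authenticatorData"] = (hashlib.sha256(RP_ID.encode()).digest()
                                      + proxied["authenticatorData"][32:])
    return {
        "genuine": verify_assertion(genuine, challenge),
        "proxied": verify_assertion(proxied, challenge),
        "rewritten": verify_assertion(rewritten, challenge),
        "replayed": verify_assertion(genuine, os.urandom(32)),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The proxied case fails on the origin check because the browser filled in the lookalike hostname; patching that field back to the real origin changes the bytes the signature covers, so the signature check fails instead; and a captured genuine response fails on the challenge check when presented again. Each of those is exactly the step an AiTM proxy relies on when it relays a password or a one-time code.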

[Image: iPhone screenshot of a passkey sign-in]

Staying Ahead

No single defense is enough on its own—it takes both technology and awareness. Training your team to spot red flags is one layer. Adopting stronger authentication methods like passkeys is another. And having continuous monitoring in place ensures that if an account is compromised, you’ll know about it before the damage spreads.


Did you know we offer Huntress Identity Threat Detection & Response (ITDR) to our clients? It’s designed specifically to spot attacks like this, monitoring for suspicious sign-ins and MFA bypass attempts. If you’d like to dive deeper into how these attacks work, Huntress has an excellent white paper here; its ITDR service is a fully managed solution to protect your team from threats against your Microsoft 365 identities.

Key Takeaways

  • Enable and enforce MFA across your organization

  • Start planning your move toward passkeys for stronger authentication

  • Train employees to spot suspicious emails and red flags

  • Consider a service like Huntress ITDR for early warning and protection

Want to find out more or talk about how these protections fit into your business? Reach out to our account team—we’re here to help.

