"But we have MFA" is the sentence we hear most often after a Microsoft 365 breach. The uncomfortable reality in 2026 is that multi-factor authentication, while essential, is routinely bypassed by adversary-in-the-middle (AiTM) phishing. Understanding the mechanism is the first step to defending against it.
How adversary-in-the-middle phishing works
In a traditional phishing attack, the criminal captures your password on a fake login page. AiTM goes a step further. The phishing page acts as a reverse proxy sitting between you and the real Microsoft login. You enter your username, password, and even complete your MFA prompt — and the proxy relays each step to the genuine service in real time. Because the login actually succeeds, Microsoft issues a valid session token, and the attacker's proxy captures it.
With that stolen session token, the attacker can access the mailbox directly, without ever needing the password or triggering MFA again. The session looks legitimate because, technically, it is.
Why this matters more every quarter
Phishing-as-a-service kits have made AiTM push-button. Platforms such as Tycoon2FA lease ready-made AiTM infrastructure, and in 2026 the FBI warned about Kali365, a subscription kit sold on Telegram from around $250 that hijacks Microsoft 365 accounts without touching the password. A single AiTM campaign observed in April 2026 targeted more than 35,000 users across 13,000+ organizations. Token theft is now the dominant path into M365 tenants.
What AiTM looks like in your logs
The tell-tale pattern is a successful sign-in that satisfied MFA but originated from an unusual IP, ASN, or geography — often shortly after the user clicked a link. You may then see token reuse from a different location, new inbox rules created, and mailbox access that doesn't match the user's normal hours. Correlating sign-in logs with MailItemsAccessed events exposes the hijacked session.
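A worked version of that correlation, as an added example that is not part of the original article: a small Python routine that joins MFA-satisfied sign-ins from an ASN outside the user's baseline with MailItemsAccessed and inbox-rule events that follow within a short window. The records, field names and per-user ASN baseline are constructed and simplified; real Entra sign-in and unified audit log schemas carry more fields.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data). Sign-in entries loosely follow
# the Entra ID sign-in log; audit entries mimic unified audit log operations.
SIGNINS = [
    {"user": "alice@example.com", "time": "2026-04-02T08:05:00", "ip": "203.0.113.10",
     "asn": 64496, "country": "US", "mfa": True, "success": True},
    {"user": "alice@example.com", "time": "2026-04-02T09:12:00", "ip": "198.51.100.77",
     "asn": 64511, "country": "NL", "mfa": True, "success": True},
]
AUDIT = [
    {"user": "alice@example.com", "time": "2026-04-02T09:14:00",
     "op": "MailItemsAccessed", "ip": "198.51.100.77"},
    {"user": "alice@example.com", "time": "2026-04-02T09:20:00",
     "op": "New-InboxRule", "ip": "192.0.2.44"},
]
# Constructed per-user baseline: ASNs this user has signed in from recently.
BASELINE_ASN = {"alice@example.com": {64496}}

PERSISTENCE_OPS = ("New-InboxRule", "Set-InboxRule")
FOLLOW_OPS = ("MailItemsAccessed",) + PERSISTENCE_OPS


def parse(ts):
    return datetime.fromisoformat(ts)


def find_aitm_candidates(signins, audit, baseline, window=timedelta(hours=2)):
    """Flag successful, MFA-satisfied sign-ins from an ASN not in the user's
    baseline that are followed within `window` by mailbox access or inbox-rule
    changes. Marks token reuse (activity from an IP other than the sign-in IP)
    and persistence (any inbox-rule operation). Returns a list of alert dicts."""
    alerts = []
    for s in signins:
        if not (s["success"] and s["mfa"]):
            continue
        if s["asn"] in baseline.get(s["user"], set()):
            continue  # known ASN for this user: not the pattern we are hunting
        t0 = parse(s["time"])
        follow = [a for a in audit if a["user"] == s["user"]
                  and t0 <= parse(a["time"]) <= t0 + window
                  and a["op"] in FOLLOW_OPS]
        if follow:
            alerts.append({
                "user": s["user"], "signin_ip": s["ip"], "asn": s["asn"],
                "country": s["country"],
                "events": [(a["op"], a["ip"]) for a in follow],
                "token_reuse": any(a["ip"] != s["ip"] for a in follow),
                "persistence": any(a["op"] in PERSISTENCE_OPS for a in follow),
            })
    return alerts
```

The 08:05 sign-in from the baseline ASN is ignored even though mailbox activity follows it; the 09:12 sign-in from the unknown ASN is flagged, with reuse from a third IP and an inbox rule as persistence.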
How to defend against AiTM
- Phishing-resistant MFA. FIDO2 security keys, Windows Hello for Business, and passkeys are bound to the legitimate domain and cannot be proxied — this is the single most effective control.
- Conditional Access. Restrict sign-ins to compliant/managed devices and known locations; require token protection where supported.
- Continuous Access Evaluation (CAE). Shortens the window in which a stolen token is useful by re-evaluating session validity.
- Fast detection. Alert on impossible travel and post-MFA anomalies, and be ready to revoke sessions instantly.
If you suspect a token was stolen
Changing the password will not help on its own — you must revoke the account's sessions in Microsoft Entra ID. Then investigate the dwell time: what the session accessed and whether persistence (inbox rules, OAuth grants) was established. BreachLens reconstructs that token-theft timeline from your M365 logs automatically.