The rapid maturation of cybersecurity defenses has forced threat actors to abandon simplistic credential harvesting in favor of highly sophisticated Adversary-in-the-Middle techniques that intercept live authentication sessions. Unlike traditional phishing, which merely seeks to trick a user into revealing a password, these advanced operations position themselves as a transparent proxy between the victim and a legitimate service provider like Microsoft 365 or Google Workspace. By mirroring the actual login page in real time, the attacker can capture not only the primary credentials but also the secondary multi-factor authentication codes or push notification approvals provided by the user. The primary objective is to obtain the session token, a digital key generated after a successful login that maintains the user’s authenticated state. Once this token is successfully intercepted, the attacker can inject it into their own browser to gain full access to the corporate account, effectively bypassing the need for any further identity verification. This structural shift in cybercrime methodology has rendered many standard security protocols insufficient, as the defense is no longer about protecting a static password but about securing the integrity of the entire communication channel between the client and the server.
The Lexfo Investigation: Unmasking the Proxy Ecosystem
A significant breakthrough in understanding these operations occurred when a security firm investigated an Egyptian threat actor known as “codemado,” who inadvertently exposed a massive cache of internal data. This exposure was the result of a critical operational security blunder involving a Python-based web server left open on a public port, allowing researchers to download a complete toolkit used for high-frequency phishing campaigns. The recovered files provided a rare glimpse into the inner workings of modern cybercrime, revealing detailed phishing configurations, “combolists” of stolen credentials, and extensive session logs from compromised corporate accounts. This discovery moved beyond a single actor, highlighting an interconnected network of operators including “mail-argenta” and “saroula01” who collaborate or share resources to target enterprise environments across North America and Europe. These groups frequently utilize customized iterations of open-source frameworks such as Evilginx, which have been modified to improve their resilience against detection and their ability to scale across diverse cloud infrastructures. The investigation confirmed that these actors are not just isolated hobbyists but are part of a professionalized ecosystem that treats session hijacking as a streamlined, repeatable business process.
The evidence retrieved from the exposed servers demonstrated a high level of operational coordination, where different actors specialized in specific stages of the attack lifecycle. For instance, while some focused on the development of the proxy infrastructure, others managed the distribution of phishing lures or the subsequent exploitation of stolen session tokens. The “codemado” data included scripts designed to automate the deployment of phishing pages across various hosting providers, ensuring that if one site was taken down, another could be spun up within minutes. This modular approach to infrastructure management allows these threat actors to maintain a persistent presence even when targeted by security vendors and law enforcement. Furthermore, the logs showed a heavy emphasis on targeting high-value employees within corporate hierarchies, such as IT administrators and finance department staff, where a single successful session hijack could lead to significant financial or data-driven consequences. The level of detail found in the configuration files suggests that these operators spend considerable time researching their targets to ensure the phishing lures are indistinguishable from legitimate internal communications, thereby increasing the probability of a successful user interaction.
Advanced Evasion: Subverting Integrated Security Scanners
To maintain the longevity of their phishing infrastructure, attackers have developed sophisticated technical layers designed to bypass automated security scanners and browser-based protections. One of the most prominent techniques used in the “red-queen” fork of popular phishing kits involves the dynamic manipulation of Subresource Integrity checks. These checks are a security feature in modern browsers that ensure files fetched from a server have not been tampered with; however, AiTM kits can now intercept the HTML as it passes through the proxy and rename attributes like “crossorigin” and “integrity” on the fly. By stripping these attributes or replacing them with expected values, the attacker ensures the browser continues to execute malicious scripts without triggering a security warning. This capability is crucial for injecting custom tracking scripts or credential-stealing code into a legitimate-looking page without alerting the user or the underlying platform. Such methods demonstrate a deep understanding of browser security mechanisms, allowing attackers to remain invisible even when their traffic is being inspected by mid-tier security solutions.
Beyond script manipulation, these advanced kits integrate custom URL-rewriting engines that serve as a primary defense against path-based detection systems. Traditional security filters often rely on identifying known malicious URLs or suspicious patterns in the login path to block access to phishing sites. To counter this, modern AiTM infrastructure employs a dynamic rewriting process that masks the true identity of the phishing server by generating unique, randomized URLs for every victim. This ensures that even if one specific link is flagged and blocked, the rest of the campaign remains operational. Moreover, these rewriting engines can detect the geographic location and device type of the incoming visitor, allowing the server to present a benign page to automated bots or security researchers while serving the actual phishing content to the intended victim. This selective presentation, often referred to as cloaking, significantly increases the complexity of automated threat hunting and extends the lifespan of the malicious domains. By evolving these proxy mechanics, threat actors have created a moving target that consistently outpaces the signature-based detection methods relied upon by many organizations.
Session Persistence: The Danger of Long-Lived Tokens
The true value of an AiTM attack lies not in the initial access but in the ability to maintain a persistent presence within a compromised environment. Threat actors have become adept at configuring captured session cookies with an extended Time-to-Live, sometimes reaching up to one year for specific Microsoft services. This persistence allows an attacker to remain active in a corporate account for months after the initial phish, often without the user’s knowledge. Because the stolen session token represents a “verified” state, the attacker can move laterally through the organization’s cloud resources, accessing sensitive emails, financial documents, and internal databases without ever being prompted for a password or MFA challenge. This level of access is particularly devastating because it circumvents traditional password resets; even if a user changes their credentials, the existing session token may remain valid as long as the underlying authentication cookie is active. This creates a scenario where the attacker has a permanent backdoor into the company, providing them with ample time to plan and execute secondary attacks such as business email compromise or ransomware deployment. The absence of Continuous Access Evaluation policies in many corporate environments further exacerbates the risks associated with long-lived session tokens. CAE is a modern security standard that allows an identity provider to revoke a session in real time based on specific triggers, such as a change in the user’s IP address or the detection of a suspicious login location. Without these policies, a stolen token remains a valid credential regardless of where it is being used from, meaning an attacker in a different country can utilize a token stolen from a domestic employee without triggering an immediate block. The threat actors involved in the “mail-argenta” operations specifically looked for organizations that lacked these real-time revocation capabilities, as it guaranteed a longer dwell time for their activities. This gap in security architecture emphasizes that identity management must move beyond the initial login phase and focus on the continuous monitoring of the session’s integrity. As long as session tokens are treated as permanent passes rather than temporary permissions, the impact of a single successful AiTM attack will continue to be a significant threat to long-term organizational security.
Device Flow Abuse: Circumventing Hardware Protections
A more insidious variation of the AiTM technique, often associated with the “black-queen” variant, involves the abuse of the Microsoft OAuth device code flow. Originally designed to facilitate logins on devices with limited input capabilities, such as smart TVs or IoT hardware, this workflow has been repurposed by attackers to trick users into authorizing malicious sessions on their own. In this attack scenario, the victim is directed to a legitimate Microsoft login page and prompted to enter a specific code provided by the attacker’s phishing site. Because the user is interacting directly with the official Microsoft domain, their browser and security software often fail to recognize the malicious intent of the transaction. The victim, believing they are performing a standard authentication step for a legitimate business application, enters the code and completes the MFA prompt on their own trusted device. This action inadvertently authorizes the attacker’s backend to receive a fully authenticated session token, providing the adversary with total control over the victim’s account without ever needing to proxy the actual login traffic. This method is particularly dangerous because it effectively breaks the origin binding that protects advanced authentication methods like FIDO2 security keys and passkeys. Hardware-based security keys are designed to prevent phishing by ensuring that the authentication request comes from the expected domain; however, since the victim in a device code flow attack is actually visiting the genuine Microsoft site, the security key’s internal checks pass perfectly. The key validates the legitimate domain, the user provides their biometric or PIN, and the MFA requirement is satisfied. The attacker’s server, which has been polling the Microsoft token endpoint in the background, immediately receives the resulting session token once the user clears the prompt. This bypass illustrates a critical vulnerability in how modern authentication flows are architected, as the trust placed in a legitimate domain can be exploited to facilitate an unauthorized login. It highlights the fact that even the most secure hardware MFA cannot protect a user if they are being coerced into participating in a legitimate but misdirected authentication workflow.
Generative Models: AI as an Offensive Catalyst
The integration of artificial intelligence into the cybercrime lifecycle has significantly lowered the barrier to entry for developing and maintaining complex AiTM infrastructure. Forensic evidence from the investigation into the “codemado” and “saroula01” operations revealed that threat actors are actively using large language models to write “glue code” and refine their evasion techniques. Transcripts found on attacker-controlled servers documented numerous AI-driven coding sessions where operators sought assistance in building custom URL-rewriting engines and debugging malicious “phishlets” for the Evilginx framework. This use of AI allows even relatively low-skilled actors to produce sophisticated malware components that previously required deep technical expertise. By automating the generation of scripts that handle session injection and cookie manipulation, attackers can rapidly iterate on their tools, making it much harder for security vendors to develop consistent signatures. The speed at which these tools can be updated using generative AI ensures that the offensive side of the cybersecurity landscape remains highly agile and capable of responding to new defensive measures almost instantly.
Furthermore, some threat actors have begun utilizing uncensored or specialized AI APIs designed specifically to generate malicious content without the safety filters found in mainstream consumer models. These tools allow for the creation of highly convincing, personalized phishing lures that are tailored to the specific corporate culture and language of a target organization. Instead of generic templates, attackers can now generate unique lures for every employee, significantly increasing the likelihood that a user will fall victim to the trap. AI is also being used to automate the monitoring of stolen session tokens, checking for account activity and identifying high-value targets within the logs without human intervention. This shift toward AI-enhanced phishing represents a fundamental change in the threat landscape, where the volume and sophistication of attacks are no longer limited by the human resources of the criminal organization. The ability to use AI as a force multiplier means that a single motivated actor can now manage a global campaign that would have previously required a large team of developers and analysts.
Strategic Resilience: Moving Toward Phishing-Resistant Architectures
The evolving threat of Adversary-in-the-Middle attacks required a fundamental shift in how organizations approached identity and access management. Security leaders recognized that traditional multi-factor authentication was no longer a sufficient barrier against modern session hijacking techniques. To counter the proxy-based methods used by actors like “codemado,” many enterprises began the transition toward truly phishing-resistant MFA solutions, such as FIDO2 security keys and Windows Hello for Business. These technologies implemented a cryptographic binding between the authentication process and the specific domain of the service provider, which prevented an intermediary proxy from successfully intercepting and reusing the credentials. By ensuring that the authentication could only succeed if the user was on the actual, verified website, organizations effectively neutralized the core mechanism of the AiTM proxy. This architectural change was complemented by the deployment of Continuous Access Evaluation, which allowed security teams to monitor the health and context of a session in real time, revoking access immediately if a stolen token was detected being used from an unrecognized network or device. To address the specific risks posed by the abuse of legitimate device workflows, organizations implemented granular Conditional Access policies that restricted the use of high-risk authentication paths. Security teams moved to block the OAuth device code flow for the general workforce, limiting its availability only to specific, managed hardware like Teams meeting room devices or specialized IoT systems. This reduction in the attack surface ensured that users could no longer be tricked into authorizing malicious sessions through legitimate Microsoft portals. Additionally, the adoption of strict “trusted location” requirements ensured that even if an attacker managed to steal a session token, it could not be used from an unauthorized IP address or a non-compliant device. The security industry also placed a greater emphasis on monitoring sign-in logs for specific client IDs and unusual authentication patterns, allowing for the proactive identification of ongoing phishing campaigns. These combined efforts represented a holistic approach to defense that moved beyond simple password protection and focused on the continuous verification of every aspect of the user’s digital identity. Through the integration of phishing-resistant hardware and adaptive policy enforcement, the community developed a resilient framework capable of withstanding the sophisticated tactics of modern session-based threats.
