Sekoia.io research reveals Tycoon 2FA leads massive phishing-as-a-service ecosystem targeting Microsoft 365 accounts worldwide

Cyber-criminals are increasingly weaponising adversary-in-the-middle (AitM) phishing techniques to bypass multi-factor authentication (MFA) and compromise corporate cloud accounts at unprecedented scale. New research from Sekoia.io’s Threat Detection & Research team reveals a sophisticated ecosystem of Phishing-as-a-Service (PhaaS) platforms that have democratised advanced cyber-attacks, requiring minimal technical expertise while generating substantial profits.
The comprehensive global analysis, spanning January to April 2025, identifies eleven major AitM phishing kits currently threatening organisations worldwide. These tools primarily target Microsoft 365 and Google accounts, with successful compromises frequently leading to business email compromise (BEC) operations, financial fraud and ransomware attacks.
The AitM phishing threat landscape
Unlike traditional phishing attacks, which simply harvest credentials, AitM techniques intercept authentication sessions in real time. When victims enter their username, password and MFA code on fraudulent login pages, attackers simultaneously relay this information to legitimate authentication services while capturing the returned session cookies. This allows cyber-criminals to replay authenticated sessions without requiring additional verification.
Sekoia.io’s research reveals that the most prominent threats include Tycoon 2FA, Storm-1167, NakedPages, Sneaky 2FA, EvilProxy, and Evilginx. Tycoon 2FA emerged as the most widespread platform, earning a 4.8 out of 5 threat score based on infrastructure monitoring, detection telemetry and threat-hunting activities.
The PhaaS model has transformed cyber-crime by offering subscription-based access to sophisticated phishing capabilities for $100 to $1,000 monthly. These services provide comprehensive attack frameworks including email templates, anti-bot protection, campaign management dashboards and data forwarding to encrypted messaging platforms such as Telegram.
Evolving attack techniques
Threat actors have rapidly adapted their distribution methods throughout 2024 and early 2025. While QR code-embedded documents dominated campaigns in 2023, attackers have increasingly shifted toward HTML attachments that execute JavaScript to render phishing pages directly. Most recently, malicious SVG attachments have emerged as the preferred vector, with Sekoia.io observing a significant surge in their use by April 2025.
These shifts reflect cyber-criminals’ constant efforts to evade email security solutions and improve campaign success rates. The integration of traffic distribution systems (TDS) and sophisticated anti-bot mechanisms further enhances attack effectiveness by ensuring phishing pages are displayed only to likely targets while security scanners and analysis environments are filtered out.
Business impact and monetisation
Once corporate accounts are compromised, attackers typically conduct extensive reconnaissance before executing financial fraud. Common monetisation strategies include internal and external spearphishing using compromised accounts, data exfiltration from email systems and cloud storage, and various fraudulent transactions such as invoice manipulation and unauthorised fund transfers.
To maintain persistent access, cyber-criminals often add their own MFA methods to compromised accounts and establish email forwarding rules that redirect communications to attacker-controlled addresses. This ensures continued access even after victims reset their credentials or session tokens are revoked.
The research highlights how AitM phishing has evolved beyond financially motivated crimes, with nation-state actors including Russian and Chinese espionage groups adopting these techniques for intelligence-gathering operations.
Detection and mitigation challenges
Sekoia.io’s analysis reveals significant challenges in detecting and preventing AitM attacks. The use of legitimate services for redirection, the exploitation of open redirect vulnerabilities and sophisticated traffic filtering make traditional security controls less effective.
The research identifies key detection opportunities through anomalies in Microsoft Entra ID authentication logs, particularly inconsistencies in User-Agent and Application ID values during authentication attempts. However, the rapid evolution of attack techniques and the availability of turnkey PhaaS solutions continue to outpace many organisational security measures.
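As an added illustration of the log-based detection opportunity described above (example code written for this page, not taken from the Sekoia report), the Python below groups sign-in records by user and correlationId and flags any authentication whose steps disagree on User-Agent or Application ID. Field names follow the Entra ID sign-in log schema; the records, app ids and IP addresses are constructed placeholders, and grouping the steps of one authentication by correlationId is an assumption.

```python
from collections import defaultdict

UA_WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"
UA_LINUX_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"

def _event(upn, correlation_id, created, ip, user_agent, app_id):
    """Build one sign-in record using Entra ID sign-in log field names."""
    return {"userPrincipalName": upn, "correlationId": correlation_id,
            "createdDateTime": created, "ipAddress": ip,
            "userAgent": user_agent, "appId": app_id}

# Constructed sample telemetry (not real data); app ids and addresses are placeholders.
SAMPLE_SIGNINS = [
    # alice: credential and MFA steps agree on everything, benign
    _event("alice@example.com", "c-1", "2025-03-10T09:00:00Z", "203.0.113.10", UA_WIN_CHROME, "APP-A"),
    _event("alice@example.com", "c-1", "2025-03-10T09:00:20Z", "203.0.113.10", UA_WIN_CHROME, "APP-A"),
    # bob: the User-Agent changes between steps of a single authentication
    _event("bob@example.com", "c-2", "2025-03-10T09:05:00Z", "198.51.100.7", UA_WIN_CHROME, "APP-A"),
    _event("bob@example.com", "c-2", "2025-03-10T09:05:09Z", "198.51.100.7", UA_LINUX_FIREFOX, "APP-A"),
    # dave: the Application ID changes between steps of a single authentication
    _event("dave@example.com", "c-4", "2025-03-10T09:09:00Z", "198.51.100.31", UA_WIN_CHROME, "APP-A"),
    _event("dave@example.com", "c-4", "2025-03-10T09:09:05Z", "198.51.100.31", UA_WIN_CHROME, "APP-C"),
]

def find_aitm_anomalies(events):
    """Group events by (user, correlationId) and return one finding per group whose
    steps disagree on userAgent or appId. Assumes steps share a correlationId."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["userPrincipalName"], ev["correlationId"])].append(ev)
    findings = []
    for (upn, corr), evs in groups.items():
        if len(evs) < 2:
            continue  # a single step has nothing to be compared against
        reasons = []
        if len({e["userAgent"] for e in evs}) > 1:
            reasons.append("user_agent_mismatch")
        if len({e["appId"] for e in evs}) > 1:
            reasons.append("app_id_mismatch")
        if reasons:
            findings.append({"user": upn, "correlationId": corr, "reasons": reasons,
                             "ips": sorted({e["ipAddress"] for e in evs}),
                             "first_seen": min(e["createdDateTime"] for e in evs)})
    return findings

if __name__ == "__main__":
    for finding in find_aitm_anomalies(SAMPLE_SIGNINS):
        print(finding)
```

In production the same grouping would be run over exported sign-in logs rather than the embedded sample, and legitimate multi-app sessions should be baselined before alerting on appId changes.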
The cyber-crime ecosystem supporting AitM phishing has become increasingly professional, with operators providing comprehensive customer support, regular software updates and community forums where affiliates can collaborate and share techniques.
Implications for organisations
The Sekoia.io findings underscore the critical need for organisations to enhance their cyber-security postures beyond traditional MFA implementations. The research demonstrates that conventional authentication protections are insufficient against modern AitM techniques, requiring more sophisticated detection capabilities and employee awareness training.
Security teams must prioritise monitoring authentication anomalies, implementing advanced email security solutions capable of detecting malicious attachments and establishing incident response procedures specifically designed for session token compromise scenarios.
The global scale of AitM phishing operations, with hundreds of active affiliates operating across multiple continents, represents a persistent and evolving threat to organisations of all sizes. The low barrier to entry created by PhaaS platforms ensures continued growth in attack volume and sophistication.
For comprehensive technical details, detection signatures and investigative resources on the eleven most prevalent AitM phishing kits, access the complete research report and technical artifacts here.
Original research: Quentin Bourgue, Grégoire Clermont, Sekoia TDR Team

© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543