Adversary in the Middle (AitM): Post-Exploitation

ID: e3871f80-7bdb-50ed-a898-f51712ce7b8e

STIX ID: report--e3871f80-7bdb-50ed-a898-f51712ce7b8e

Feed Name: Black Hills Infosec Blog

Threat Score: 75/100

Date Published: 2024-11-04

Date Updated: 2026-04-27

Author: BHIS

**Executive summary:** This transcript captures a BHIS webcast detailing post‑exploitation tactics used after adversary‑in‑the‑middle SSO phishing: creating email rules to suppress security alerts, enrolling attacker‑controlled MFA methods (TOTP preferred by the attacker), abusing web‑based VDI and Microsoft cloud PCs for internal network access, keeping stolen sessions alive through periodic tab reloading, enumerating and harvesting data with Microsoft Graph tooling (GraphRunner, ROADrecon, AzureHound), and using the device‑code authentication flow (TokenTactics) to obtain tokens. The presenters discuss operational‑security tradeoffs and successes from real engagements, and recommend defensive controls: require MFA reauthentication before enrolling a new authentication method, prefer FIDO2/U2F tokens over TOTP, disable or monitor device‑code flows, shorten session lifetimes, and restrict browser‑based remote access.