Intercepting MFA. Phishing and Adversary in The Middle attacks
ID: 5938f1cf-7b77-5c15-82b3-6b13c4724a98
STIX ID: report--5938f1cf-7b77-5c15-82b3-6b13c4724a98
Feed Name: Pen Test Partners Blog
This report examines Adversary-in-the-Middle (AiTM) phishing used to bypass Microsoft 365 MFA by proxying legitimate sign-ins, capturing session tokens, and pivoting into business email compromise (BEC) activity, with the artifacts this leaves in M365 logs (e.g., proxy IPs, atypical user agents, session reuse). It highlights common toolkits such as Evilginx and outlines mitigations including stronger Conditional Access configurations, Microsoft Defender anti-phishing presets, Safe Links/Attachments, URL filtering, password managers, geographic restrictions, and adoption of FIDO2/WebAuthn, whose origin binding provides verifier impersonation resistance against proxied sign-in pages.