Adversary-in-the-Middle (AiTM)
A modern phishing kit that proxies traffic in real time between victim and the real service — defeating MFA.
AiTM kits (EvilProxy, Caffeine, Modlishka, Evilginx) sit between the victim and the real login page. When the victim enters credentials and the MFA code, the kit forwards them to the real site and steals the session cookie that gets returned.
Because the session cookie is fully valid, the attacker can replay it without needing the password or MFA code again. From the victim's perspective, the login succeeded normally.
Defense: phishing-resistant MFA (FIDO2/WebAuthn/passkeys), conditional access tied to device posture, and short session-cookie lifetimes.
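Why FIDO2/WebAuthn holds up against the proxying described above, as an added example (not code from this page): the browser writes the origin it is actually on into the signed client data, so a relying party that checks it rejects a login performed on a look-alike domain. The origin, RP ID, function names and sample values are constructed assumptions, and signature verification is omitted to keep the focus on the binding checks.

```python
import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://login.example.com"  # assumption: the real site's origin
RP_ID = "login.example.com"                    # assumption: its WebAuthn RP ID


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion_binding(client_data_json, authenticator_data, expected_challenge):
    """Return a list of binding failures; an empty list means the checks pass.

    Signature verification, which a relying party must also perform, is omitted.
    """
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong type")
    if client.get("challenge") != b64url(expected_challenge):
        problems.append("challenge mismatch")
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch: %s" % client.get("origin"))
    # authenticatorData = rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
    if len(authenticator_data) < 37:
        problems.append("authenticator data too short")
    elif authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    return problems


def sample_assertion(origin, rp_id, challenge):
    """Constructed sample: what a browser on `origin` would return for `challenge`."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)
    return client_data, auth_data


if __name__ == "__main__":
    challenge = b"constructed-challenge-0001"
    direct = sample_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    proxied = sample_assertion("https://login-example.test", "login-example.test", challenge)
    print("direct :", check_assertion_binding(*direct, challenge))
    print("proxied:", check_assertion_binding(*proxied, challenge))
```

A one-time code carries no such binding: it is valid wherever it is typed, which is why relaying it through a proxy works.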