Microsoft Unveils New Tactics to Thwart AiTM Attacks

Microsoft has published new research outlining advanced defensive strategies to counter the growing threat of Adversary-in-the-Middle (AiTM) attacks, which are becoming increasingly prevalent in cloud-based enterprise environments. These attacks exploit proxy servers to intercept authentication flows, effectively bypassing multifactor authentication (MFA) through phishing-as-a-service platforms such as Evilginx.

High-profile threat groups, including Storm-0485 and Star Blizzard, have adopted AiTM tactics for large-scale credential theft. Storm-0485, in particular, uses obfuscated Google AMP URLs and lures themed around LinkedIn verification and payment notices to deceive users. Meanwhile, Storm-0539 targets retail firms, leveraging internal communications to craft credible phishing emails.

Microsoft warns that these actors exploit stolen session tokens to maintain persistent access and move laterally across networks. Emerging AiTM techniques now incorporate brief, time-sensitive payloads and artificial intelligence to enhance social engineering. These advancements complicate detection efforts and highlight the need for continuous monitoring and layered identity protection, especially in hybrid cloud infrastructures.
