
A new global threat assessment from Sekoia.io’s Threat Detection & Research (TDR) team reveals an escalation in Adversary-in-the-Middle (AitM) phishing campaigns, driven by the industrial-scale growth of Phishing-as-a-Service (PhaaS) kits targeting Microsoft 365 and Google accounts.
In their “Global analysis of Adversary-in-the-Middle phishing threats” report, Sekoia warns that these kits are now “readily available within the cybercrime ecosystem, offered at low cost and requiring minimal technical expertise,” ushering in a new era of highly scalable Business Email Compromise (BEC) operations.
AitM phishing attacks use reverse proxies or synchronous relays to steal session cookies in real time, bypassing multi-factor authentication (MFA). “With that cookie,” the report explains, “an attacker can replay the session and access the victim’s account without needing to perform any further authentication.”
This makes AitM phishing not just a tool for credential harvesting, but a direct vector for high-value fraud, espionage, and ransomware attacks.

Sekoia’s researchers observed a booming underground market of PhaaS offerings — kits that allow even low-skilled cybercriminals to deploy convincing phishing portals with built-in anti-bot protection, automated redirection, and Telegram integration for data exfiltration.
Prominent PhaaS platforms include Tycoon 2FA, Storm-1167, NakedPages, EvilProxy, and newer contenders like Sneaky 2FA and Mamba 2FA. According to Sekoia’s telemetry data, Tycoon 2FA leads the pack in 2025, with weekly updates and hundreds of affiliated domains. Its infrastructure even mimics CAPTCHA services to thwart detection, serving fake Cloudflare Turnstile, hCaptcha and reCAPTCHA pages.
The delivery methods of these attacks have also evolved. “Since 2024, we have seen a rise in the use of HTML attachments… and in early 2025, a significant surge in the use of malicious SVG attachments,” the report details. These files often contain JavaScript or xlink:href redirection to AitM phishing portals, easily bypassing traditional email defenses.
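As an added illustration of the SVG delivery technique described above (example code written for this article, not part of Sekoia’s report or tooling), the scanner below flags the primitives an SVG attachment needs to redirect a recipient: embedded scripts, event-handler attributes, and off-document `href`/`xlink:href` targets. The sample attachments and the `login.example.invalid` hostname are constructed.

```python
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# href values that leave the document; a fragment like "#dot" is legitimate SVG reuse
EXTERNAL_SCHEMES = ("http://", "https://", "//", "javascript:", "data:")
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed"}


def _local(name: str) -> str:
    """Strip a namespace prefix: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_bytes: bytes) -> list[str]:
    """Return human-readable findings for one SVG attachment; [] means clean.

    For untrusted mail flow in production, parse with defusedxml instead of
    the stdlib to also neutralise entity-expansion tricks.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG ({exc})"]
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element present")
        for attr, value in elem.attrib.items():
            short = _local(attr)
            if short.lower().startswith("on"):            # onload, onclick, onbegin ...
                findings.append(f"event handler {short} on <{tag}>")
            elif attr in ("href", XLINK_HREF) and value.strip().lower().startswith(EXTERNAL_SCHEMES):
                findings.append(f"external {short} on <{tag}>: {value.strip()[:60]}")
    return findings


# Constructed samples, not taken from any real campaign.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
  onload="window.location='https://login.example.invalid/'">
  <a xlink:href="https://login.example.invalid/office"><text>Open document</text></a>
  <script>window.top.location = "https://login.example.invalid/";</script>
</svg>"""
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><circle id="dot" r="1"/></defs><use xlink:href="#dot" x="5" y="5"/>
</svg>"""

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, scan_svg(blob) or "no findings")
```

The benign file reuses a local `#dot` symbol and produces no findings; the malicious one is flagged three times (the `onload` handler, the external link, and the `<script>` element).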
AitM campaigns typically begin with social engineering lures around HR policies, tax deadlines, or payroll changes. Spoofed emails impersonating Microsoft or Google prompt users to click links or download attachments, often with urgent or confidential language to bypass skepticism.
Once inside, attackers don’t stop at cookie theft. They often establish persistence by adding secondary MFA methods, creating email forwarding rules, and conducting internal reconnaissance. The result is not a single breach but a prolonged, invisible compromise.
“Successful financial fraud demands a comprehensive understanding of the victim’s role… Adversaries may spend days or weeks on reconnaissance,” notes the report.
To combat these threats, Sekoia has developed a rich set of detection rules focusing on anomalies in Microsoft Entra ID logs, domain name patterns, and behavioral signals. Their telemetry relies on two pillars: adversary infrastructure tracking and anomaly-based pattern recognition.
Yet, the researchers caution that even these efforts face biases. “Despite this inherent bias,” the team writes, “the ranking remains informative and helps prioritise detection and monitoring efforts on the most significant threats.”