Skip to content
resources · cybersecurity

MFA Alone Is No Longer Enough. Here's What April's AiTM Campaign Changed.

Adam Gleason

Adam Gleason

May 10, 2026 ·3 min read

In mid-April 2026, Microsoft's threat intelligence team disclosed an Adversary-in-the-Middle (AiTM) phishing campaign that hit roughly 35,000 users across 13,000 organisations in 26 countries between April 14 and 16. The vast majority of targets — about 92% — were in the United States. The attackers weren't trying to steal passwords. They were stealing the authenticated session tokens that browsers use to stay logged in after MFA. Those tokens were then replayed against Microsoft 365 to access mailboxes, files, and Teams — with the legitimate MFA prompt already satisfied. Microsoft tied the infrastructure to overlapping phishing-as-a-service kits including Tycoon 2FA, Kratos (formerly Sneaky 2FA), and EvilTokens.

What it means for SMBs

For years, the security advice for small businesses has been straightforward: turn on MFA everywhere and you'll stop the vast majority of credential-theft attacks. That advice was correct, and it's still mostly correct — most attacks targeting SMBs still get blocked by basic MFA. But the April campaign confirms what defenders have been warning about for over a year: AiTM kits have industrialised. EvilTokens reportedly sells for around $1,500 with a $500 maintenance fee. Tycoon 2FA is similarly priced. That puts MFA-bypass capability inside the budget of any motivated mid-tier attacker, not just nation-states.

The mechanics are worth understanding briefly. In an AiTM attack, the victim clicks a phishing link and lands on a fake Microsoft login page. That page is a real-time proxy — every keystroke, including the MFA code, is forwarded to the real Microsoft sign-in. Microsoft sees a legitimate login from the proxy, returns a valid session token, and the attacker grabs the token before it ever reaches the victim. The victim ends up on a normal-looking Office page. They have no idea anything happened.

The defensive implication is uncomfortable: if your only authentication factor is "password plus an SMS code or authenticator app push," you are exposed. The attack works against TOTP codes, push approvals, and SMS one-time passwords equally — because none of those factors prevent the proxy from relaying them.

What to do about it

Three changes worth making this quarter:

  • Move high-risk accounts to phishing-resistant MFA. Hardware security keys (YubiKey, Feitian) and passkeys are the only widely available MFA factors that AiTM kits can't replay. Microsoft is rolling out passkey support across Entra ID in late May 2026 — get on the roadmap. Executives, admins, and anyone with access to financial systems should be first.
  • Turn on conditional access policies that detect token replay. Microsoft 365 Business Premium and above support sign-in risk policies that flag impossible-travel logins, unfamiliar device fingerprints, and anomalous session behaviour. Many tenants have the licence but not the policy.
  • Train the team on the new failure mode. Old phishing training said "look for the green padlock and check the URL." AiTM pages have real padlocks and almost-correct URLs. The new training is "if you're being asked to log in to Microsoft from an email link, close the tab and go to office.com directly."

Where we come in

Auditing whether your MFA actually withstands AiTM, deploying conditional access policies, and rolling out hardware keys or passkeys without breaking the user experience — that's the kind of work an SMB rarely has time to do well in-house. Get in touch if you'd like a security assessment that goes past the checkbox. We do this through our cybersecurity practice.