GACS will never ask for your seed phrase, private keys, or payment. Always free.
GACS — Global Anti-Crime & Safety Logo
Security Explainer · 2026

MFA interception attacks, explained

Attackers no longer bother stealing passwords — they steal the whole authenticated session. Adversary-in-the-middle (AiTM) kits like Evilginx and EvilProxy run a reverse-proxy phishing page that relays your password and your MFA prompt to the real site in real time, then capture the session cookie the moment login succeeds. The end-to-end attack typically completes in under a minute, the victim sees a normal login experience, and the account is hijacked without the password ever changing. Here's how it works and the phishing-resistant defenses that actually stop it.

Seven defenses that actually stop MFA interception

  1. 1

    Switch to phishing-resistant MFA (passkeys or hardware keys)

    WebAuthn / FIDO2 passkeys and hardware security keys (YubiKey, Google Titan, Feitian) cryptographically bind the login to the real site's origin. A reverse-proxy phishing page like Evilginx or Modlishka lives on a different origin, so the key refuses to sign — the attack fails at step one. Turn on passkeys for email, banking, exchanges, password manager, and admin consoles first.

  2. 2

    Never log in from an email or text link

    AiTM kits only work if you land on their proxy. Type the URL yourself or use a bookmark / password-manager autofill. Password managers won't autofill on the wrong origin — when autofill silently fails, that's your warning the domain is fake.

  3. 3

    Inspect the address bar before you type a password

    Look for the exact root domain (microsoft.com, irs.gov, your bank). Watch for swapped letters (rnicrosoft, paypa1), extra subdomains (login-microsoft.security-check.com), and lookalike TLDs (.gov.co instead of .gov). If anything is off, close the tab and navigate manually.

  4. 4

    Replace SMS and TOTP codes where it matters

    SMS codes can be intercepted via SIM swap. TOTP codes (Google Authenticator, Authy) and push approvals can be relayed by AiTM in real time. Keep them as a fallback, but use passkeys or a hardware key as the primary factor on any account that holds money, identity, or admin power.

  5. 5

    Lock down sessions with Conditional Access and device binding

    In Microsoft 365 / Entra ID and Google Workspace, require compliant or managed devices, block legacy auth, and require reauthentication for risky sign-ins. Token-binding and device-bound session credentials make a stolen cookie useless on the attacker's browser.

  6. 6

    Monitor sessions and revoke aggressively

    Review 'Recent activity' / 'Sessions' weekly on email, banking, and cloud admin accounts. Sign out unknown sessions, rotate the password, and re-enroll MFA. Enterprises: enable continuous access evaluation (CAE) so token revocation takes effect in minutes, not hours.

  7. 7

    If you think a session was stolen, act in this order

    1) From a different device, sign out all sessions on the affected account. 2) Reset the password. 3) Remove any MFA methods you didn't add. 4) Check forwarding rules, OAuth app grants, and recovery email/phone — attackers persist there. 5) For work accounts, tell IT immediately so they can revoke tokens centrally. 6) Report the phishing site to GACS so the next victim is warned.

FAQ

How does an MFA interception attack actually work, step by step?

1) Phishing lure — an email, text, or search ad sends you to a fake login page that is really a reverse proxy (Evilginx, Modlishka, EvilProxy). 2) You enter your username and password on what looks like the real site (Microsoft, Google, IRS, your bank). The proxy instantly forwards them to the real site. 3) MFA challenge — the real site sends a push, SMS, or TOTP prompt to your phone. Because the proxy is relaying everything, the prompt looks normal and you approve it. 4) Session token theft — once MFA passes, the real site issues an authenticated session cookie. The proxy captures that cookie before it fully lands in your browser. 5) Account hijack — the attacker pastes the stolen cookie into their own browser and is now logged in as you, without ever needing your password again. The entire chain often completes in under a minute.

Why doesn't push or TOTP MFA stop this?

Push approvals and TOTP codes prove you can complete a challenge — they do not prove which site you completed it on. Because the AiTM proxy is sitting in the middle of a live session with the real service, anything you approve goes to the real service. Only origin-bound factors (passkeys / WebAuthn / hardware security keys) refuse to sign for the wrong domain.

Are passkeys really immune to AiTM phishing?

Yes, by design. A passkey signs a challenge that includes the relying party's origin. If the page is hosted on a phishing domain, the origin doesn't match the registered credential, and the browser/authenticator refuses to produce a valid signature. The attacker gets nothing usable. Edge cases exist (cross-device flows, downgrade to a weaker factor), so keep passkeys as the only enabled factor where possible.

What does an AiTM phishing site look like in practice?

Pixel-perfect copies of Microsoft 365, Google, Okta, exchange logins, and government portals (passport renewal, tax accounts, benefits). The domain is usually a fresh registration (under 30 days), uses a free SSL certificate, and may sit on a typosquat (rnicrosoft.com), a homoglyph (microsоft.com with Cyrillic 'о'), or a long deceptive subdomain (login.microsoft.security-verify.com). Run the URL through the GACS website checker before you type anything.

I approved the MFA prompt on a fake site. What do I do right now?

Assume the session is stolen. From a different device: sign out all sessions, reset the password, remove any unknown MFA methods, check email forwarding rules and OAuth app grants, and rotate recovery email and phone. For work accounts, tell IT — they can revoke tokens centrally so a stolen cookie stops working. Then report the phishing site at /report so other people don't fall for the same kit.

Is this what's behind the fake government and passport-renewal scams?

Often, yes. The same AiTM kits are repurposed for government impersonation: a Google ad for 'passport renewal' or 'tax refund status' points to a proxy of the real .gov portal. You log in, complete identity verification (sometimes including ID upload and MFA), and the attacker walks away with your session plus your identity documents. The defense is the same: navigate directly to the official .gov site, and use passkeys where the agency supports them.

Report a scam in 30 seconds.

Add it to the public scam database — protect the next person.

Report a scam

See every channel: How to report a scam — full hub →

Cite this page / Press kit

Journalists, researchers and educators are welcome to cite this page. Use the permalink below or copy a ready-made citation.

Permalinkhttps://gacs.app/mfa-interception-attacks
APA

GACS. (2026). MFA Interception Attacks Explained (AiTM, 2026). GACS — Global Anti-Crime & Safety. Retrieved June 25, 2026, from https://gacs.app/mfa-interception-attacks

MLA

"MFA Interception Attacks Explained (AiTM, 2026)." GACS — Global Anti-Crime & Safety, GACS, 2026, https://gacs.app/mfa-interception-attacks. Accessed June 25, 2026.

Chicago

GACS. "MFA Interception Attacks Explained (AiTM, 2026)." GACS — Global Anti-Crime & Safety. Accessed June 25, 2026. https://gacs.app/mfa-interception-attacks.

BibTeX
@misc{gacs_mfa_interception_attacks,
  author = {GACS},
  title = {MFA Interception Attacks Explained (AiTM, 2026)},
  howpublished = {GACS — Global Anti-Crime & Safety},
  year = {2026},
  note = {Accessed: June 25, 2026},
  url = {https://gacs.app/mfa-interception-attacks}
}

Press / media enquiries: About GACS · Editorial policy · Methodology