**Threat Level: HIGH | Sector: SMB | Vector: Credential Theft via Adversary-in-the-Middle Phishing**
Good morning. This is your ARIES Security Brief for Thursday, March 12, 2026. Today we are covering one of the most dangerous and underreported threats facing small and mid-size businesses right now: **Adversary-in-the-Middle (AiTM) phishing proxy attacks** — a technique purpose-built to steal authenticated sessions and bypass multi-factor authentication entirely.
### What Is AiTM and Why Should You Care?
Most SMBs enabled MFA and considered themselves protected. Threat actors adapted. AiTM phishing does not crack your password or brute-force your MFA code — it *proxies your entire login session in real time*.
Here is how the attack chain works:
1. **The lure:** Your employee receives a convincing email — a fake Microsoft 365 login alert, a DocuSign request, or an invoice notification. The link looks legitimate. It may even pass URL scanners on first inspection.
2. **The proxy:** The victim clicks the link and lands on an attacker-controlled server that silently relays every request to the real Microsoft login page. The victim sees the real login UI — because it *is* the real login UI, mirrored live.
3. **The harvest:** The victim enters credentials and completes MFA. The attacker’s proxy captures the authenticated session cookie *after* MFA is satisfied. MFA bypassed — not cracked, bypassed.
4. **The pivot:** With a valid session cookie, the attacker logs into M365 as the authenticated user. They read email, exfiltrate data, set forwarding rules, and move laterally — often within minutes.
### Who Is Getting Hit
AiTM toolkits like **Evilginx3**, **Modlishka**, and the commoditized **Tycoon 2FA** phishing-as-a-service platform are available for as little as $120/month. Campaigns targeting M365-heavy SMBs — accounting firms, law offices, IT MSPs — spiked 38% in Q1 2026.
### Tactical Countermeasures — Deploy These Now
– **Enforce phishing-resistant MFA immediately.** FIDO2 hardware keys or Microsoft Authenticator passkey binding are immune to AiTM — authentication is domain-bound and cannot be proxied.
– **Enable Conditional Access with compliant device enforcement.** A stolen cookie replayed from an unknown device gets blocked at the door.
– **Deploy Entra ID token protection.** Token binding ties session tokens to a specific device — stolen cookies become non-replayable.
– **Turn on Sign-In Risk Policies.** Set High Risk = Block. Not MFA prompt — the attacker already passed MFA.
– **Conduct link-hover training.** AiTM domains are never the real domain. Train users: never enter M365 credentials through a link in an email.
### Immediate Action Checklist
– [ ] Audit all M365 users — confirm MFA type. SMS/TOTP-only users are exposed.
– [ ] Enable Conditional Access — block legacy auth (IMAP, POP3, SMTP AUTH).
– [ ] Review inbox rules for unauthorized forwarding set in the last 30 days.
– [ ] Check Entra ID sign-in logs for token replay anomalies.
– [ ] Brief your team: *"Never enter your Microsoft password through a link in an email."*
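The three log-driven items on the checklist (confirm MFA type per user, find recent forwarding rules, look for replayed sessions in sign-in logs) can be scripted against exported data. The block below is an added example written for this brief; it is not PCA Technology's tooling or a Microsoft API. The input records, field names (`methodsRegistered`, `forwardTo`, `sessionId`, and so on) and the sample values are constructed to resemble a simplified subset of a Graph or Exchange Online export and are assumptions, not an exact schema; the method names in `PHISHING_RESISTANT` are the ones a real export would need to be mapped to.

```python
"""Checklist helpers for the AiTM brief: weak MFA, forwarding rules, replayed sessions.

Constructed example. Record shapes and field names are assumptions that mimic a
simplified export; adapt them to the actual columns of your tenant's exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Methods whose authenticator is bound to the login origin, so a proxy domain
# cannot complete them. Names are assumed labels, not a verified enum.
PHISHING_RESISTANT = {"fido2SecurityKey", "passKeyDeviceBound", "windowsHelloForBusiness"}


def weak_mfa_users(registrations):
    """Return UPNs with no phishing-resistant method registered (SMS/TOTP/push only).
    Record: {"upn": str, "methodsRegistered": [str, ...]}"""
    return sorted(r["upn"] for r in registrations
                  if not PHISHING_RESISTANT & set(r["methodsRegistered"]))


def suspicious_forwarding_rules(rules, internal_domain, now, days=30):
    """Flag inbox rules created in the last `days` that forward or redirect mail
    to an address outside `internal_domain`. Also reports whether the rule deletes
    the original, the classic hide-the-evidence pattern after a mailbox takeover.
    Record: {"mailbox", "name", "created", "forwardTo", "redirectTo", "deleteMessage"}"""
    cutoff = now - timedelta(days=days)
    hits = []
    for r in rules:
        if datetime.fromisoformat(r["created"]) < cutoff:
            continue
        targets = r.get("forwardTo", []) + r.get("redirectTo", [])
        external = [t for t in targets if not t.lower().endswith("@" + internal_domain)]
        if external:
            hits.append((r["mailbox"], r["name"], external, r.get("deleteMessage", False)))
    return hits


def replay_candidates(signins, window_minutes=60):
    """Flag pairs of successful sign-ins by the same user inside the window where
    either the same session id shows up from two different IPs (a replayed cookie)
    or the two sign-ins come from different countries (impossible travel).
    Record: {"upn", "time", "ip", "country", "sessionId", "errorCode"}"""
    by_user = defaultdict(list)
    for s in signins:
        if s.get("errorCode", 0) == 0:  # only successful sign-ins matter here
            by_user[s["upn"]].append(dict(s, when=datetime.fromisoformat(s["time"])))
    window = timedelta(minutes=window_minutes)
    hits = []
    for upn, events in by_user.items():
        events.sort(key=lambda e: e["when"])
        for i, a in enumerate(events):
            for b in events[i + 1:]:
                if b["when"] - a["when"] > window:
                    break  # later events are even further apart
                if a["sessionId"] == b["sessionId"] and a["ip"] != b["ip"]:
                    hits.append((upn, "session-reuse", a["ip"], b["ip"]))
                elif a["country"] != b["country"]:
                    hits.append((upn, "geo-jump", a["country"], b["country"]))
    return hits


# Constructed sample exports (TEST-NET addresses, example.com tenant).
NOW = datetime.fromisoformat("2026-03-12T09:00:00+00:00")
REGISTRATIONS = [
    {"upn": "alice@example.com", "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"upn": "bob@example.com", "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
    {"upn": "carol@example.com", "methodsRegistered": ["softwareOneTimePasscode"]},
]
RULES = [
    {"mailbox": "alice@example.com", "name": ".", "created": "2026-03-10T14:02:00+00:00",
     "forwardTo": ["drop@mail-example.net"], "deleteMessage": True},
    {"mailbox": "bob@example.com", "name": "Vendor invoices", "created": "2026-02-20T08:00:00+00:00",
     "forwardTo": ["ap@example.com"]},
    {"mailbox": "carol@example.com", "name": "old", "created": "2025-12-01T08:00:00+00:00",
     "redirectTo": ["me@example.org"]},
]
SIGNINS = [
    {"upn": "alice@example.com", "time": "2026-03-11T08:05:00+00:00", "ip": "203.0.113.10", "country": "US", "sessionId": "s-1", "errorCode": 0},
    {"upn": "alice@example.com", "time": "2026-03-11T08:22:00+00:00", "ip": "198.51.100.7", "country": "NL", "sessionId": "s-1", "errorCode": 0},
    {"upn": "bob@example.com", "time": "2026-03-11T10:00:00+00:00", "ip": "203.0.113.20", "country": "US", "sessionId": "s-2", "errorCode": 0},
    {"upn": "bob@example.com", "time": "2026-03-11T10:30:00+00:00", "ip": "203.0.113.20", "country": "US", "sessionId": "s-2", "errorCode": 0},
    {"upn": "carol@example.com", "time": "2026-03-11T12:00:00+00:00", "ip": "203.0.113.30", "country": "US", "sessionId": "s-3", "errorCode": 0},
    {"upn": "carol@example.com", "time": "2026-03-11T12:40:00+00:00", "ip": "198.51.100.9", "country": "DE", "sessionId": "s-4", "errorCode": 0},
    {"upn": "carol@example.com", "time": "2026-03-11T12:41:00+00:00", "ip": "198.51.100.9", "country": "DE", "sessionId": "s-5", "errorCode": 50126},
]


def run_audit():
    """Run all three checks over the sample data and return the findings."""
    return {
        "weak_mfa": weak_mfa_users(REGISTRATIONS),
        "forwarding": suspicious_forwarding_rules(RULES, "example.com", NOW),
        "replay": replay_candidates(SIGNINS),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(check, findings)
```

The session-reuse check is the one most specific to AiTM: a cookie lifted by the proxy is presented from the attacker's IP while the victim's own browser keeps using the same session, so the same session id appears from two addresses within minutes. The geo-jump check is a coarser fallback for exports that do not carry a session identifier.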
AiTM is the dominant credential-theft vector of 2026. MFA alone is no longer sufficient. Contact PCA Technology to harden your M365 environment today.
*— ARIES | Security Operations | PCA Technology Inc.*
*Brief issued: March 12, 2026*