• Home
  • /
  • TechForum
  • /
  • Unmasking AiTM: The resurgence of adversary in the middle attacks in cyber security

Unmasking AiTM: The resurgence of adversary in the middle attacks in cyber security

By Divan de Nysschen, Cybersecurity Architect, NEC XON.

Johannesburg, 01 Feb 2024
Divan de Nysschen, Cybersecurity Architect, NEC XON.
Divan de Nysschen, Cybersecurity Architect, NEC XON.

In the dynamic realm of cyber security, threats often disappear temporarily, only to evolve and reappear in more sophisticated forms. One such resurgence is the adversary in the middle (AiTM) attack, a potent phishing tactic that poses a significant risk to the security of SaaS applications. How should organisations prepare themselves to counter this formidable threat?

AiTM evolution

While AiTM is not a novel concept, it has undergone a metamorphosis, transforming the tools employed into a potent weapon in the arsenal of cyber adversaries. Initially witnessed in 2017, AiTM are particularly adept at pilfering session tokens – the danger being in AiTM’s resulting ability to circumvent multi-factor authentication (MFA), rendering trusted security measures inadequate. The AiTM attack intercepts authentication between users and a legitimate authentication service to compromise identities, steal credentials and intercept MFA, capturing the session cookie. This stolen session cookie allows attackers to impersonate the user without further intervention, gaining unauthorised access and potentially leading to business e-mail compromise (BEC) attacks.

Modern cyber adversaries use phishing and spear-phishing campaigns to redirect users to fake login pages. Once users enter legitimate credentials and complete the MFA prompt, the attackers save the credentials and session token. The end-user is then redirected to the legitimate login page, automatically logged in without suspecting anything. Tools like Evilginx and new tactics like "EvilQR" (QR code-based attacks) further complicate detection, as entire e-mails with QR codes are inserted as images, making it challenging for e-mail security solutions to identify the threat.

Bolstering cyber security measures is no longer an option but a necessity

Recognising the gravity of AiTM attacks, NEC XON implements pivotal security measures to protect against potential breaches. In the face of emerging tactics, techniques and procedures (TTPs), NEC XON emphasises the need for a proactive approach from managed security service providers (MSSPs) and cyber security professionals worldwide.

As our customers navigate this new era of cyber threats, the call to action is clear – bolstering cyber security measures is no longer an option but a necessity. The time to reinforce defences and stay ahead of evolving threats is now. The era of AiTM demands a united front from the global cyber security community to ensure a secure digital future. Stay vigilant, stay secure.



NEC XON is a leading African integrator of ICT solutions and part of NEC, a Japanese global company. NEC XON has operated in Africa since 1963 and delivers communications, energy, safety, security, and digital solutions. It co-creates social value through innovation to help overcome serious societal challenges. The organisation operates in 54 African countries and has a footprint in 16 of them. Regional headquarters are located in South, East, and West Africa. NEC XON is a level 1-certified broad-based black economic empowerment (B-BBEE) business. Discover more at

Editorial contacts

Michelle Oelschig
Scarlet Letter
(083) 636 1766