DefendDomain

How Attackers Hijack Sessions After MFA

MFA secures the login. AiTM (Adversary-in-the-Middle) proxies target what happens after — intercepting the authenticated session token before it reaches your user. No second factor is needed for replay.

The Misconception

“We enforce MFA on everything, so even compromised credentials are useless to an attacker.”

147%: Increase in AiTM session hijacking attacks in 2024 (Microsoft)
60 seconds: Time for a proxy to intercept a valid session token after MFA completes
292 days: Average lifecycle of credential-based breaches (IBM 2024)
Zero: MFA prompts triggered when a stolen session cookie is replayed

Anatomy of the Blind Spot

What MFA Protects Against — and Where It Stops

MFA adds a second factor at the point of login. That's essential for stopping credential reuse. But the authenticated session that follows — represented by a token or cookie — has no MFA protection at all.

What MFA Does Well

  • Blocks credential stuffing and brute-force attacks
  • Prevents replay of stolen username/password pairs
  • Adds a second factor that must be satisfied
  • Significantly raises the bar for basic account takeover

Where MFA Stops

  • Cannot protect the session token issued after successful authentication
  • AiTM proxies intercept cookies post-login — MFA already completed
  • Stolen session tokens are replayed without triggering any MFA prompt
  • Toolkits like Evilginx2 and EvilProxy automate session interception at scale
  • No visibility into whether a session originated through a proxy

MFA is necessary but insufficient. It protects the authentication step while leaving the session layer — the token that represents the authenticated identity — completely unprotected from interception.

[Diagram: an Adversary-in-the-Middle proxy intercepting credentials and session tokens between the user and the legitimate server]

AiTM proxies relay the full login flow transparently — the session token is intercepted after MFA succeeds.

The Attacker's Playbook

How AiTM Proxies Intercept Authenticated Sessions

A reverse proxy sits between the user and the real server, transparently relaying the entire login flow. MFA completes successfully — then the session token is captured.

1. Deploy a Proxy on a Lookalike Domain

The attacker registers a convincing domain and deploys AiTM tooling (e.g., Evilginx2, EvilProxy). This creates a transparent reverse proxy between the victim and your real login page.

2. Direct the Victim to the Proxy

A link via email, SMS, search ad, or social media sends the user to the lookalike domain. The page looks identical to your real login — because it IS your real login, proxied through the attacker's infrastructure.

3. Authentication Completes Normally

The victim enters credentials and completes MFA as usual. Every input is relayed to your real server through the proxy. From the server's perspective, this is a normal, successful login.

4. Session Token Intercepted

After MFA succeeds, your server issues a session cookie. The proxy captures this token before passing it to the victim. The user is now logged in — and so is the attacker.

5. Session Replayed Without MFA

The attacker imports the stolen session cookie into their own browser. Full account access — no credentials, no MFA prompt, no anomaly. The session was legitimately authenticated.

Real-World Impact

What Happens After a Session Is Hijacked

A stolen session cookie grants the same access as the legitimate user. No alerts trigger, no failed logins are logged, and MFA is never challenged again.

$2.77B: BEC losses in 2024 — AiTM is a key enabler of BEC at scale (FBI IC3)
292 days: Average lifecycle of credential-based breaches — the longest of any vector (IBM 2024)
10 days: Median attacker dwell time before detection globally (Mandiant M-Trends 2024)
Zero: MFA prompts triggered during session cookie replay

Silent Account Takeover

The attacker has a valid session — no alerts trigger, no failed login attempts logged, no MFA challenges. Traditional detection mechanisms are blind because the session was legitimately authenticated.
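The replay is silent at the login layer, but not necessarily at the request layer. As an added illustration (not DefendDomain's product code), the following server-side check flags a session cookie that is presented from a different client context than the one it was first seen with, run over a few constructed log lines; the session ids, IPs, User-Agents and timestamps are assumed values.

```javascript
// Added example, not DefendDomain's code: a server-side check for a replayed
// session cookie. A stolen cookie is fully valid, so nothing fails; the usable
// signal is that one session id is presented from two different client contexts.
// Each request is reduced to a fingerprint (client IP + User-Agent) and a session
// whose fingerprint changes is flagged. The log lines below are constructed; in a
// real AiTM flow the login itself arrives from the proxy's IP, and the replay from
// the attacker's own browser differs from it in IP and usually in User-Agent.
const SAMPLE_LOG = [
  '{"ts":"2024-05-01T09:00:05Z","sid":"s-1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124","path":"/login/mfa"}',
  '{"ts":"2024-05-01T09:00:40Z","sid":"s-1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124","path":"/mail"}',
  '{"ts":"2024-05-01T09:01:02Z","sid":"s-1","ip":"198.51.100.7","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/125","path":"/mail"}',
  '{"ts":"2024-05-01T09:02:30Z","sid":"s-1","ip":"198.51.100.7","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/125","path":"/settings"}',
  '{"ts":"2024-05-01T09:03:00Z","sid":"s-2","ip":"192.0.2.44","ua":"Mozilla/5.0 (Macintosh) Safari/17","path":"/mail"}',
  'not a json line',
];

function fingerprint(e) {
  return `${e.ip}|${e.ua}`;
}

// Returns { alerts, skipped }: one alert per session the first time its
// fingerprint changes, plus a count of lines that could not be parsed.
function detectReplay(lines) {
  const firstSeen = new Map(); // sid -> { fp, ts }
  const flagged = new Set();
  const alerts = [];
  let skipped = 0;
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch { skipped++; continue; }
    if (!e.sid || !e.ip || !e.ua || !e.ts) { skipped++; continue; }
    const fp = fingerprint(e);
    const first = firstSeen.get(e.sid);
    if (!first) { firstSeen.set(e.sid, { fp, ts: e.ts }); continue; }
    if (first.fp === fp || flagged.has(e.sid)) continue;
    flagged.add(e.sid);
    alerts.push({
      sid: e.sid,
      firstIp: first.fp.split("|")[0],
      newIp: e.ip,
      secondsAfterFirstSeen: (Date.parse(e.ts) - Date.parse(first.ts)) / 1000,
      path: e.path,
    });
  }
  return { alerts, skipped };
}

// IP alone is noisy (mobile networks, VPNs); IP + User-Agent changing within a
// short window is a stronger signal. A hit should revoke the session and re-challenge.
```

In the constructed log, session s-1 completes MFA from 203.0.113.10 and is then used 57 seconds later from 198.51.100.7 with a different browser, which is the only observable trace a replayed cookie leaves.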

Lateral Movement

Once inside with a valid session, attackers can access connected services, read emails, modify settings, and initiate BEC attacks — all appearing as the legitimate user.

Data Exfiltration

With full session access, sensitive data including emails, documents, and financial records can be exfiltrated before the session expires or the breach is detected.

False Confidence

The presence of MFA creates a false sense of security. IR teams may dismiss the possibility of session hijacking because "MFA was in place," delaying investigation.

The Missing Layer

How DefendDomain Detects AiTM Infrastructure

AiTM attacks depend on external infrastructure — lookalike domains, proxy servers, and rogue SSL certificates. DefendDomain catches this infrastructure during setup, before any session is hijacked.

Layer 1: Domain Monitoring

Detects the lookalike domains that AiTM proxies require. Every AiTM attack needs a convincing URL — DefendDomain catches these registrations and flags domains configured for proxying.

Layer 4: Certificate Monitoring

AiTM proxies need valid SSL certificates to appear legitimate. Layer 4 monitors Certificate Transparency logs in real time, detecting certificates issued for brand-impersonating domains within minutes.

Layer 2: Security Embeds

When your login page is proxied through an AiTM toolkit, embedded markers detect the unauthorised relay instantly — alerting you that your authentication flow is being intercepted.
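An added example of what a login-page marker of this kind can look like (illustrative, not DefendDomain's embed code): the script compares the hostname the browser actually loaded the page from against a digest of the legitimate hostname and sends a report when they differ. The hostnames login.example.com and www.example.com and the /aitm-alert path are placeholders.

```javascript
// Added example, not DefendDomain's embed code. Under an AiTM relay the browser's
// location is the proxy's lookalike host, so a script served inside the login page
// can compare the hostname it is running on against the legitimate one. The
// comparison uses a digest rather than a plaintext string, because reverse-proxy
// phishing kits rewrite the legitimate domain to the lookalike inside relayed
// HTML/JS and would otherwise "fix" the check. All hostnames/paths are placeholders.

// FNV-1a, 32-bit. Not cryptographic: it only keeps the hostname out of the script text.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// In a deployed embed these are precomputed hex constants and the plaintext never
// ships; computed at load here only to keep the demo self-contained.
const EXPECTED_HOST_DIGESTS = ["login.example.com", "www.example.com"].map(fnv1a);

// Relative path: the proxy relays it to the real server like every other request,
// and the payload carries the host the browser actually saw.
const BEACON_PATH = "/aitm-alert";

// Lower-case and drop any port or trailing dot, so "LOGIN.EXAMPLE.COM:443" matches.
function normaliseHost(host) {
  return String(host).toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
}

// Returns a verdict instead of acting, so the decision is testable outside a browser.
function checkOrigin(observedHost, expectedDigests = EXPECTED_HOST_DIGESTS) {
  const host = normaliseHost(observedHost);
  return { host, proxied: !expectedDigests.includes(fnv1a(host)) };
}

// Report a suspected relay. `send` is injected; in the page it is navigator.sendBeacon.
function reportIfProxied(observedHost, send) {
  const verdict = checkOrigin(observedHost);
  if (verdict.proxied) {
    send(BEACON_PATH, JSON.stringify({ event: "aitm_relay_suspected", host: verdict.host, ts: Date.now() }));
  }
  return verdict;
}

// Browser wiring; skipped when the block runs under Node.
if (typeof window !== "undefined" && typeof navigator !== "undefined") {
  reportIfProxied(window.location.hostname, (url, body) => navigator.sendBeacon(url, body));
}
```

A proxy operator can also drop the beacon path, so treat the report as one signal alongside the domain and certificate monitoring described above rather than as the only one.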

MFA vs DefendDomain

They're not competitors — they address fundamentally different layers of the attack chain. Here's how they compare.

Capability                  | MFA                              | DefendDomain
----------------------------|----------------------------------|----------------------------------------
Protects against            | Credential reuse & brute force   | Infrastructure-level threats
AiTM proxy attacks          | Vulnerable (session captured)    | Detected (proxy domain + cert flagged)
Session cookie theft        | No protection after auth         | Prevents by catching proxies pre-auth
Detection timing            | After failed login (if at all)   | During attacker infrastructure setup
Lookalike domain awareness  | None                             | Continuous monitoring
Certificate monitoring      | Not applicable                   | Real-time CT log monitoring
Channel coverage            | Login flow only                  | All external attack surfaces

Bottom line: MFA secures the authentication step. DefendDomain secures the infrastructure layer — catching the proxy domains, rogue certificates, and AiTM toolkits that enable session hijacking before any token is intercepted.


See the Proxy Domains Targeting Your Brand

Request a free assessment and see whether AiTM infrastructure is already targeting your login pages.

  • Discover lookalike domains configured for proxying
  • See certificates issued for impersonating domains
  • Understand your exposure to AiTM session hijacking
  • No obligation — just clarity on your real risk

Speak with our team

We'll walk you through the platform and show you exactly what AiTM infrastructure is targeting your authentication flows.

Request Your Free Assessment

  • Real threats targeting your domain
  • Expert consultation, not a sales pitch
  • No obligation