Adversary in the Middle Attacks steal authenticated sessions
AiTM phishing proxies sit between users and real login pages, capturing session tokens after MFA completes. The attack happens entirely in the browser.
AiTM is the dominant phishing technique in the wild today. Instead of sending victims to a fake login page, attackers use a reverse proxy to relay the login to the real site in real time.
These attacks are typically delivered through Phishing-as-a-Service kits and no longer rely on email alone. Lures appear in LinkedIn messages, paid search results, and compromised websites. In 2025, one in three payloads Push detected originated outside the inbox.
AiTM kits are designed to avoid detection. Many only activate when triggered by the attacker, so sandbox analysis often has nothing to inspect. Domains rotate constantly, and each campaign uses fresh infrastructure that hasn’t been seen before. In 2025, 95% of in-browser attacks detected by Push used bot protection services to actively block web scanning tools.
Even when the attack succeeds, most systems still don’t see it. The session token is issued inside the browser during a legitimate login flow. EDR sees a process. The network sees traffic. Neither sees what's happening inside the page.

Push operates inside the browser, where AiTM attacks actually play out. It detects and blocks malicious pages in real time, regardless of how they are delivered. Whether the lure comes through email, messaging platforms, or search results, the detection point remains the same.
Push also tracks the integrity of authenticated sessions. Every session created in a protected browser is tagged. If that session is reused from a different browser or environment, Push detects the mismatch and alerts immediately. This is the exact behavior AiTM attacks depend on, surfaced at the moment it occurs.
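The session-integrity idea described above, as an added example that is not Push's implementation: each session is bound to a browser tag at issuance, and any later use that carries a different or missing tag is flagged. The event schema, field names (`browser_tag`, `session_id`, `type`) and sample records are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events (hypothetical schema, documentation-range IPs).
EVENTS = [
    {"ts": "2025-03-01T09:00:00", "type": "issued", "session_id": "s-100",
     "user": "alice", "browser_tag": "tag-A", "ip": "198.51.100.10"},
    # Same browser on a new network: the IP changes, the tag does not.
    {"ts": "2025-03-01T09:05:00", "type": "used", "session_id": "s-100",
     "user": "alice", "browser_tag": "tag-A", "ip": "198.51.100.77"},
    # Same session presented from an environment that lacks the tag.
    {"ts": "2025-03-01T09:06:00", "type": "used", "session_id": "s-100",
     "user": "alice", "browser_tag": None, "ip": "203.0.113.5"},
    {"ts": "2025-03-01T10:00:00", "type": "issued", "session_id": "s-200",
     "user": "bob", "browser_tag": "tag-B", "ip": "198.51.100.20"},
    {"ts": "2025-03-01T10:01:00", "type": "used", "session_id": "s-200",
     "user": "bob", "browser_tag": "tag-B", "ip": "198.51.100.20"},
    # Session used with no issuance on record (log gap or foreign token).
    {"ts": "2025-03-01T08:00:00", "type": "used", "session_id": "s-300",
     "user": "carol", "browser_tag": "tag-C", "ip": "192.0.2.44"},
]


def find_session_reuse(events):
    """Return alerts for sessions used outside the browser they were issued in."""
    bound = {}   # session_id -> browser tag recorded at issuance
    alerts = []
    # Logs can arrive out of order, so process strictly by timestamp.
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        sid, tag = ev["session_id"], ev.get("browser_tag")
        if ev["type"] == "issued":
            bound.setdefault(sid, tag)   # the first issuance defines the binding
            continue
        if sid not in bound:
            reason = "no_issuance_seen"  # cannot verify origin: triage separately
        elif tag != bound[sid]:
            reason = "tag_mismatch"      # reuse from a different browser/environment
        else:
            continue                     # tag matches; an IP change alone is not flagged
        alerts.append({"session_id": sid, "user": ev["user"],
                       "ip": ev["ip"], "ts": ev["ts"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(EVENTS):
        print(alert)
```

Keying on the tag rather than the source IP keeps roaming users from generating alerts while still catching a token presented from another environment.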
