Microsoft observed a 146% increase in AiTM phishing attacks during 2024, with the trend accelerating in 2025. Cisco Talos found that half of their 2024 incident responses involved MFA bypass attacks. Proofpoint reported that in 2025, 99% of organizations experienced account takeover attempts, 67% experienced a successful takeover, and 59% of taken-over accounts had MFA enabled. The Evilginx open-source framework has been adopted by both cybercriminal operators like Storm-0485 and nation-state actors like Russia's Star Blizzard. Phishing-as-a-Service platforms sell AiTM capabilities starting at $120 for 10 days, making sophisticated MFA bypass available to attackers with no technical expertise. T1557 now has four sub-techniques: LLMNR/NBT-NS Poisoning and SMB Relay, ARP Cache Poisoning, DHCP Spoofing, and Evil Twin Wi-Fi attacks.
T1557 sits at the intersection of two tactics: Credential Access (TA0006) and Collection (TA0009). The technique covers any method by which adversaries position themselves between communicating parties to intercept, capture, or manipulate data in transit. This ranges from classic network-layer attacks (ARP poisoning, LLMNR poisoning, DHCP spoofing) to application-layer attacks (reverse proxy phishing that intercepts authenticated sessions) to physical-layer attacks (rogue Wi-Fi access points). What unifies them is the adversary's position: they sit between two endpoints that both believe they are communicating directly with each other.
The technique spans Linux, Windows, macOS, and Network Devices. In practice, the two dominant threat vectors in enterprise environments are LLMNR/NBT-NS poisoning within Active Directory networks (T1557.001) and AiTM reverse-proxy phishing against cloud identity providers (which is covered under the parent technique T1557 and related techniques like Steal Web Session Cookie). The four sub-techniques cover the primary network-layer and physical-layer methods.
The Four Sub-Techniques
T1557.001 — LLMNR/NBT-NS Poisoning and SMB Relay
When a Windows system cannot resolve a hostname through DNS, it falls back to Link-Local Multicast Name Resolution (LLMNR, UDP 5355) and NetBIOS Name Service (NBT-NS, UDP 137), broadcasting the query to all devices on the local network segment. Neither protocol requires authentication. An adversary running a tool like Responder listens for these broadcasts and responds with their own IP address, claiming to be the requested host. The victim's system then attempts to authenticate to the adversary-controlled system, sending NTLMv2 hashes in the process.
The adversary can then either crack the captured NTLMv2 hashes offline using tools like Hashcat or John the Ripper, or relay the hashes in real time to another system where the victim has privileges (an SMB relay attack). In a relay scenario, the adversary uses tools like Impacket's ntlmrelayx to forward the authentication request to a different target server, gaining access with the victim's credentials without ever needing to crack the password. The relay can target SMB, LDAP, MSSQL, HTTP, and other NTLM-capable protocols. If the victim has administrative privileges on the relay target, the adversary achieves code execution. This attack requires SMB signing to be disabled or not enforced on the target — a common misconfiguration in many enterprise environments.
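As an added illustration of the detection side (not code from the original page or from any of the tools it names), the following Python parses LLMNR/NBT-NS datagrams taken from a capture and flags hosts that answer other clients' lookups without being an authorized resolver. The allow-list, addresses and the sample capture are constructed for the example.

```python
import ipaddress
import struct
from collections import defaultdict

LLMNR_PORT, NBTNS_PORT = 5355, 137
# Constructed allow-list (assumption): the only hosts permitted to answer name lookups.
AUTHORIZED_RESOLVERS = {"10.0.0.1", "10.0.0.2"}


def encode_name(name):
    """DNS label encoding (length-prefixed labels, zero terminator), shared by LLMNR and NBT-NS."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_llmnr_message(tid, name, answer_ip=None):
    """Constructed sample datagram: a query (QR=0) or, with answer_ip, a response with one A record."""
    header = struct.pack("!HHHHHH", tid, 0x8000 if answer_ip else 0, 1, 1 if answer_ip else 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    if not answer_ip:
        return header + question
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4)    # A, IN, TTL=30, RDLENGTH=4
    return header + question + answer + ipaddress.IPv4Address(answer_ip).packed


def parse_name(payload, offset):
    """Decode a label sequence; follows one compression pointer. Returns (name, next_offset)."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0 == 0xC0:                                      # pointer to an earlier name
            labels.append(parse_name(payload, ((length & 0x3F) << 8) | payload[offset])[0])
            return ".".join(labels), offset + 1
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_llmnr(payload):
    """Return {id, is_response, name, answers} for an LLMNR/NBT-NS datagram, or None if malformed."""
    if len(payload) < 12:
        return None
    tid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    offset, name, answers = 12, "", []
    try:
        for _ in range(qdcount):
            name, offset = parse_name(payload, offset)
            offset += 4                                                # skip QTYPE and QCLASS
        for _ in range(ancount):
            _, offset = parse_name(payload, offset)
            rtype, _, _, rdlen = struct.unpack("!HHIH", payload[offset:offset + 10])
            rdata = payload[offset + 10:offset + 10 + rdlen]
            offset += 10 + rdlen
            if rtype == 1 and rdlen == 4:                              # A record (LLMNR)
                answers.append(str(ipaddress.IPv4Address(rdata)))
            elif rtype == 0x20 and rdlen >= 6:                         # NB record (NBT-NS): flags + IPv4
                answers.append(str(ipaddress.IPv4Address(rdata[2:6])))
    except (IndexError, struct.error):
        return None
    return {"id": tid, "is_response": bool(flags & 0x8000), "name": name, "answers": answers}


def find_rogue_responders(datagrams, authorized=AUTHORIZED_RESOLVERS, min_targets=3):
    """datagrams: (src_ip, src_port, dst_ip, dst_port, payload) tuples, e.g. from a SPAN-port capture.
    Returns {responder_ip: {"targets", "names", "answers"}} for hosts that answered lookups from at
    least min_targets distinct clients without being an authorized resolver."""
    seen = defaultdict(lambda: {"targets": set(), "names": set(), "answers": set()})
    for src_ip, src_port, dst_ip, _, payload in datagrams:
        if src_port not in (LLMNR_PORT, NBTNS_PORT) or src_ip in authorized:
            continue                                                   # replies leave from the well-known port
        msg = parse_llmnr(payload)
        if msg is None or not msg["is_response"]:
            continue                                                   # queries (QR=0) are normal client traffic
        seen[src_ip]["targets"].add(dst_ip)
        seen[src_ip]["names"].add(msg["name"])
        seen[src_ip]["answers"].update(msg["answers"])
    return {ip: rec for ip, rec in seen.items() if len(rec["targets"]) >= min_targets}


# Constructed capture: one client multicast query, one reply from the authorized resolver, and a
# host answering four different clients' lookups for a mistyped share name with its own address.
SAMPLE_DATAGRAMS = [
    ("10.0.1.20", 51234, "224.0.0.252", LLMNR_PORT, build_llmnr_message(0x1001, "fileserver01")),
    ("10.0.0.1", LLMNR_PORT, "10.0.1.20", 51234, build_llmnr_message(0x1001, "fileserver01", "10.0.0.50")),
] + [
    ("10.0.1.99", LLMNR_PORT, f"10.0.1.{n}", 50000 + n, build_llmnr_message(0x2000 + n, "filesrver01", "10.0.1.99"))
    for n in (21, 22, 23, 24)
]
```

The multicast query is ignored because it leaves from an ephemeral port with QR=0; the distinct-client threshold keeps a single stray reply from paging anyone.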
T1557.002 — ARP Cache Poisoning
The Address Resolution Protocol (ARP) translates IP addresses to MAC addresses on local network segments, and it does so without authentication. An adversary can send gratuitous ARP replies that associate their MAC address with another host's IP address, poisoning the ARP cache of other devices on the network. Once the ARP cache is poisoned, traffic intended for the legitimate host is instead sent to the adversary, who can inspect, modify, or relay it. ARP cache poisoning has been used by threat actors including Operation Cleaver (Iranian state-sponsored activity) and LuminousMoth (China-linked espionage). The technique is primarily useful for intercepting unencrypted traffic on local network segments, though it can also be combined with SSL stripping or certificate spoofing to intercept encrypted communications.
T1557.003 — DHCP Spoofing
Adversaries set up a rogue DHCP server on the victim's network to provide malicious network configurations to clients. When a client requests an IP address via DHCP, the rogue server responds before the legitimate DHCP server, providing the client with adversary-controlled DNS servers, default gateways, or other network settings. With adversary-controlled DNS, all name resolution can be redirected to attacker infrastructure, enabling credential interception, traffic monitoring, and redirection to malicious sites. The Ttint IoT RAT and the Tidserv trojan have both used DHCP manipulation to redirect victim traffic. Adversaries can also use DHCP spoofing for denial-of-service by exhausting the DHCP address pool through a flood of DISCOVER messages.
T1557.004 — Evil Twin
Adversaries deploy rogue Wi-Fi access points that mimic legitimate networks, deceiving users into connecting to adversary-controlled infrastructure. The Evil Twin access point uses the same SSID as a trusted network — or responds to probe requests from devices searching for previously connected networks from their Preferred Network List (PNL). Once connected, the adversary can monitor all network traffic, redirect users to fake login pages or captive portals to harvest credentials, and manipulate data in transit. Wi-Fi Pineapple devices automate Evil Twin attacks, and locations with high-density public Wi-Fi (airports, coffee shops, conference centers) are particularly attractive targets. An Australian man was charged in July 2024 for conducting Evil Twin attacks on domestic flights, creating fake airline Wi-Fi networks to harvest passengers' credentials. This sub-technique was added to MITRE ATT&CK in September 2024.
AiTM Phishing: The MFA Bypass Revolution
While the four sub-techniques cover network-layer and physical-layer AiTM attacks, the most consequential evolution of T1557 in 2024-2025 has been the explosion of application-layer AiTM phishing. These attacks use reverse proxy servers positioned between the victim's browser and a legitimate authentication service (typically Microsoft 365, Google Workspace, or Okta) to intercept not just credentials but the authenticated session cookies that are issued after MFA is completed. This makes MFA protections irrelevant — the adversary captures the proof of successful authentication and replays it to gain access.
How AiTM reverse-proxy phishing works. The adversary deploys a reverse proxy server (using a framework like Evilginx, EvilProxy, or Tycoon 2FA) on a domain that visually resembles the target service. The victim receives a phishing email with a link to this proxy domain. When they click, the proxy serves the legitimate login page — it is not a static clone but actual content from the real service, relayed through the proxy. The victim enters their username, password, and MFA token (push notification, TOTP code, or phone verification). The proxy relays all of this to the legitimate service in real time. The legitimate service authenticates the user and returns a session cookie. The proxy captures this session cookie and forwards it to the adversary, who can now use it to access the victim's account as an authenticated user, completely bypassing MFA.
The PhaaS ecosystem. AiTM phishing has been industrialized through Phishing-as-a-Service platforms that sell subscription access to ready-made AiTM infrastructure. Sekoia's analysis identified eleven major AiTM phishing kits active between January and April 2025. Tycoon 2FA was the most widespread, followed by Storm-1167, NakedPages, Sneaky 2FA, EvilProxy, and Evilginx. These platforms provide pre-built phishing page templates, administration panels for tracking campaigns, anti-detection features (CAPTCHAs, bot blocking, IP filtering, JavaScript obfuscation), and integration with hosting services — all for subscription fees starting at $100-$1,000 per month. Europol coordinated the takedown of Tycoon 2FA in March 2026, but the broader PhaaS ecosystem remains active.
Nation-state adoption. AiTM phishing has crossed from purely criminal activity into nation-state operations. Microsoft documented Star Blizzard (Russian FSB-linked) using Evilginx in highly personalized spear-phishing campaigns targeting government, NGO, and academic targets. Storm-0485, a prolific phishing operator, has used Evilginx with payment remittance, shared document, and fake LinkedIn verification lures. Chinese and Russian espionage groups have adopted AiTM techniques for intelligence-gathering operations, leveraging the same PhaaS infrastructure that cybercriminals use for financial fraud.
Why AiTM Matters
MFA is no longer sufficient alone. Organizations have spent years deploying MFA as a primary defense against credential theft. AiTM phishing fundamentally undermines this investment by stealing the authenticated session rather than the credential. Proofpoint reported that 59% of successfully compromised accounts in 2025 had MFA enabled. Obsidian Security found that 84% of compromised accounts they observed had MFA in place. The lesson is not that MFA is useless — it still blocks the vast majority of credential-stuffing and password-spray attacks — but that MFA alone is insufficient against targeted AiTM campaigns.
Scale and accessibility. PhaaS platforms have eliminated the technical barriers to AiTM attacks. An adversary who cannot write code can rent AiTM infrastructure, select a phishing template, and begin harvesting authenticated sessions within hours. Barracuda detected over one million PhaaS attacks in January and February 2025 alone. Tycoon 2FA was linked to more than 30 million phishing emails in a single month by mid-2025. The PhaaS model provides customer support, regular updates, and community forums — mirroring legitimate SaaS business models.
LLMNR poisoning remains endemic in enterprise networks. Despite being a well-known attack vector for over a decade, LLMNR and NBT-NS poisoning remain among the most commonly successful techniques in penetration tests. Many organizations have not disabled these legacy name resolution protocols, and SMB signing is frequently not enforced. The attack requires only local network access (achievable through physical access, compromised VPN credentials, or an initial foothold on any domain-joined system) and yields domain credentials that can be cracked offline or relayed for immediate code execution.
Post-compromise escalation is rapid. Once an adversary captures an authenticated session through AiTM phishing, they typically register additional MFA devices on the compromised account (to maintain persistence), search the victim's email for sensitive data, launch business email compromise (BEC) attacks from the compromised account, and pivot laterally through connected SaaS environments. The entire chain from initial phishing email to BEC fraud can complete in minutes, with near-zero dwell time.
Real-World Case Studies
Tycoon 2FA / Europol Takedown — The Largest AiTM PhaaS Operation (2023-2026)
Tycoon 2FA emerged in August 2023 as a PhaaS platform selling AiTM capabilities via Telegram and Signal for as little as $120 for 10 days. The platform's primary developer was allegedly based in Pakistan. By mid-2025, Tycoon 2FA accounted for approximately 62% of all phishing attempts blocked by Microsoft, including more than 30 million emails in a single month. The service was linked to an estimated 96,000 distinct phishing victims worldwide, including over 55,000 Microsoft customers. Victim concentration was highest in the United States (179,264 identified victims), followed by the UK (16,901), Canada (15,272), India (7,832), and France (6,823). The overwhelming majority of targeted accounts were enterprise-managed, confirming that Tycoon 2FA was primarily directed at business environments. The platform evolved continuously, adding advanced anti-detection features including Cloudflare Turnstile CAPTCHAs, JavaScript obfuscation, bot fingerprinting, and WebSocket-based data exfiltration. Europol's European Cybercrime Centre coordinated the takedown in March 2026, with intelligence shared by Trend Micro, Microsoft, and The Shadowserver Foundation.
Star Blizzard / Evilginx — Russian FSB Espionage via AiTM Phishing
Star Blizzard, linked to Russia's FSB, shifted from primarily using weaponized document attachments to spear-phishing with malicious links leading to AiTM pages powered by the Evilginx framework. The group sends highly personalized emails impersonating known political and diplomatic figures to targets in government, NGO, and academic sectors. When a target clicks the link and authenticates through the Evilginx reverse proxy, the group captures both credentials and session cookies, gaining persistent access to the victim's accounts even with MFA enforced. The UK National Cyber Security Centre (NCSC) publicly attributed Evilginx usage to Star Blizzard. Microsoft documented the group's evolution toward AiTM techniques as part of a broader trend of nation-state actors adopting PhaaS-level tooling for intelligence operations.
Evilginx Campaign Against 18 US Universities (April-November 2025)
Researchers documented an Evilginx 3.0 campaign targeting at least 18 US higher education institutions from April through November 2025. Attackers sent personalized emails with TinyURL-shortened links that redirected to realistic single sign-on phishing pages mimicking university login portals. When users authenticated, Evilginx intercepted the login process, stealing both credentials and the session cookie issued after MFA completion. The University of San Diego was the first recorded victim on April 12, 2025. Other heavily targeted institutions included UC Santa Cruz, UC Santa Barbara, Virginia Commonwealth University, and the University of Michigan. The attackers used default Evilginx URL paths (8 random alphanumeric characters), cycled links every 24 hours, and used Cloudflare to mask server locations. Infoblox identified nearly 70 domains associated with the campaign through DNS pattern analysis.
LLMNR Poisoning / Responder — Persistent Active Directory Threat
LLMNR/NBT-NS poisoning with Responder remains one of the most commonly exploited techniques in Active Directory environments. The attack exploits Windows' fallback name resolution behavior: when DNS fails, systems broadcast queries via LLMNR and NBT-NS, and any device on the local network can respond. Responder automates the entire process — listening for broadcast queries, responding with the attacker's IP, capturing NTLMv2 hashes, and optionally integrating with ntlmrelayx for relay attacks. In penetration tests, LLMNR poisoning frequently succeeds because organizations have not disabled these legacy protocols, SMB signing is not enforced, and users regularly mistype share paths (triggering fallback name resolution). A single successful LLMNR poisoning event can yield domain administrator credentials if the mistyping user has elevated privileges. The CVE-2025-24071/CVE-2025-24054 vulnerabilities in Windows Explorer demonstrated that NTLM hash leaks continue to emerge through new vectors, with extracted .library-ms files capable of silently sending NTLM hashes to attacker-controlled servers.
ArcaneDoor — Cisco Firewall AiTM (2024)
Cisco Talos documented the ArcaneDoor campaign in April 2024, where a state-sponsored threat actor exploited zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) to position themselves as an adversary-in-the-middle on network perimeter devices. By compromising the firewall itself, the adversary could intercept and manipulate traffic passing through the device, capture credentials, and maintain persistent access to the victim's network. This campaign demonstrates that AiTM attacks are not limited to phishing — adversaries who compromise network infrastructure devices achieve an inherent AiTM position that enables comprehensive traffic interception.
Detection Strategies
AiTM attacks require different detection approaches depending on whether they target the network layer (LLMNR poisoning, ARP spoofing, DHCP spoofing) or the application layer (AiTM phishing). Network-layer AiTM can be detected through protocol monitoring and anomaly detection. Application-layer AiTM phishing requires identity-layer detection focused on authentication anomalies.
Key Monitoring Points
| Data Source | What to Monitor | Detection Logic |
|---|---|---|
| Network Traffic (UDP) | LLMNR/NBT-NS responses | Monitor for LLMNR (UDP 5355) and NBT-NS (UDP 137) response traffic from systems that are not configured DNS servers. Flag any device responding to name resolution broadcasts that is not a domain controller or authorized DNS server |
| Network Traffic (ARP) | ARP anomalies | Alert on duplicate IP-to-MAC mappings, gratuitous ARP replies from non-gateway devices, and rapid ARP table changes. Dynamic ARP Inspection (DAI) can validate ARP packets against DHCP snooping bindings |
| Network Traffic (DHCP) | Rogue DHCP servers | Enable DHCP snooping on switches to restrict DHCP server responses to trusted ports. Alert on DHCP OFFER messages from IP addresses that are not authorized DHCP servers |
| Microsoft Entra ID Logs | AiTM phishing indicators | Monitor for authentication anomalies: sign-ins from newly registered domains, User-Agent inconsistencies between the authentication request and subsequent session activity, impossible travel patterns, and new MFA device registrations within minutes of a sign-in |
| Wi-Fi Monitoring | Rogue access points | Deploy wireless intrusion detection systems (WIDS) to detect access points broadcasting SSIDs that match your corporate network from unauthorized locations or MAC addresses. Alert on duplicate SSIDs with different BSSIDs |
| Windows Event Logs | NTLM relay indicators | Monitor Event IDs 4697 and 7045 (new service installations following relay attacks), 4624 Type 3 logons from unexpected source IPs, and authentication attempts to SMB/LDAP from systems that should not be authenticating |
| TLS Metadata | Evilginx fingerprints | Default Evilginx deployments use Let's Encrypt certificates with Organization "Evilginx Signature Trust Co." and generate URLs with 8 mixed-case letter paths. Monitor for these signatures, though sophisticated operators customize them |
Splunk Detection Queries
Query 1: LLMNR/NBT-NS Poisoning Activity
Detects non-DNS systems responding to name resolution queries, indicating potential Responder-style poisoning. Replies leave the responder from the well-known port (UDP source port 5355 for LLMNR, 137 for NBT-NS), so the search keys on the source port and drops multicast and broadcast destinations, which are ordinary client queries. Replace the two /32 exclusions with your authorized DNS servers.

```
index=network (sourcetype=firewall OR sourcetype=ids)
    (src_port=5355 OR src_port=137)
| where NOT cidrmatch("10.0.0.1/32", src_ip) AND NOT cidrmatch("10.0.0.2/32", src_ip)
| where NOT cidrmatch("224.0.0.0/4", dest_ip) AND dest_ip!="255.255.255.255"
| stats count dc(dest_ip) as targets values(dest_ip) as target_ips by src_ip
| where count > 5 AND targets > 3
| table src_ip count targets target_ips
| sort -count
```
Query 2: Suspicious MFA Device Registration After Sign-In
Detects a common AiTM post-compromise pattern: adversaries adding new MFA methods to maintain access after session hijacking. Both searches must run over the same time range; `max=0` on the join keeps every risky sign-in for a user instead of only the first match.

```
index=azure sourcetype="azure:aad:audit"
    operationName="User registered security info"
| join type=inner max=0 userPrincipalName
    [ search index=azure sourcetype="azure:aad:signin"
        riskLevel IN ("high", "medium")
      | eval signin_time=_time
      | fields userPrincipalName signin_time ipAddress ]
| eval time_diff=_time - signin_time
| where time_diff > 0 AND time_diff < 3600
| table _time userPrincipalName ipAddress operationName time_diff
```
Query 3: NTLM Relay Indicators — Service Installation After Network Logon
Detects service installations that occur shortly after Type 3 (network) logons from unusual sources, a pattern consistent with NTLM relay attacks. Replace the placeholder 10.0.0.0/8 with the subnets from which administrative network logons are expected (for example a management or jump-host range); if it is set to the whole corporate address space, a relay run from an internal foothold will be excluded.

```
index=windows EventCode=7045
| join type=inner max=0 host
    [ search index=windows EventCode=4624 Logon_Type=3
      | where NOT cidrmatch("10.0.0.0/8", Source_Network_Address)
      | eval logon_time=_time
      | fields host Source_Network_Address logon_time Account_Name ]
| eval time_diff=_time - logon_time
| where time_diff > 0 AND time_diff < 300
| table _time host Account_Name Source_Network_Address Service_Name Service_File_Name time_diff
```
Query 4: Rogue DHCP Server Detection
Identifies DHCP OFFER messages originating from IP addresses that are not authorized DHCP servers. `min`/`max` over `_time` give the true first and last sighting regardless of result order.

```
index=network (sourcetype=dhcp OR sourcetype=firewall)
    (message_type="DHCPOFFER" OR message_type="OFFER")
| search NOT src_ip IN ("10.0.0.10", "10.0.0.11")
| stats count min(_time) as first_seen max(_time) as last_seen values(dest_ip) as offered_to by src_ip
| convert ctime(first_seen) ctime(last_seen)
| table src_ip count first_seen last_seen offered_to
| sort -count
```
Known Threat Actors and Tools
AiTM Phishing Platforms
| Platform / Tool | Type | Details |
|---|---|---|
| Tycoon 2FA | PhaaS (takedown March 2026) | 62% of all phishing blocked by Microsoft at peak; 96,000 victims; synchronous relay method with CAPTCHAs, WebSocket exfiltration, and extensive anti-detection |
| EvilProxy | PhaaS (active) | 8% of PhaaS attacks early 2025; reverse proxy method; targets Microsoft 365, Google, and other cloud platforms; 220-280 active servers |
| Sneaky 2FA | PhaaS (active) | 3% of PhaaS attacks early 2025; Telegram-based bot; targets Microsoft 365; checks visitor IP against datacenter/bot/VPN lists |
| Evilginx | Open-source framework | Used by Storm-0485, Star Blizzard (Russia/FSB), and in the 18-university campaign (2025); phishlet-based modular design; supports wildcard TLS, JS obfuscation, bot blocking |
| NakedPages | PhaaS (active) | Reverse proxy method; 220-280 active servers; decentralized affiliate infrastructure with 150-250 estimated customers |
| Mamba 2FA / Saiga 2FA | PhaaS (emerging) | Emerged late 2024; synchronous relay method; rapidly adopted by threat actors in 2025 |
Network-Layer Tools
| Tool | T1557 Usage |
|---|---|
| Responder | LLMNR/NBT-NS/MDNS poisoner with built-in rogue SMB/HTTP/MSSQL/FTP/LDAP servers; captures NTLMv1/v2 hashes; the standard tool for T1557.001 |
| Inveigh | PowerShell-based LLMNR/NBT-NS poisoner for Windows environments; alternative to Responder where Python-based tools are restricted |
| Impacket (ntlmrelayx) | NTLM relay framework that relays captured hashes to SMB, LDAP, MSSQL, HTTP, and ADCS targets; enables code execution and privilege escalation |
| Bettercap | Network attack framework with ARP spoofing, DNS spoofing, DHCP spoofing, and SSL stripping modules |
| Wi-Fi Pineapple | Hardware device for Evil Twin attacks; automates rogue AP deployment with PNL probing and captive portal credential harvesting |
| NPPSPY | Custom password filter DLL that captures cleartext passwords during authentication by hooking the Network Provider interface |
Threat Actor Usage
| Actor | Attribution | T1557 Usage |
|---|---|---|
| Star Blizzard | Russia (FSB) | Evilginx-powered AiTM spear-phishing against government, NGO, academic targets with highly personalized impersonation lures |
| Storm-0485 | Cybercriminal | Prolific Evilginx operator using payment remittance, shared document, and fake LinkedIn verification lures |
| Operation Cleaver | Iran | ARP cache poisoning for credential interception in targeted environments |
| LuminousMoth | China | ARP poisoning with PlugX deployment for lateral movement and data exfiltration |
| Sea Turtle | Turkey-linked | DNS hijacking enabling AiTM credential interception for government and telecom targets |
| ArcaneDoor (UAT4356) | State-sponsored | Zero-day exploitation of Cisco ASA firewalls to achieve AiTM position on network perimeter devices (2024) |
Defensive Recommendations
1. Deploy phishing-resistant MFA (FIDO2/WebAuthn/Passkeys)
FIDO2 and WebAuthn use asymmetric public key cryptography bound to specific domains. The private key never leaves the user's device, and the authentication process only works on the legitimate domain — making it cryptographically impossible for AiTM phishing proxies to replay authentication. This is the single most effective defense against AiTM phishing attacks. Organizations should prioritize migration from TOTP, push notification, and SMS-based MFA to FIDO2 security keys or platform passkeys for all high-value accounts. Note that researchers have demonstrated QR-code-based attacks that can potentially circumvent even FIDO passkey protections, so defense-in-depth remains essential.
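To make the domain-binding argument concrete, here is an added example (not part of the original page) that walks the reverse-proxy flow described under "How AiTM reverse-proxy phishing works" through a toy WebAuthn relying party. Assumptions: the RP ID, origins and challenge are constructed, and an HMAC keyed with a device secret stands in for the authenticator's ECDSA signature so the example runs on the standard library alone; the bytes it covers are the ones WebAuthn signs.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                               # assumed relying-party ID
EXPECTED_ORIGIN = "https://" + RP_ID
PROXY_ORIGIN = "https://login.example-com-secure.net"     # constructed AiTM proxy domain
# Stand-in for the credential's private key (assumption): a real authenticator signs with
# ECDSA/EdDSA and the RP verifies with the registered public key. HMAC keeps this runnable
# with the standard library; the signed bytes are the same as in WebAuthn.
DEVICE_KEY = secrets.token_bytes(32)


def browser_build_client_data(origin, challenge):
    """The browser fills in the origin it is really connected to; page JavaScript cannot override it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def authenticator_sign(rp_id, client_data_json, key=DEVICE_KEY):
    """Toy authenticator: authenticatorData = SHA-256(rpId) | flags | signCount, and the signature
    covers authenticatorData || SHA-256(clientDataJSON), so rpId and origin are both under it."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data_json).digest(), hashlib.sha256).digest()
    return auth_data, sig


def browser_get_assertion(page_origin, rp_id, challenge):
    """navigator.credentials.get(): the browser only proceeds if rpId is the page's host or a parent of it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None
    client_data = browser_build_client_data(page_origin, challenge)
    auth_data, sig = authenticator_sign(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(challenge, client_data_json, auth_data, sig, key=DEVICE_KEY):
    """Relying-party checks from the WebAuthn assertion procedure; returns the list of failed checks."""
    failures = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failures.append("type mismatch")
    if cd.get("challenge") != challenge:
        failures.append("challenge mismatch")
    if cd.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin mismatch")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash mismatch")
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data_json).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        failures.append("signature invalid")
    return failures


def run_scenarios():
    """The login flow once from the real site, then three ways a reverse proxy could try to relay it."""
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"             # constructed; real RPs send fresh random bytes
    results = {}
    results["legitimate"] = rp_verify(challenge, *browser_get_assertion(EXPECTED_ORIGIN, RP_ID, challenge))
    # The proxy relays the real login page, real rpId included, to the victim on the proxy domain.
    relayed = browser_get_assertion(PROXY_ORIGIN, RP_ID, challenge)
    results["proxy_relays_real_rpid"] = "browser refused" if relayed is None else "assertion produced"
    # The proxy rewrites rpId to its own host so the browser cooperates, then forwards the result.
    forwarded = browser_get_assertion(PROXY_ORIGIN, "login.example-com-secure.net", challenge)
    results["proxy_rewrites_rpid"] = rp_verify(challenge, *forwarded)
    # The proxy additionally patches the origin field to the real one before forwarding.
    client_data, auth_data, sig = forwarded
    patched = json.dumps({**json.loads(client_data), "origin": EXPECTED_ORIGIN}).encode()
    results["proxy_patches_origin"] = rp_verify(challenge, patched, auth_data, sig)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26s} -> {outcome or 'accepted'}")
```

Every field the proxy would have to fix is either set by the browser from the real connection or covered by the signature, which is why capturing the exchange yields nothing replayable; contrast this with a TOTP code or push approval, which the proxy simply forwards.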
2. Disable LLMNR and NBT-NS
Disable LLMNR via Group Policy: Computer Configuration > Administrative Templates > Network > DNS Client > "Turn OFF Multicast Name Resolution." Disable NBT-NS on each network adapter's TCP/IP properties or via DHCP option 001. These legacy protocols serve no purpose in environments with properly configured DNS, and disabling them eliminates the T1557.001 attack surface entirely. Test thoroughly before deployment, as some legacy applications may depend on these protocols.
3. Enforce SMB signing
SMB signing digitally signs data transferred over SMB, preventing NTLM relay attacks that exploit unsigned SMB sessions. Enable via Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > "Microsoft network server: Digitally sign communications (always)." Apply to both client and server components. While SMB signing can introduce a small performance impact, it is essential for preventing the relay component of T1557.001 attacks.
4. Implement risk-based Conditional Access policies
Microsoft Entra ID Protection (and equivalent features in other identity providers) offers risk-based Conditional Access policies that evaluate sign-in requests using additional signals: IP reputation, device compliance status, geographic location, and real-time risk scoring. These policies can require step-up authentication, block high-risk sign-ins, or require compliant devices for access. Since AiTM phishing often originates from data centers, VPNs, or geographically anomalous locations, risk-based policies provide a critical detection layer even when the session cookie itself is valid.
5. Enable DHCP snooping and Dynamic ARP Inspection
DHCP snooping restricts DHCP server responses to trusted switch ports, preventing rogue DHCP servers from providing malicious network configurations. Dynamic ARP Inspection (DAI) validates ARP packets against DHCP snooping bindings, preventing ARP cache poisoning. Both features should be enabled on managed switches in all enterprise network segments. Together they eliminate the T1557.002 and T1557.003 attack surfaces at the switch level.
6. Deploy wireless intrusion detection and 802.1X
Wireless IDS/IPS systems detect rogue access points broadcasting SSIDs that match your corporate network. 802.1X port-based network access control ensures that only authenticated devices can connect to the network, preventing unauthorized Wi-Fi access points from establishing connectivity. For environments with high Evil Twin risk (conferences, public-facing offices), consider deploying enterprise wireless with WPA3 and client isolation.
7. Monitor for post-AiTM persistence indicators
When AiTM phishing succeeds, adversaries typically register new MFA methods on the compromised account within minutes to maintain access. Monitor authentication logs for new MFA device registrations, OAuth application consent grants, and inbox rule creation that follow sign-ins from unfamiliar locations or devices. Automated response policies that require re-authentication or trigger alerts on these actions provide a critical backstop when initial phishing prevention fails.
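The correlation this recommendation describes, as an added example rather than code from the page: it reads constructed Entra-style JSON events and flags MFA registrations, consent grants and inbox-rule creation that follow a user's sign-in within an hour when that sign-in was risky or when the later activity arrives from a different IP address or user agent. Apart from "User registered security info", which the page quotes, the field and operation names are assumptions to be mapped onto your log source.

```python
import json
from datetime import datetime, timedelta

# "User registered security info" is the Entra audit operationName quoted on this page; the other
# two are assumed names for consent-grant and inbox-rule events and must be mapped to your source.
SENSITIVE_OPERATIONS = {"User registered security info", "Consent to application", "New-InboxRule"}
RISKY_LEVELS = {"medium", "high"}
WINDOW = timedelta(hours=1)


def parse_ts(value):
    """ISO-8601 with a trailing Z, as the logs carry it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_events(lines):
    """One JSON event per line; returns the events sorted by time."""
    events = [json.loads(line) for line in lines if line.strip()]
    for ev in events:
        ev["ts"] = parse_ts(ev["time"])
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=WINDOW):
    """Flag a sensitive operation that follows the same user's latest sign-in within `window` when
    that sign-in was risky, or when the operation's IP or user agent differs from the sign-in that
    issued the session (a stolen cookie replayed from the adversary's own browser)."""
    last_signin, alerts = {}, []
    for ev in events:
        user = ev["user"]
        if ev["category"] == "signin":
            last_signin[user] = ev
            continue
        signin = last_signin.get(user)
        if ev["operation"] not in SENSITIVE_OPERATIONS or signin is None:
            continue
        if ev["ts"] - signin["ts"] > window:
            continue
        reasons = []
        if signin.get("riskLevel", "none") in RISKY_LEVELS:
            reasons.append(f"risky sign-in ({signin['riskLevel']})")
        if ev.get("ip") != signin.get("ip"):
            reasons.append(f"ip changed {signin.get('ip')} -> {ev.get('ip')}")
        if ev.get("userAgent") != signin.get("userAgent"):
            reasons.append("user agent changed")
        if reasons:
            alerts.append({
                "user": user,
                "operation": ev["operation"],
                "minutes_after_signin": int((ev["ts"] - signin["ts"]).total_seconds() // 60),
                "reasons": reasons,
            })
    return alerts


# Constructed sample (simplified Entra-style fields): alice's session is reused from another address
# and browser, bob's sign-in was already risky, carol is benign, dave's registration is outside the window.
SAMPLE_LOG = """
{"time": "2025-06-03T09:00:00Z", "category": "signin", "user": "alice@example.com", "ip": "203.0.113.7", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/125", "riskLevel": "none"}
{"time": "2025-06-03T09:12:30Z", "category": "audit", "user": "alice@example.com", "operation": "User registered security info", "ip": "198.51.100.23", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/126"}
{"time": "2025-06-03T10:00:00Z", "category": "signin", "user": "bob@example.com", "ip": "198.51.100.40", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/125", "riskLevel": "high"}
{"time": "2025-06-03T10:31:00Z", "category": "audit", "user": "bob@example.com", "operation": "Consent to application", "ip": "198.51.100.40", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/125"}
{"time": "2025-06-03T08:00:00Z", "category": "signin", "user": "carol@example.com", "ip": "203.0.113.9", "userAgent": "Mozilla/5.0 (Macintosh) Safari/17", "riskLevel": "none"}
{"time": "2025-06-03T08:20:00Z", "category": "audit", "user": "carol@example.com", "operation": "User registered security info", "ip": "203.0.113.9", "userAgent": "Mozilla/5.0 (Macintosh) Safari/17"}
{"time": "2025-06-03T06:00:00Z", "category": "signin", "user": "dave@example.com", "ip": "203.0.113.11", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/125", "riskLevel": "high"}
{"time": "2025-06-03T09:30:00Z", "category": "audit", "user": "dave@example.com", "operation": "User registered security info", "ip": "203.0.113.11", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/125"}
"""


def run(lines=None):
    """Run the correlation over the embedded sample (or over caller-supplied log lines)."""
    return correlate(load_events(SAMPLE_LOG.splitlines() if lines is None else lines))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Dave's risky sign-in is not matched to his later registration because it falls outside the one-hour window; widen the window or add a baseline of the user's usual addresses if that gap is realistic for your tenant.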
8. Audit for NTLM relay vulnerabilities
Regularly audit Active Directory environments for NTLM relay exposure: systems with SMB signing disabled, Active Directory Certificate Services (ADCS) endpoints vulnerable to ESC8 or ESC11 relay attacks, and services accepting NTLM authentication that should require Kerberos. Consider deploying Extended Protection for Authentication (EPA) on all web services and LDAP channel binding to prevent cross-protocol NTLM relay attacks.
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1557 |
| Technique Name | Adversary-in-the-Middle |
| Tactics | Credential Access (TA0006), Collection (TA0009) |
| Platforms | Windows, Linux, macOS, Network Devices |
| Sub-Techniques | T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay, T1557.002 ARP Cache Poisoning, T1557.003 DHCP Spoofing, T1557.004 Evil Twin |
| Data Sources | Application Log, Network Traffic (Flow, Content), Service (Creation), Windows Registry (Key Modification) |
| Mitigations | Disable or Remove Feature (M1042), Encrypt Sensitive Information (M1041), Filter Network Traffic (M1037), Limit Access to Resource Over Network (M1035), Network Intrusion Prevention (M1031), Network Segmentation (M1030) |
| Version | 2.5 (last modified October 2025) |
| MITRE Reference | attack.mitre.org/techniques/T1557 |
Sources and References
- MITRE ATT&CK — T1557 Adversary-in-the-Middle: attack.mitre.org
- Sekoia.io — Global Analysis of Adversary-in-the-Middle Phishing Threats (2025): blog.sekoia.io
- Microsoft — Defending Against Evolving Identity Attack Techniques (May 2025): microsoft.com
- Barracuda — Threat Spotlight: A Million Phishing-as-a-Service Attacks in Two Months (March 2025): blog.barracuda.com
- Cisco Talos — State-of-the-Art Phishing: MFA Bypass (May 2025): blog.talosintelligence.com
- Europol / Shadowserver — Tycoon 2FA Phishing-as-a-Service Disruption (March 2026): shadowserver.org
- The Hacker News — Europol-Led Operation Takes Down Tycoon 2FA (March 2026): thehackernews.com
- Deepwatch — Catching the Phish: Detecting Evilginx and AiTM: deepwatch.com
- Infoblox / SC Media — Phishing Attack Targets 18 US Universities (December 2025): scworld.com
- Cisco Talos — ArcaneDoor: Campaign Targeting Perimeter Network Devices (April 2024): blog.talosintelligence.com