threat level: human

MFA Under Siege: How Vishing and AiTM Defeat Modern Authentication

2026-06-21 | blog


Multi-factor authentication was supposed to close the door that passwords left open. For years, the guidance was simple and largely correct: a stolen password alone should not be enough to log in. Add a second factor, a code or an approval prompt, and an attacker who phishes your credentials still hits a wall.

That logic still holds in theory. The problem is that attackers stopped trying to break the wall. They started walking a person through the door instead.

Why MFA Was Supposed to Help

The premise behind MFA is sound. Requiring something you know (a password) plus something you have (a phone, a token) raises the cost of account takeover. Most automated credential-stuffing attacks do fail against it. This is why MFA adoption is one of the most effective security controls an organization can deploy, and it remains worth enabling everywhere.

But many common MFA methods (push notifications, one-time codes by SMS or authenticator app) were designed to stop credential reuse. They were not designed to stop a live attacker sitting between you and the real login page in real time. That gap is where the modern attack lives.

How AiTM Relays Credentials and Session Cookies

Adversary-in-the-middle (AiTM) phishing does not present a crude fake login form. It runs a reverse proxy. When the victim visits the phishing link, the attacker's server quietly relays the connection to the genuine service. The victim sees the real login page because, functionally, they are looking at it through the attacker's pipe.

So when the victim types their password, it passes through the proxy to the real site. When the real site issues an MFA challenge, the victim sees it and completes it. The second factor is satisfied legitimately. Here is the part that matters: after a successful login, the service issues a session cookie, the token that keeps you logged in so you do not re-authenticate on every click. The proxy captures that cookie.

With the session cookie in hand, the attacker no longer needs the password or the second factor. They import the cookie and resume the victim's authenticated session directly. The cryptography was never broken. The session was simply relayed and stolen after the fact.
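The server never sees the proxy: the MFA-backed login it recorded was genuine. What it can see is the session cookie later presented from a client that does not match the one that completed MFA. The following detector is an added example, not code from this post or from any product it mentions; the log format, field names and addresses are constructed for the demonstration.

```python
"""Detect a stolen session cookie being replayed after an AiTM login.

The MFA-backed login the server recorded was real. The signal is the same
session cookie later arriving from a client fingerprint (source IP and
User-Agent) that differs from the one present at login, soon after that login.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AccessEvent:
    ts: datetime
    event: str        # "mfa_login" when the session was minted, else "request"
    sid: str          # session cookie identifier (store a hash of it in real logs)
    user: str
    src_ip: str
    user_agent: str
    path: str


def parse_line(line: str) -> AccessEvent:
    """Parse one JSON access-log line (constructed format, see SAMPLE_LOG)."""
    d = json.loads(line)
    return AccessEvent(datetime.fromisoformat(d["ts"]), d["event"], d["sid"],
                       d["user"], d["ip"], d["ua"], d["path"])


def detect_session_replay(events, window=timedelta(hours=2)):
    """Return one alert per session whose cookie is presented from a client
    fingerprint different from the one recorded at MFA login, within
    `window` of that login. Only the first mismatch per session is reported."""
    minted = {}        # sid -> the mfa_login event that created the session
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "mfa_login":
            minted[ev.sid] = ev
            continue
        login = minted.get(ev.sid)
        if login is None or ev.sid in alerted:
            continue   # session minted before the log window, or already reported
        reasons = []
        if ev.src_ip != login.src_ip:
            reasons.append(f"ip {login.src_ip} -> {ev.src_ip}")
        if ev.user_agent != login.user_agent:
            reasons.append(f"ua {login.user_agent!r} -> {ev.user_agent!r}")
        if reasons and ev.ts - login.ts <= window:
            alerted.add(ev.sid)
            alerts.append({
                "user": ev.user, "sid": ev.sid, "path": ev.path,
                "minutes_after_login": int((ev.ts - login.ts).total_seconds() // 60),
                "reasons": reasons,
            })
    return alerts


# Constructed sample events using TEST-NET addresses. alice completes MFA from
# her laptop; 25 minutes later her cookie arrives from a different host and
# browser and starts touching mailbox rules. bob's session stays on one client.
SAMPLE_LOG = """
{"ts":"2026-06-21T09:00:00","event":"mfa_login","sid":"s-a1","user":"alice","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/125.0","path":"/login"}
{"ts":"2026-06-21T09:03:12","event":"request","sid":"s-a1","user":"alice","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/125.0","path":"/mail/inbox"}
{"ts":"2026-06-21T09:25:40","event":"request","sid":"s-a1","user":"alice","ip":"198.51.100.77","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0","path":"/mail/rules"}
{"ts":"2026-06-21T09:26:02","event":"request","sid":"s-a1","user":"alice","ip":"198.51.100.77","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0","path":"/mail/rules/create"}
{"ts":"2026-06-21T09:10:00","event":"mfa_login","sid":"s-b1","user":"bob","ip":"203.0.113.44","ua":"Mozilla/5.0 (Macintosh) Safari/17.4","path":"/login"}
{"ts":"2026-06-21T09:40:00","event":"request","sid":"s-b1","user":"bob","ip":"203.0.113.44","ua":"Mozilla/5.0 (Macintosh) Safari/17.4","path":"/mail/inbox"}
""".strip().splitlines()


def run_sample():
    """Run the detector over the constructed log; returns the alert list."""
    return detect_session_replay([parse_line(line) for line in SAMPLE_LOG])


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

Source IP alone is a noisy signal (mobile roaming, VPN egress changes), so in production weight it with ASN or geolocation and treat a User-Agent change on a live session as the strong indicator. The same comparison can run inline in the session middleware, where a mismatch invalidates the cookie and forces a fresh authentication instead of only raising an alert.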

How Vishing Supplies the Human Pressure

AiTM needs the victim to engage in the first place, and to do so under conditions that suppress suspicion. This is where voice phishing, or vishing, does its work.

A phone call introduces something a phishing email cannot: live social pressure and authority. A caller posing as IT support, a fraud department, or a manager creates urgency. There is a problem with your account. We need to verify it now. The call narrows the victim's attention and supplies a reason to act quickly. It can walk the target to the link, coach them through the prompt, and, in the most direct version, ask them to read a one-time code aloud or approve the push that just appeared.

The technical relay and the human conversation are synchronized. The attacker triggers the real login while the victim is on the phone, so the prompt the victim approves is the attacker's prompt, arriving exactly when the caller said it would.

The Moment of Compromise

The decisive moment is small and quiet. It is not the malware and not the cracked encryption. It is the instant a person, reassured by a confident voice and a familiar-looking page, approves a prompt or reads six digits aloud. Everything before that builds toward that choice. Everything after it is cleanup. The compromise is a human decision made under manufactured pressure.

The Durable Defense

Because the weakness is the choice, the defense has to protect the choice and, better, remove it from the equation.

The immediate behavioral control is independent callback verification. If someone contacts you and asks you to authenticate, approve, or read a code, stop and verify through a channel you choose, not one they provide. Hang up and call the known number for your IT desk or bank. An attacker controls the conversation only as long as it stays on their line.

The structural fix is phishing-resistant MFA. Passkeys and FIDO2 security keys bind authentication to the legitimate site's real domain. The credential simply will not respond to an attacker's proxy, because the proxy is not the real origin. There is no code to read aloud and no prompt to approve out of context. This removes the human decision the attacker depends on. Where you can deploy it, this is the change that ends the attack class rather than slowing it.
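Origin binding is what makes this hold. The browser, not the user, writes the page origin into the signed client data, and the relying party checks it before trusting the signature. The simulation below is an added example, not the post's code or any library's implementation: the relying-party ID, origins and the HMAC stand-in for the authenticator's ECDSA key are assumptions made so it runs on the standard library alone, but the fields checked and their order follow the WebAuthn assertion ceremony.

```python
"""Why a FIDO2/WebAuthn credential does not relay through an AiTM proxy.

The browser assembles clientDataJSON (including the origin it is actually
on); the authenticator signs authenticatorData || SHA-256(clientDataJSON);
the relying party (RP) verifies origin, RP ID hash and challenge before the
signature. A login page served from the proxy's domain yields an assertion
the real site rejects, and the proxy cannot edit the origin without
breaking the signature.
"""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                            # constructed RP ID
EXPECTED_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login-example-support.invalid"  # constructed attacker origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


class SimAuthenticator:
    """Stand-in for a security key or platform authenticator.

    Simplification: real authenticators sign with a per-credential private
    key (typically ECDSA P-256) and the RP holds the public key. Here an
    HMAC key plays both roles so the example needs only the standard
    library. What gets signed has the real structure.
    """

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.key = os.urandom(32)

    def get_assertion(self, challenge: bytes, page_origin: str):
        # clientDataJSON is built by the browser from what it really sees.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
            separators=(",", ":"),
        ).encode()
        # authenticatorData = rpIdHash (32) || flags (1; bit 0 = user present) || signCount (4)
        auth_data = rp_id_hash(self.rp_id) + b"\x01" + (1).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        return client_data, auth_data, hmac.new(self.key, signed, hashlib.sha256).digest()


def verify_assertion(key, challenge, client_data, auth_data, signature,
                     rp_id=RP_ID, expected_origin=EXPECTED_ORIGIN):
    """RP-side checks in the order the ceremony specifies. Returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: browser saw {cd.get('origin')!r}"
    if auth_data[:32] != rp_id_hash(rp_id):
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    expected_sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "signature does not cover the presented clientDataJSON"
    return True, "ok"


def run_scenarios():
    """Direct login, login through the proxy, and a proxy that patches the origin."""
    authn = SimAuthenticator(RP_ID)
    results = {}

    challenge = os.urandom(32)
    results["direct"] = verify_assertion(
        authn.key, challenge, *authn.get_assertion(challenge, EXPECTED_ORIGIN))

    # Victim is on the proxy's domain, so the browser records that origin.
    challenge = os.urandom(32)
    results["proxied"] = verify_assertion(
        authn.key, challenge, *authn.get_assertion(challenge, PROXY_ORIGIN))

    # Proxy rewrites the origin field in transit; the signature no longer matches.
    challenge = os.urandom(32)
    cd, ad, sig = authn.get_assertion(challenge, PROXY_ORIGIN)
    patched = cd.replace(PROXY_ORIGIN.encode(), EXPECTED_ORIGIN.encode())
    results["proxied_and_patched"] = verify_assertion(authn.key, challenge, patched, ad, sig)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:20s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

In practice the failure happens even earlier than the simulation shows: a browser will not hand a credential registered for `login.example.com` to a page on another registrable domain at all, so the proxied assertion is never produced. The RP-side checks are the second line, and they are what make the property hold regardless of client behaviour.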

MFA was never the mistake. Treating every form of it as equally resistant to a live human adversary was.

Stay Ahead of the Human Side of Security

For a calm, weekly intelligence briefing on how attackers exploit people and how to defend against it, subscribe free at threatlevelhuman.substack.com. New subscribers also receive our free "Social Engineering Red Flags" field guide, a short reference for spotting these tactics before the moment of compromise.
