The Rise of Adversary-in-the-Middle Attacks and How to Stay Protected

“Man-in-the-middle” attacks aren’t new. What’s changed is how consistently attackers can now bypass MFA by stealing session tokens in real time. This technique is often referred to as Adversary-in-the-Middle (AiTM) session hijacking via token theft.

Instead of trying to crack passwords, attackers trick a user into signing in through a phishing site that sits between the user and the real login page. The user signs in and completes MFA normally. The attacker captures the session token that proves the user is authenticated, then uses it to access Microsoft 365, email, files, and other SSO-connected apps without triggering MFA again.

Recent reporting on incidents like the Pathstone situation underscores the broader trend. Financial services firms are being targeted through identity-based intrusion paths, not just traditional malware. Public details are limited, but the pattern seen across similar events is consistent: social engineering plus MFA-bypass phishing, followed by token theft and access to SaaS applications.

Why AiTM works even when you have MFA

Many MFA approaches validate a sign-in, but don’t strongly tie that authenticated session to a trusted, managed device. AiTM attacks exploit that gap. Once a token is stolen, attackers can replay it and move quickly, often targeting email, collaboration platforms, file storage, and inbox rules to maintain access and expand impact.

What reduces risk: make stolen tokens unusable

The most reliable way to mitigate AiTM is to reduce token theft opportunities and prevent token replay from untrusted devices or attacker infrastructure.

That’s why smart MSPs are actively rolling out corporate device requirement policies across clients, starting with financial services, where the targeting and downside risk are highest. In practice, this means enforcing identity controls so access to critical SaaS apps requires a managed, compliant device, and high-risk sign-ins are blocked or challenged.

At Xantrion, we pair device requirements with additional identity hardening, such as:

  • Phishing-resistant authentication where feasible, especially for admins and high-risk roles
  • Tighter session controls and monitoring for anomalous sign-ins and suspicious inbox behavior
  • User training that reflects today’s attacker playbook: social engineering plus a legitimate-looking sign-in flow

Why financial services are a priority

Financial services firms are attractive targets because they hold sensitive client data, rely heavily on SSO and Microsoft 365, and often operate with distributed teams and trusted third parties. Those conditions make social engineering easier and identity compromise more profitable.

Practical next steps

If AiTM is on your radar, the fastest way to reduce exposure is a short, focused review of your identity controls.

Xantrion can help you run a practical AiTM readiness check that answers:

  • Can users access Microsoft 365 and SSO apps from unmanaged devices?
  • Are Conditional Access policies enforcing device compliance for high-risk apps and roles?
  • Are session controls tuned to limit token replay risk?
  • Do you have monitoring and response steps for token theft indicators, not just password resets?
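The device-requirement and high-risk sign-in controls described above, and the Conditional Access questions in this list, can be expressed as two Entra ID Conditional Access policies. The script below is an added example, not Xantrion's tooling or the page's own configuration; it assumes the Microsoft.Graph PowerShell SDK, an account permitted to write Conditional Access policies, and a break-glass group whose object ID is a placeholder you supply.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph SDK and
# a role that can write Conditional Access policies. Both policies start in
# report-only mode so the sign-in log shows who would be affected before enforcement.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your emergency-access (break-glass) group.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

# Policy 1: Microsoft 365 only from a managed device (Intune-compliant or
# hybrid-joined). A token replayed from attacker infrastructure fails this check.
$requireManagedDevice = @{
    displayName = "AiTM - Require managed device for Office 365"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
    # Shorter sign-in frequency narrows the window in which a stolen session stays valid.
    sessionControls = @{
        signInFrequency = @{ value = 1; type = "days"; isEnabled = $true }
    }
}

# Policy 2: block sign-ins that Identity Protection scores as high risk.
$blockHighRisk = @{
    displayName = "AiTM - Block high sign-in risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireManagedDevice, $blockHighRisk)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0}  id={1}  state={2}" -f $created.DisplayName, $created.Id, $created.State
}
```

Review the report-only results in the sign-in logs before changing `state` to `enabled`, and keep the break-glass group excluded so a misconfiguration cannot lock out all admins.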

If you want to pressure-test your current setup, reach out and we’ll map the highest-impact changes you can implement first, especially for finance and other regulated teams.
