An Adversary-in-the-Middle (AitM) attack places a malicious reverse proxy between a user and a legitimate service and relays the login traffic in real time. The victim sees the real service's pages, served through the attacker's domain, so the password is not the only prize: the proxy observes the whole authentication exchange, including the MFA step, and captures the session cookie or token the service issues once login succeeds. With that cookie the attacker can act as the victim until the session expires or is revoked, without needing the password or a second MFA response.
AitM matters because it defeats defenses that protect only the password and the one-time code: both are relayed to the real service unchanged, so the MFA prompt is satisfied by the victim in person. In cloud attacks the proxy mirrors the legitimate sign-in pages, forwards MFA prompts and collects the authenticated state from the session. Detection therefore focuses on the relay rather than the credentials: sign-ins that originate from hosting or proxy networks, impossible travel between the login and later use of the same session, a session cookie used from a different IP address or browser than the one that authenticated, and other signs that the login flow was relayed rather than completed directly. Conditional access that restricts where a session can be used, phishing-resistant MFA (FIDO2/WebAuthn or certificate-based, where the credential is bound to the site's origin so a proxy on another domain cannot relay the assertion), and session monitoring with prompt revocation reduce the risk.
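The relay-focused signals above, as an added example that is not part of the original page: a small detector run over constructed sign-in and activity log lines. It flags a login that arrives from a hosting/proxy range (the AitM proxy, not the victim, is what the service sees) and a session cookie that is later used from a different IP address or user agent than the client that authenticated. The log format, the field names and the hosting-network list are assumptions for this illustration; in practice the network list would come from an ASN or threat-intelligence feed and the events from the identity provider's sign-in and audit logs.

```python
"""Added example (not from the original page): flag AitM-style session relay
in constructed sign-in logs. The log format, field names and the hosting
network list below are assumptions made for this illustration."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: prefixes the defender treats as proxy/hosting space. Real
# deployments would load these from an ASN or threat-intel feed.
HOSTING_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Event:
    ts: datetime
    kind: str          # "signin" or "activity"
    user: str
    session_id: str
    ip: str
    user_agent: str
    mfa: bool = False


def parse_line(line: str) -> Event:
    """Parse one constructed 'key=value key=value' log line."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Event(
        ts=datetime.fromisoformat(fields["ts"]).replace(tzinfo=timezone.utc),
        kind=fields["event"],
        user=fields["user"],
        session_id=fields["sid"],
        ip=fields["ip"],
        user_agent=fields["ua"],
        mfa=fields.get("mfa", "false") == "true",
    )


def from_hosting(ip: str) -> bool:
    """True if the address falls inside a known proxy/hosting prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_NETWORKS)


def detect(lines):
    """Return (session_id, reason) findings for relay-style sessions.

    A sign-in records the client that authenticated; any later use of the same
    session from another IP or user agent is reported, as is a sign-in that
    itself came from hosting/proxy space, and activity on a session whose
    login was never observed.
    """
    findings = []
    origin = {}  # session_id -> the Event that authenticated it
    for line in lines:
        ev = parse_line(line)
        if ev.kind == "signin":
            origin[ev.session_id] = ev
            if from_hosting(ev.ip):
                reason = f"login from hosting/proxy range {ev.ip}"
                if ev.mfa:
                    reason += " with MFA satisfied"  # MFA relayed through the proxy
                findings.append((ev.session_id, reason))
            continue
        auth = origin.get(ev.session_id)
        if auth is None:
            findings.append((ev.session_id, "activity on session with no observed login"))
            continue
        if ev.ip != auth.ip or ev.user_agent != auth.user_agent:
            age = (ev.ts - auth.ts).total_seconds()
            findings.append((
                ev.session_id,
                f"session used from {ev.ip}/{ev.user_agent} but authenticated from "
                f"{auth.ip}/{auth.user_agent} ({age:.0f}s after login)",
            ))
    return findings


# Constructed sample: alice is a normal user; bob's login is seen from the
# proxy's address and his cookie is then replayed from attacker tooling;
# carol's session is used without any login having been logged.
SAMPLE_LOG = [
    "ts=2024-05-01T09:00:00 event=signin user=alice sid=s-alice-1 ip=198.51.100.7 ua=Chrome/124 mfa=true",
    "ts=2024-05-01T09:05:00 event=activity user=alice sid=s-alice-1 ip=198.51.100.7 ua=Chrome/124",
    "ts=2024-05-01T10:00:00 event=signin user=bob sid=s-bob-1 ip=203.0.113.45 ua=Chrome/124 mfa=true",
    "ts=2024-05-01T10:03:00 event=activity user=bob sid=s-bob-1 ip=192.0.2.88 ua=python-requests/2.31",
    "ts=2024-05-01T10:04:00 event=activity user=carol sid=s-carol-9 ip=192.0.2.88 ua=python-requests/2.31",
]

if __name__ == "__main__":
    for sid, reason in detect(SAMPLE_LOG):
        print(f"{sid}: {reason}")
```

An IP change by itself is a weak signal (mobile users roam between networks), so the check above combines IP and user agent and reports how soon after login the mismatch occurred; a cookie used from a new client minutes after an MFA-satisfied login is far more suspicious than one used a day later. The hosting-range check is brittle on its own because some AitM kits relay through residential proxies, which is why it is paired with the session-reuse check rather than used alone.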



