AiTM phishing attacker on M365
Service · Anti-phishing AiTM · M365 + Google · FREE

Modern phishing bypasses MFA. The Interceptor doesn't.

AiTM attacks don't just steal credentials: they capture the session token after authentication, making MFA useless. Fortgale blocks the attack before the user interacts with the malicious proxy.

91% · Attacks via phishing
5+ years · In production
0 · Compromised credentials
Fortgale · Interceptor
Active alert
⚠️
AiTM attack detected
This page uses a proxy to intercept your credentials and MFA token. Do not enter any data.
hxxps://m1cr0s0ft-login[.]verify-token[.]net/aitm/...
Compliance · email security
NIS2 ready
DORA
ISO 27001
GDPR
Compatibility
Microsoft 365
Google Workspace
Entra ID
FIDO2 / TOTP
Why it works against AiTM

It acts on the page, not on the email.

Classic anti-phishing solutions intervene before delivery. Fortgale operates where traditional filters fail: at the moment when the user is about to surrender credentials.

01 ·

Behavioural protection

Operates on the page behaviour at destination, not on the delivery channel. Effective even when the message bypasses SEG, sandbox and DNS filters.

02 ·

MFA-proof by design

Designed for AiTMs that bypass MFA: acts before the token is generated in a fraudulent context, making theft structurally impossible.

03 ·

Zero infrastructure changes

No changes to DNS, mail servers or M365 tenant. Guided onboarding in a few hours. Compatible with FIDO2, TOTP, hardware keys and all MFA providers.

Proof · real sectors

Four sectors where Fortgale is already operational.

Banking
AiTM campaigns
on financial M365 portals
Shipping
BEC + AiTM
against logistics operators
Manufacturing
Spear-phishing
across hybrid M365 supply chains
Critical infra
NIS2 operators
with auditable reporting
Anatomy of an AiTM attack

Five steps · the Interceptor blocks it before the first.

The AiTM proxy makes MFA useless. The only defence is to act on the destination page, before the user types.

01 · Email

Phishing email delivered

The phishing email bypasses SEG, sandbox and DNS filters. It contains a link to a seemingly legitimate AiTM proxy.

02 · Proxy

AiTM proxy activated

The user clicks. The transparent proxy (Evilginx, Modlishka, Muraena) relays traffic to the real M365 portal.

03 · Credentials

Credentials + MFA captured

The user enters credentials and the second factor. The proxy captures everything: password and MFA code.

04 · Token

Session token stolen

Microsoft issues the session token. The proxy intercepts and reuses it autonomously, bypassing MFA.

05 · Block

Fortgale Interceptor

The Interceptor detects the proxy and blocks the user before step 1. No data is ever transmitted.

What the service includes

Six pillars of AiTM protection.

01

Behavioural protection

Operates on the destination page behaviour, not on the delivery channel. Effective even when the message bypasses SEG, sandbox and DNS filters.

02

MFA-proof by design

Designed for AiTMs that bypass MFA: acts before the token is generated in a fraudulent context, making theft structurally impossible.

03

Zero infrastructure changes

No changes to DNS, mail servers or M365 tenant. Guided onboarding in a few hours, with no impact on user productivity.

04

M365 + Google Workspace coverage

Protection for both Microsoft 365 (Exchange Online, SharePoint, Teams) and Google Workspace (Gmail, Drive, Meet).

05

Real-time intelligence

Powered by the Fortgale Intelligence Feed: new AiTM infrastructure, emerging phishing kits, lookalike domains detected and blocked in real time.

06

Visibility & reporting

Centralised dashboard of intercepted attacks, users involved, target sectors. CISO reporting with MTTD/MTTR metrics and monthly trends.

FAQ

Everything to know before activating the Interceptor.

What is an AiTM phishing attack?

Adversary-in-the-Middle (AiTM): a transparent proxy placed between the user and the legitimate site (M365). It captures credentials and MFA tokens, bypassing authentication. It is the dominant technique in advanced European campaigns. Frameworks: Evilginx, Modlishka, Muraena.

How does the Fortgale Interceptor work against AiTM?

It detects in real time the characteristic signals of AiTM proxy pages and displays a warning before credentials are entered. It analyses page and session behaviour, not the email channel.

Why is MFA not enough against AiTM?

MFA protects static credentials (username/password) but not the session token issued after authentication. The AiTM proxy receives the valid token — even after the second factor — and reuses it autonomously. The Interceptor acts earlier.
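The token reuse described in this answer can also be looked for after the fact in session logs. The sketch below is an added example, not Fortgale's code and not how the Interceptor works: it flags a session whose token is later presented from an IP address and user agent that both differ from the client that completed MFA. The event records are constructed and the field names (`session`, `event`, `ip`, `ua`) are hypothetical.

```python
from datetime import datetime

# Constructed session events (not real logs); field names are hypothetical.
EVENTS = [
    {"ts": "2026-04-15T09:00:02", "session": "s-1001", "event": "signin_mfa",
     "ip": "198.51.100.10", "ua": "Edge/124 Windows"},
    {"ts": "2026-04-15T09:05:40", "session": "s-1001", "event": "token_use",
     "ip": "198.51.100.10", "ua": "Edge/124 Windows"},
    # Same browser on a new network (roaming): IP changes, user agent does not.
    {"ts": "2026-04-15T12:30:11", "session": "s-1001", "event": "token_use",
     "ip": "192.0.2.77", "ua": "Edge/124 Windows"},
    {"ts": "2026-04-15T10:12:00", "session": "s-1002", "event": "signin_mfa",
     "ip": "203.0.113.50", "ua": "Chrome/124 Windows"},
    # Token presented by a different host and client minutes after MFA.
    {"ts": "2026-04-15T10:14:27", "session": "s-1002", "event": "token_use",
     "ip": "203.0.113.99", "ua": "Firefox/115 Linux"},
    {"ts": "2026-04-15T10:20:03", "session": "s-1002", "event": "token_use",
     "ip": "203.0.113.99", "ua": "Firefox/115 Linux"},
]


def find_replayed_sessions(events):
    """Return one finding per session whose token is later presented from an
    IP *and* user agent that both differ from the client that completed MFA."""
    issued = {}      # session id -> (ip, ua) seen at the MFA sign-in
    flagged = set()  # sessions already reported
    findings = []
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        client = (e["ip"], e["ua"])
        if e["event"] == "signin_mfa":
            issued[e["session"]] = client
            continue
        origin = issued.get(e["session"])
        if origin is None or e["session"] in flagged:
            continue  # issuance not in the data, or already reported
        if client[0] != origin[0] and client[1] != origin[1]:
            flagged.add(e["session"])
            findings.append({"session": e["session"], "issued_to": origin[0],
                             "replay_ip": e["ip"], "replay_ts": e["ts"]})
    return findings


if __name__ == "__main__":
    for f in find_replayed_sessions(EVENTS):
        print(f)
```

Requiring both the IP and the user agent to change keeps ordinary network roaming (session `s-1001`) from being flagged; only `s-1002` is reported.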

Does it also work with Google Workspace?

Yes. AiTM campaigns against Google are growing in manufacturing, logistics and professional services. Identical logic: a warning before credentials are entered.

How long does activation take?

Fast, non-invasive onboarding. No changes to infrastructure, mail servers, DNS or M365 tenant. Activation in a few hours. Team response within 24 working hours.

Research · AiTM phishing kits

We track phishing kits that bypass MFA.

We analyse the AiTM phishing kits in circulation: reverse-proxy infrastructure, token hijack, reusable kits. Operation Storming Tide and Phishing Kits Bypass MFA are just two examples of the research that fuels our M365 detections.

Defence · 15 Apr 2026

Phishing Kits Bypass MFA and Hijack companies' accounts in minutes

Intelligence · Phishing Kit · Q1 2026 · April 24, 2026 · Fortgale CTI · 14 min read · RPT-26-0424. Observation of the quarter: The 2026 phishing ecosystem has outpaced tradition…

Featured · 8 Apr 2026

Investment-Targeted Phishing: How Phishing Kit Fuels Espionage in Funding Rounds

In the high-stakes world of venture capital and corporate funding, where millions hang in the balance and sensitive financial data flows freely, a new breed of cyber threat is em…

Defence · 13 Mar 2026

Operation Storming Tide: A massive multi-stage intrusion campaign

In February 2026, the Fortgale Incident Response team investigated a multi-stage intrusion attributed to Mora_001, a Russian-origin threat actor exploiting Fortinet vulnerabiliti…

Featured · 4 Sep 2024

Behind the Wheel: Unveiling the Supercar Phishing Kit Targeting Microsoft 365

UPDATES: 27.11.2024: As mentioned by TrustWave, "Supercar Phishing Kit" has a high level of overlap with the most recent update of "Rockstar 2FA Phishing-as-a-Service" 26.09…

Featured · 18 Dec 2023

Espionage activities targeting European businesses

In the evolving landscape of cybersecurity threats, Fortgale is tracking PhishSurf Nebula, an advanced Cyber Espionage group active since 2021 and primarily targeting entities wi…

Featured · 6 Dec 2023

Nebula Broker: offensive operations made in Italy

Fortgale has been tracking an Italian Threat Actor, internally dubbed as Nebula Broker, since March 2022. The actor uses self-made malware (BrokerLoader) to compromise Italian sy…

Start now — it's free

The next AiTM attack is already being prepared.

The Fortgale M365 Phishing Interceptor blocks AiTM phishing before credentials are entered — and before the session token is stolen. Free activation, no infrastructure changes, operational in a few hours.

Response time: < 1 business day.