Preventing AiTM Phishing Attacks
In an adversary-in-the-middle (AiTM) phishing attack, a reverse proxy sits between the user and the real sign-in page, relays the password and MFA response in real time, and captures the session cookie that comes back, so a completed MFA prompt is no protection on its own. AiTM attacks can be prevented and detected using a layered security approach. Below is a high-level overview of the key methods.
1. Use Phish-Resistant Authentication
Phish-resistant authentication methods cannot be relayed through AiTM phishing infrastructure, because the proof the user presents is bound to the legitimate site or to a private key on the user's device rather than to something the user types or approves.
Examples include:
FIDO2 security keys / passkeys
Windows Hello for Business
Certificate-based authentication (CBA)
These methods stop the proxy from completing the sign-in instead of relying on the user to notice the lookalike domain: a FIDO2 credential is scoped to the site that registered it, so the browser offers nothing to a phishing domain, and the signed response carries the origin it was produced for; certificate-based authentication needs the private key on the user's device, which the proxy never receives. Move privileged and high-value accounts to these methods first, and remove weaker fallback methods (SMS, voice, push approval) once they are enrolled, since a proxy only needs one relayable method to stay usable.
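The origin binding described above, as an added example that is not code from the original page: a minimal model of a WebAuthn assertion in Python. The authenticator scopes credentials to an RP ID, the browser (not the page) writes the origin into the client data, and the relying party checks origin, rpIdHash and the signature over both. The HMAC "signature" is a stand-in for the authenticator's ECDSA key pair so the example runs with the standard library only; the domain names are assumed, and the "unscoped" authenticator is a hypothetical used only to show the later checks.

```python
"""Why a FIDO2/WebAuthn sign-in cannot be relayed by an AiTM proxy (added illustration).

The HMAC "signature" stands in for the authenticator's ECDSA key pair so the example
needs only the standard library; what is signed and what is checked follows the
WebAuthn assertion format. Domain names and origins are assumed.
"""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                           # assumed relying-party ID (the real IdP)
RP_ORIGIN = "https://login.example.com"
EVIL_ORIGIN = "https://login.example.com.evil.test"   # assumed AiTM proxy domain


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


class Authenticator:
    """Security key or platform authenticator; credentials are scoped to an RP ID."""

    def __init__(self, scope_by_rp_id: bool = True):
        self.credentials = {}              # rp_id -> (credential_id, secret)
        self.scope_by_rp_id = scope_by_rp_id

    def register(self, rp_id: str):
        cred_id, secret = os.urandom(16), os.urandom(32)
        self.credentials[rp_id] = (cred_id, secret)
        return cred_id, secret             # 'secret' stands in for the public key the RP stores

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        if rp_id in self.credentials:
            cred_id, secret = self.credentials[rp_id]
        elif self.scope_by_rp_id:
            raise LookupError(f"no credential for RP ID {rp_id}")
        else:                              # hypothetical authenticator that ignores RP ID scoping
            cred_id, secret = next(iter(self.credentials.values()))
        # authenticatorData = sha256(rpId) || flags (user present) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return cred_id, auth_data, hmac.new(secret, signed, hashlib.sha256).digest()


def browser_sign_in(auth: Authenticator, page_origin: str, challenge: bytes) -> dict:
    """The browser, not the page, fills in the origin and derives the RP ID from the page's domain."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    ).encode()
    cred_id, auth_data, sig = auth.get_assertion(rp_id, client_data)
    return {"credential_id": cred_id, "client_data": client_data,
            "authenticator_data": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self):
        self.keys = {}                     # credential_id -> stored key

    def enroll(self, cred_id: bytes, key: bytes):
        self.keys[cred_id] = key

    def verify(self, assertion: dict, challenge: bytes) -> str:
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get":
            return "wrong type"
        if cd.get("challenge") != b64url(challenge):
            return "challenge mismatch"
        if cd.get("origin") != RP_ORIGIN:          # a proxied sign-in carries the proxy's origin
            return "origin mismatch"
        auth_data = assertion["authenticator_data"]
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return "rpIdHash mismatch"
        expected = hmac.new(self.keys[assertion["credential_id"]],
                            auth_data + hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return "bad signature"
        return "ok"


def run_scenario(page_origin: str, scoped: bool = True, proxy_rewrites: bool = False) -> str:
    auth, rp = Authenticator(scope_by_rp_id=scoped), RelyingParty()
    rp.enroll(*auth.register(RP_ID))
    challenge = os.urandom(32)             # issued by the RP; the proxy relays it unchanged
    try:
        assertion = browser_sign_in(auth, page_origin, challenge)
    except LookupError as exc:
        return f"no assertion: {exc}"
    if proxy_rewrites:
        # The proxy patches origin and rpIdHash to look legitimate; the signature covers both.
        cd = json.loads(assertion["client_data"])
        cd["origin"] = RP_ORIGIN
        assertion["client_data"] = json.dumps(cd).encode()
        assertion["authenticator_data"] = (hashlib.sha256(RP_ID.encode()).digest()
                                           + assertion["authenticator_data"][32:])
    return rp.verify(assertion, challenge)
```

run_scenario(RP_ORIGIN) returns "ok"; against the proxy domain a standards-conforming authenticator never produces an assertion at all, an authenticator that ignored scoping would be rejected on origin, and a proxy that rewrites the origin and rpIdHash breaks the signature. Nothing in the relayed exchange lets the proxy mint a response the IdP will accept.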
2. Require Trusted Devices
Ensure users can only authenticate from devices that meet your organization’s requirements.
The device claims Conditional Access evaluates come from the device's own registration with Microsoft Entra, not from the browser session the proxy controls, so an AiTM server holding only the user's password, MFA response and cookies presents no device identity and cannot satisfy the policy. Require MFA for device registration as well, so an attacker who has already captured a session cannot simply enroll a device of their own.
Common approaches:
Intune-compliant devices (require the device to be marked compliant)
Microsoft Entra hybrid joined devices (formerly hybrid Azure AD joined)
Microsoft Entra joined devices, or a device filter in Conditional Access
3. Restrict Authentication Locations
Limit sign-ins to trusted or expected network environments.
Microsoft Entra sees the IP address of whatever connects to it; with an AiTM proxy in the path that is the attacker's server, not the user's network, so a location-based policy blocks the proxied sign-in even when the user is sitting in the office. This control is only as good as your inventory of trusted egress ranges: attackers increasingly front their proxies with cloud or residential IP space, and remote users legitimately sign in from everywhere, so treat it as one layer rather than the primary control.
Options include:
Named locations in Conditional Access
Global Secure Access policies
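Sections 2 and 3 together, as an added example that is not the page's code and not Microsoft Entra's evaluation engine: a simplified Python model of a device-based policy and a location-based policy, applied to three constructed sign-ins. The policy and named-location dictionaries follow the Microsoft Graph conditionalAccessPolicy and ipNamedLocation shapes; the named-location id, the IP ranges, the device claim values and the sign-ins themselves are assumptions made for the demo.

```python
"""Simplified model of device- and location-based Conditional Access against an AiTM sign-in.

Added illustration: not the page's code and not Microsoft Entra's evaluation engine. The policy
and named-location dictionaries follow the Microsoft Graph conditionalAccessPolicy and
ipNamedLocation shapes; the location id, IP ranges and sign-in events are constructed.
"""
import ipaddress

CORP_LOCATION_ID = "11111111-2222-3333-4444-555555555555"   # assumed named-location object id

named_locations = {
    CORP_LOCATION_ID: {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": "Corporate egress",
        "isTrusted": True,
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "203.0.113.0/24"}],
    },
}

policies = [
    {   # Section 2: a managed device must be presented, whatever the network
        "displayName": "Require compliant or Entra hybrid joined device",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
    },
    {   # Section 3: block everything that does not come from a trusted named location
        "displayName": "Block sign-ins outside trusted locations",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def in_location(ip: str, location_ref: str) -> bool:
    """Resolve 'All', 'AllTrusted' or a named-location id against a client IP."""
    if location_ref == "All":
        return True
    if location_ref == "AllTrusted":
        return any(in_location(ip, lid) for lid, loc in named_locations.items() if loc["isTrusted"])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r["cidrAddress"])
               for r in named_locations[location_ref]["ipRanges"])


def policy_applies(policy: dict, signin: dict) -> bool:
    loc = policy["conditions"].get("locations")
    if loc is None:
        return True
    included = any(in_location(signin["ipAddress"], ref) for ref in loc.get("includeLocations", []))
    excluded = any(in_location(signin["ipAddress"], ref) for ref in loc.get("excludeLocations", []))
    return included and not excluded


# Device claims are only present when the device itself talks to Entra; an AiTM proxy has none.
# The trustType strings mirror the deviceDetail field of Entra sign-in logs (constructed values).
CONTROL_CHECKS = {
    "compliantDevice": lambda s: s["deviceDetail"].get("isCompliant", False),
    "domainJoinedDevice": lambda s: s["deviceDetail"].get("trustType") == "Hybrid Azure AD joined",
    "block": lambda s: False,
}


def grant_satisfied(policy: dict, signin: dict) -> bool:
    results = [CONTROL_CHECKS[c](signin) for c in policy["grantControls"]["builtInControls"]]
    return any(results) if policy["grantControls"]["operator"] == "OR" else all(results)


def evaluate(signin: dict) -> dict:
    """Return {policy name: 'satisfied' | 'failed'} for every enabled policy that applies."""
    outcome = {}
    for policy in policies:
        if policy["state"] == "enabled" and policy_applies(policy, signin):
            outcome[policy["displayName"]] = "satisfied" if grant_satisfied(policy, signin) else "failed"
    return outcome


# Constructed sign-ins
OFFICE_MANAGED = {"ipAddress": "203.0.113.45",
                  "deviceDetail": {"isCompliant": True, "trustType": "Hybrid Azure AD joined"}}
AITM_PROXY = {"ipAddress": "198.51.100.23", "deviceDetail": {}}   # relays credentials, carries no device
HOME_MANAGED = {"ipAddress": "192.0.2.10",
                "deviceDetail": {"isCompliant": True, "trustType": "Azure AD joined"}}
```

The office sign-in satisfies the device policy and is excluded from the block policy by the trusted location. The proxied sign-in fails both: it carries no device claims and arrives from the proxy's address. The compliant laptop at home passes the device policy but trips the location block, which is the trade-off section 3 warns about and the reason the device requirement is the stronger of the two.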
4. Prevent Session Token Replay
Bind session tokens to the device they were issued to, so a token lifted out of the proxy cannot be redeemed from the attacker's machine even though it was captured intact.
Key technologies:
Microsoft Entra Token Protection (token binding), applied as a session control in Conditional Access; it currently covers only specific platforms and applications, so check the supported scope before treating it as complete coverage
Shortened session token lifetimes (sign-in frequency controls), which narrow the window in which a stolen token is useful but do not stop replay inside that window
5. Implement Additional Detection & Monitoring
Even strong prevention layers should be paired with visibility and alerting: a session cookie used from an unfamiliar network, a sign-in from known proxy infrastructure, or MFA being satisfied without a managed device are all visible in sign-in logs if something is watching for them.
Useful tools include:
Third-party SIEM or ITDR tools
Threat intelligence feeds to block known AiTM infrastructure
Endpoint security tools
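Two of the detections above, as an added example that is not code from the original page: a Python pass over sign-in events that flags addresses in a threat-intel feed of AiTM infrastructure and flags a session ID that reappears from a different IP on an unmanaged client, which is also what a replayed token from section 4 looks like in the logs. The event fields are constructed to resemble Microsoft Entra sign-in log entries; the feed ranges and every event are invented for the demo.

```python
"""AiTM indicators over sign-in events: known proxy infrastructure and session-cookie reuse.

Added illustration, not the page's code. Event fields are constructed to resemble Microsoft
Entra sign-in log entries; the threat-intel ranges and every event are invented for the demo.
"""
import ipaddress
from datetime import datetime

# Assumed threat-intel feed of AiTM proxy egress ranges (constructed)
AITM_INFRA = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.128/25")]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def ip_in_feed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AITM_INFRA)


def detect(events: list) -> list:
    """Return (time, user, rule, detail) alerts, oldest first."""
    alerts = []
    first_seen = {}                      # (user, sessionId) -> (time, ip) of first successful use
    for ev in sorted(events, key=lambda e: _ts(e["createdDateTime"])):
        user, ip, sess = ev["userPrincipalName"], ev["ipAddress"], ev["sessionId"]
        when = _ts(ev["createdDateTime"])
        # Rule 1: any attempt, successful or not, from infrastructure in the feed
        if ip_in_feed(ip):
            alerts.append((when, user, "sign-in from known AiTM infrastructure", ip))
        if ev["resultType"] != 0:        # session tracking only cares about successful sign-ins
            continue
        key = (user, sess)
        if key not in first_seen:
            first_seen[key] = (when, ip)
            continue
        t0, ip0 = first_seen[key]
        managed = ev["deviceDetail"].get("isCompliant", False)
        # Rule 2: the same session cookie now used from another network by an unmanaged client,
        # the pattern of a cookie lifted through a proxy and replayed. A compliant device that
        # changed networks (laptop on a hotspot) is left alone to keep the rule quiet.
        if ip != ip0 and not managed:
            minutes = int((when - t0).total_seconds() // 60)
            alerts.append((when, user, "session reused from new IP without managed device",
                           f"{ip0} -> {ip} after {minutes} min"))
    return alerts


# Constructed events in the style of Entra SigninLogs
EVENTS = [
    {"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.45", "sessionId": "sess-a1", "resultType": 0,
     "deviceDetail": {"isCompliant": True}},
    {"createdDateTime": "2024-05-01T09:07:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.23", "sessionId": "sess-a1", "resultType": 0,
     "deviceDetail": {"isCompliant": False}},                        # replayed cookie
    {"createdDateTime": "2024-05-01T10:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.77", "sessionId": "sess-b1", "resultType": 0,
     "deviceDetail": {"isCompliant": True}},                         # proxy address in the feed
    {"createdDateTime": "2024-05-01T11:00:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.9", "sessionId": "sess-c1", "resultType": 0,
     "deviceDetail": {"isCompliant": True}},
    {"createdDateTime": "2024-05-01T11:30:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.9", "sessionId": "sess-c1", "resultType": 0,
     "deviceDetail": {"isCompliant": True}},                         # same IP, no alert
    {"createdDateTime": "2024-05-01T12:00:00Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "203.0.113.50", "sessionId": "sess-d1", "resultType": 0,
     "deviceDetail": {"isCompliant": True}},
    {"createdDateTime": "2024-05-01T12:20:00Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "198.51.100.9", "sessionId": "sess-d1", "resultType": 0,
     "deviceDetail": {"isCompliant": True}},                         # managed device roaming, no alert
    {"createdDateTime": "2024-05-01T13:00:00Z", "userPrincipalName": "eve@example.com",
     "ipAddress": "192.0.2.5", "sessionId": "sess-e1", "resultType": 50126,
     "deviceDetail": {}},                                            # failed attempt from the feed
]
```

detect(EVENTS) yields three alerts: alice's cookie reused seven minutes later from an unmanaged client on another network, bob's successful sign-in from a feed address, and eve's failed attempt from a feed address, which is worth knowing about even though it did not succeed. Carol's repeat from the same address and dave's compliant laptop changing networks produce nothing, which is the point of conditioning rule 2 on the device claim rather than on IP change alone.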