Tag

#AiTM

5 articles covering AiTM across campaign analysis, detection engineering, and defender tradecraft.

Coverage

5 entries

Field Analysis

Dual UseCampaign AnalysisMay 20, 202610 min read

Breaking Down the Code of Conduct Campaign: PDF Lures, CAPTCHA Gates, and AiTM Token Theft

Microsoft detailed an April 2026 campaign that wrapped credential theft in HR disciplinary language, used a CAPTCHA as an anti-analysis gate, and stole tokens through an adversary-in-the-middle proxy.

By PhishPond Desk

Field Analysis

Blue TeamCampaign AnalysisMay 6, 20268 min read

Compliance Lures Are Becoming Multi-Stage AiTM Token Traps

Recent code-of-conduct phishing campaigns show how attackers blend HR pressure, PDF staging, CAPTCHA gates, and AiTM flows to steal session tokens.

By PhishPond Desk

Field Analysis

Blue TeamCampaign AnalysisMay 5, 202613 min read

Storm-1747 and the Tycoon 2FA Operator Class: A Defender Brief

Storm-1747 sells Tycoon 2FA - one of the most prolific reverse-proxy phishing kits in current circulation. This brief is what a defender team needs to know about the operator class.

By PhishPond Desk

Field Analysis

Blue TeamDetection & ValidationApr 29, 202614 min read

Detecting AitM Reverse Proxies: TLS Fingerprints, Cookie Artifacts, and Page-Side Tells

AitM kits proxy a real identity provider page, so brand and URL checks fail. The detectable artifacts live one layer down - in TLS handshake fingerprints, in the cookies the proxy must rewrite, and in the small page-side tells that betray the relay.

By PhishPond Desk

Field Analysis

Red TeamInfrastructure IntelligenceApr 12, 202610 min read

The 2024–2026 AitM Phishing-as-a-Service Market: Tycoon, EvilProxy, Mamba, Greatness

Reverse-proxy phishing kits commoditized session-token theft over the last two years. The kit market now resembles SaaS, and that has implications for how defenders track operators.

By PhishPond Desk

#AiTM

Coverage

Browse Other Tags