Security researchers documented a new generation of adversary-in-the-middle (AiTM) phishing kits that use AI to generate convincing lure pages in real time and bypass SMS and app-based MFA. Over 40,000 businesses were targeted in Q1 2026.
Adversary-in-the-Middle (AiTM) phishing kits are a sophisticated evolution of traditional phishing attacks. Unlike basic phishing pages that simply steal a username and password, AiTM kits act as a real-time proxy between the victim and the legitimate website. When a victim enters their credentials on the fake page, the kit immediately forwards them to the real site, receives the MFA challenge, passes it back to the victim, and then captures the resulting session token. This allows attackers to bypass SMS-based and app-based TOTP MFA entirely — because they are not stealing the MFA code, they are stealing the authenticated session that results after MFA is completed. The victim successfully logs in and sees nothing unusual, while the attacker now has a valid session token they can use to access the account.
The new generation of AiTM kits documented by Proofpoint and Microsoft in Q1 2026 adds AI capabilities that make them significantly more dangerous. First, AI-generated lure pages: the kits use large language models to generate convincing phishing email content and landing pages tailored to the specific target organization, including correct logos, color schemes, and even personalized content pulled from the target's website and LinkedIn profile. Second, real-time adaptation: the AI component monitors the victim's interaction with the phishing page and adapts the content in real time to address hesitation or suspicion. Third, automated targeting: the kits use AI to identify high-value targets within an organization — typically finance staff, executives, and IT administrators — and prioritize attacks against them.
Proofpoint's Q1 2026 threat report documented over 40,000 businesses targeted by AiTM phishing campaigns in the first quarter of 2026, with a success rate (defined as at least one credential compromise per targeted organization) of approximately 12%. This means roughly 4,800 businesses had at least one account compromised through AiTM phishing in Q1 alone. The most commonly targeted services were Microsoft 365, Google Workspace, and Salesforce. Finance teams were the most frequently targeted employees, consistent with the attackers' goal of gaining access to accounts that can initiate wire transfers or access financial data.
The only MFA method that is resistant to AiTM attacks is FIDO2-based authentication — hardware security keys (like YubiKey) or passkeys stored on a device. FIDO2 authentication is cryptographically bound to the specific website domain, meaning it will not work on a phishing page even if the page looks identical to the real site. Microsoft 365 and Google Workspace both support FIDO2 authentication. For organizations that cannot immediately deploy FIDO2 for all users, prioritize it for administrator accounts, finance staff, and anyone with access to sensitive data. For all other accounts, implement Conditional Access policies that flag and block logins from new devices or unusual locations, which can catch AiTM session token theft before significant damage is done.
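As an added illustration (not part of the original report or any vendor's code), the following Python models the two bindings that make a FIDO2 assertion fail on a phishing origin: the browser only lets a page request an rpId that is a suffix of its own host, and the relying party checks the origin and rpIdHash it receives. The RP ID contoso.example, the origins and the credential are constructed for the example; the actual signature is omitted.

```python
import base64
import hashlib
import json
import os

RP_ID = "contoso.example"                         # constructed relying party for the example
ALLOWED_ORIGINS = {"https://login.contoso.example"}

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class SimAuthenticator:
    """Stand-in for a FIDO2 key: credentials are scoped to an RP ID and the signed authenticator data begins with sha256(rpId)."""
    def __init__(self):
        self.creds = {}
    def get_assertion(self, rp_id, client_data_json):
        if rp_id not in self.creds:
            return None                           # no credential scoped to this RP ID
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)
        return {"authenticatorData": auth_data, "clientDataJSON": client_data_json}

def browser_get(authenticator, page_origin, options):
    """navigator.credentials.get() on a page at page_origin, modelled minimally."""
    host = page_origin.split("://", 1)[-1].split("/")[0]
    if not (host == options["rpId"] or host.endswith("." + options["rpId"])):
        return None                               # SecurityError: rpId is not a suffix of the page host
    client_data = {"type": "webauthn.get", "challenge": b64u(options["challenge"]), "origin": page_origin}
    return authenticator.get_assertion(options["rpId"], json.dumps(client_data).encode())

def verify_assertion(assertion, expected_challenge):
    """Relying-party checks; each one independently defeats a proxied or replayed assertion."""
    if assertion is None:
        return False, "browser refused: rpId is not a suffix of the page origin"
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong clientData type"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')} is not an allowed origin"
    if cd.get("challenge") != b64u(expected_challenge):
        return False, "challenge mismatch (replay or another session)"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the RP ID"
    return True, "assertion accepted"

def login_attempt(page_origin):
    """A victim with a registered key signs in on page_origin; an AiTM proxy relays the RP's real options."""
    authenticator = SimAuthenticator()
    authenticator.creds[RP_ID] = b"credential-1"    # constructed credential registered for contoso.example
    challenge = os.urandom(32)
    options = {"rpId": RP_ID, "challenge": challenge}   # issued by the real RP and relayed unchanged
    return verify_assertion(browser_get(authenticator, page_origin, options), challenge)
```

Calling `login_attempt("https://login.contoso.example")` succeeds, while `login_attempt("https://login-contoso.example")` fails before the key is ever touched, which is the property a password plus TOTP does not have.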