There is a category of attack that security teams find especially disorienting to investigate. The logs show a successful login. MFA was satisfied. The session was issued legitimately. No passwords were brute-forced. No exploits were used. And yet, the wrong person ended up with access.
The attack is called real-time phishing, or adversary-in-the-middle (AiTM) phishing, and when it is combined with a voice call from someone who sounds helpful and authoritative, it is one of the most effective techniques in use today. Not because it is technically sophisticated. Because it is designed to look exactly like normal user behavior.
The scale of the problem is no longer theoretical. In March 2026, Europol coordinated a global takedown of Tycoon 2FA, a phishing-as-a-service platform that had sent tens of millions of phishing messages each month, reaching over 500,000 organizations worldwide. By mid-2025, it accounted for 62% of all phishing attempts blocked by Microsoft. The platform was specifically engineered to bypass MFA in real time.
Source: Microsoft Security Blog, March 2026; Europol / Shadowserver Foundation
What Real-Time Phishing Actually Does
To understand why this matters, it helps to understand what traditional phishing was designed to accomplish and why MFA made it much harder.
The old model was straightforward: trick a user into entering their credentials on a fake site, harvest the username and password, and log in later. MFA largely closed that window. By the time an attacker tried to use stolen credentials, the one-time code had expired. The login failed.
Real-time phishing changes the sequence entirely. Instead of storing credentials for later use, the attacker sits between the user and the legitimate service, relaying everything live. Tools like Tycoon 2FA made this accessible to attackers with minimal technical skill, offering pre-built templates, admin panels, and reverse-proxy infrastructure on a subscription basis. By some estimates, as little as $120 bought a subscription.
Here is how it unfolds. The victim receives a call or message directing them to a phishing site. They enter their credentials. Those credentials are immediately passed to the real service. The service returns an MFA prompt, which the attacker proxies back to the victim. The victim approves it, believing they are logging in normally. The attacker receives a valid, authenticated session.
MFA was completed successfully. SSO behaved exactly as designed. The attacker is now authenticated as the victim.
Nothing in that sequence is a technical failure. The systems all worked. The gap was in the workflow, not the technology.
Why Your Security Stack Does Not See It
Most detection tools are built around anomalies. Unexpected IP addresses. Failed login attempts. Access at unusual hours. Policy violations. These signals assume that something in the authentication chain went wrong.
Real-time phishing produces none of those signals. The identity provider logs a valid authentication event from the correct user. The MFA challenge is satisfied. Session cookies are issued. Every downstream system trusts the session because there is nothing to distrust.
The Canadian Centre for Cyber Security, which analyzed over 100 AiTM phishing campaigns targeting Microsoft Entra ID accounts between 2023 and early 2025, found that successful session compromise occurred in roughly 12 to 17 percent of incidents where standard MFA was the only control. When registered-device conditional access policies were in place, that rate dropped sharply. The per-campaign rate is modest; the operational problem is that the successful cases look like the unsuccessful ones. As investigators consistently find, the attack leaves almost no forensic signal at the authentication layer.
Source: Canadian Centre for Cyber Security, ITSM.30.031, December 2024
Investigators often discover these incidents only after the attacker has already acted inside an application: exporting data, modifying settings, enrolling a new device, or establishing persistence through API tokens or forwarding rules. By then, the initial compromise is buried under a trail of legitimate-looking activity.
When the forensics team goes looking for the breach, they find authentication logs that show everything working correctly. Because it did work correctly. The compromise happened at the human layer, between the user and the moment of trust.
The Voice Call That Turns a Tense Situation Into a Completed Transaction
A phishing site alone creates friction. Users hesitate. They notice the URL. They close the tab. They call IT.
A voice call removes that friction almost entirely.
The attacker explains why the login is needed right now. They walk the victim through each step, offering reassurance when MFA prompts appear. They handle objections in real time. They create a sense of urgency and legitimacy that the victim has no particular reason to question, especially if the caller sounds confident and professional.
AI voice synthesis makes this scalable in ways that were not possible two years ago. Attackers no longer need trained social engineers or multilingual call centers. A convincing voice persona can be constructed quickly, adapted to different scenarios, and deployed across many targets simultaneously. According to the FBI and CISA’s updated Scattered Spider advisory from July 2025, the group has refined its use of exactly this combination: vishing paired with technical relay attacks, often incorporating publicly available information about target organizations to make impersonation calls more convincing.
Source: FBI / CISA Joint Advisory AA23-320A, updated July 2025
Japan's Financial Services Agency attributed roughly $710M in losses to a single 2025 wave of AiTM phishing and credential compromise against customers of Japanese brokerages, including customers who had MFA enabled.
Source: Japan Financial Services Agency, 2025
The result is a coordinated attack where technical relay and human persuasion reinforce each other. Each piece makes the other more effective.
How Help Desks Get Pulled Into the Attack Chain
Support teams often end up in the middle of these attacks without realizing it.
Sometimes the victim calls IT because something feels off during a login. They are confused. They describe what happened. An agent, trying to be helpful, walks them through a reset or override without understanding that the confusion was manufactured by the attacker to prompt exactly that call.
Other times, the attacker calls support directly. According to the FBI and CISA, Scattered Spider actors—the group responsible for breaches at MGM Resorts, Marks & Spencer, and dozens of other enterprises—routinely pose as victim employees or IT staff to convince help desk personnel to reset passwords and transfer MFA tokens. They have already gathered enough information from the phishing session to sound credible. They reference real login attempts. They describe issues that seem plausible. They request account changes that feel routine.
Once a support agent intervenes and overrides a control, SSO and MFA become irrelevant. The agent has done something no relay attack can do: changed the underlying account state. At that point, the attacker does not need to proxy anything. They just log in.
What Happens After the Session Is Compromised
Modern attackers rarely treat initial access as the end goal. Once they have a valid session, they move quickly to make it durable.
They enroll a new MFA device. They register trusted endpoints. They set up email forwarding rules or create API tokens that persist beyond session expiration. They modify recovery information so that any future reset routes back to them.
Each of these actions uses legitimate platform features. Nothing looks like a breach. The attacker is just a user, managing their account.
Tycoon 2FA specifically enabled persistence of exactly this kind: according to Microsoft’s analysis, compromised accounts remained accessible to attackers even after password resets, because active sessions and tokens were not revoked. The attack did not end when the phishing call ended. It continued for as long as those sessions stayed alive.
Source: Microsoft Security Blog, “Inside Tycoon2FA,” March 2026
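The authentication event itself gives a detection engineer nothing to work with, but the two things an attacker does next, reusing the session from their own infrastructure and quickly making it durable, do. The following is an added example for this article (not detection logic from the article, from Microsoft, or from any product) that runs that correlation over a constructed, simplified event schema. The user names, IP addresses and timestamps are made up, and the schema is not any identity provider's real export format; in an Entra ID environment the sign-in would come from the sign-in logs and the persistence actions from the directory and Exchange audit logs.

```python
"""Surfacing an AiTM compromise from what happens after the clean sign-in.

Added example for this article, not detection content from the article or
from any vendor product. The event schema is constructed and simplified
(not an identity provider's real export format); users, IPs and timestamps
are made up.

The interactive sign-in looks legitimate (correct user, MFA satisfied), so
this rule ignores it and keys on what follows: the session being used from a
network other than the one that authenticated, and persistence being
established quickly (new MFA method, inbox rule, API token, recovery change).
"""
from datetime import datetime, timedelta

PERSISTENCE_ACTIONS = {
    "mfa_method_added",
    "inbox_rule_created",
    "api_token_created",
    "recovery_contact_changed",
}

# Constructed sample events: (timestamp, user, event, source_ip, mfa_satisfied)
SAMPLE_EVENTS = [
    # Victim signs in through the phishing proxy. The IdP sees the proxy's IP
    # and a satisfied MFA challenge: nothing here is anomalous by itself.
    ("2025-06-03T09:12:04", "alice@example.com", "signin", "198.51.100.23", True),
    # The attacker replays the session cookie from their own host and
    # immediately makes the access durable.
    ("2025-06-03T09:14:30", "alice@example.com", "mfa_method_added", "203.0.113.77", None),
    ("2025-06-03T09:15:02", "alice@example.com", "inbox_rule_created", "203.0.113.77", None),
    # Legitimate user adding a method from the same network hours after signing in.
    ("2025-06-03T10:00:00", "bob@example.com", "signin", "192.0.2.10", True),
    ("2025-06-03T13:45:00", "bob@example.com", "mfa_method_added", "192.0.2.10", None),
]


def detect_post_auth_persistence(events, window_minutes=60):
    """Flag persistence actions taken within `window_minutes` of the user's
    most recent sign-in. Severity is 'high' when the action comes from a
    different source IP than the sign-in (session replayed from attacker
    infrastructure) and 'medium' when only the timing is suspicious (the
    attacker may be operating through the same proxy that relayed the login).
    """
    last_signin = {}   # user -> (time, source_ip)
    findings = []
    # ISO-8601 timestamps sort correctly as strings.
    for ts, user, event, ip, _mfa in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if event == "signin":
            last_signin[user] = (t, ip)
            continue
        if event not in PERSISTENCE_ACTIONS or user not in last_signin:
            continue
        signin_time, signin_ip = last_signin[user]
        age = t - signin_time
        if age > timedelta(minutes=window_minutes):
            continue
        findings.append({
            "user": user,
            "action": event,
            "severity": "high" if ip != signin_ip else "medium",
            "reason": (f"{event} {int(age.total_seconds() // 60)} min after sign-in; "
                       f"sign-in from {signin_ip}, action from {ip}"),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_post_auth_persistence(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["user"], finding["reason"])
```

Two design points. The rule deliberately never inspects the sign-in's own attributes, because the article's premise is that they are clean; widening the window trades noise for coverage (at 300 minutes the legitimate user in the sample is flagged at medium severity), so the window is a tuning knob, not a fixed truth. And an action with no preceding interactive sign-in at all is skipped here but is worth its own rule, since a replayed refresh token or API token produces exactly that pattern.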
Why Training Does Not Close This Gap
The instinctive response to attacks that exploit human behavior is more awareness training. Teach users to scrutinize login prompts. Remind them not to approve MFA requests they did not initiate. Run simulated phishing campaigns.
None of this is wrong, exactly. But it does not address the structural problem.
A user being guided through a login by a helpful voice call, under time pressure, on a phishing site with a plausible URL, has very limited ability to distinguish that experience from a legitimate one. The MFA prompt looks identical to the real one. The login flow follows the same sequence. The reassurance from the voice on the other end is indistinguishable from genuine IT support.
Expecting users to make the right judgment call in that moment, reliably and at scale, is not a viable security control. Tycoon 2FA’s operators understood this. Their kits were specifically engineered to minimize the visual differences between a phishing page and the real thing, incorporating custom logos, backgrounds matched to the victim’s domain, and CAPTCHAs designed to look native. They built the kit to defeat human judgment, not to slip past it.
The Structural Problem: Authentication Without Consent
Authentication and consent are not the same thing. Authentication confirms who a user is. Consent confirms what they intend to do.
Real-time phishing exploits the space between these two concepts. A user authenticates believing they are accessing a legitimate service. The session that results benefits an attacker instead. The identity system never asks whether the authenticated user understands or agrees to who receives the result of that authentication.
SSO is excellent at confirming identity. It was not designed to confirm intent. The Microsoft Digital Defense Report 2024 flagged this directly: while standard MFA remains effective against conventional credential attacks, threat actors have shifted to AiTM techniques specifically because they exploit post-authentication trust rather than defeating authentication itself.
Source: Microsoft Digital Defense Report 2024
What Defense Actually Looks Like
Closing this gap requires controls that operate at the moment of high-risk action, not just at the moment of login.
High-risk actions should require verification that cannot be relayed in real time. An out-of-band challenge sent to a pre-enrolled device, requiring active confirmation from the legitimate user, cannot be proxied through a phishing site, and the attacker cannot complete it without physical access to that device. One caveat matters in practice: a bare approve-or-deny push is not enough, because the same caller who talked the victim through the MFA prompt will talk them through that one too. The challenge has to show what is being approved, which action on which account, so that what the user confirms is the thing the attacker is actually trying to do.
The Canadian Centre for Cyber Security’s analysis found this directly in their data: phishing-resistant MFA and registered device conditional access policies broke the AiTM attack chain regardless of whether the kit was a traditional or proxy-based variant. The control difference was not awareness; it was architecture.
Support workflows should verify the human making a request, not the session state of a caller. A valid session is not sufficient proof that the person requesting account changes is the account holder. Account recovery and MFA enrollment should be treated as privileged operations. These are the actions that establish long-term access. Treating them as routine support tickets is what gives attackers their persistence window.
The goal is not to detect the attack after it succeeds. It is to make relay attacks structurally unable to produce the outcome the attacker is looking for.
Frequently Asked Questions
What is adversary-in-the-middle (AiTM) phishing?
AiTM phishing places a malicious proxy between a victim and a legitimate service. When the victim enters credentials and completes MFA, the attacker intercepts both in real time and inherits a valid authenticated session. The authentication systems involved behave normally; the compromise occurs at the human and workflow layer.
Does phishing-resistant MFA stop AiTM attacks?
For the relay step, yes. FIDO2 and passkey authentication are origin-bound: the browser records the origin it is actually on in the signed client data and only offers credentials whose relying-party ID matches that origin, so a credential registered for the real service is not presented on the proxy's domain, and an assertion produced there would fail the relying party's origin check in any case. The Canadian Centre for Cyber Security found that phishing-resistant MFA consistently blocked AiTM attacks across all campaign variants analyzed between 2023 and 2025. Two caveats: weaker fallback methods (SMS, one-time codes, push approval) have to be disabled for the account, or the attacker simply steers the victim toward them; and help desk resets and re-enrollment sit outside the protocol's reach entirely.
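The contrast between a relayable factor and a domain-bound one is easier to see in code than in prose. The following is an added example for this article, not code from the article, from Tycoon 2FA, or from any real WebAuthn library. It first implements RFC 6238 TOTP and shows that a code forwarded within its 30-second step is accepted while one stored and submitted later is not (the sequence the article describes under "What Real-Time Phishing Actually Does"), then models the WebAuthn checks that stop the same proxy. The origins, shared secret and challenge are constructed. One deliberate simplification: the passkey's asymmetric signature is stood in for by an HMAC over the same bytes a real authenticator signs (authenticatorData followed by SHA-256 of clientDataJSON), so the "relying party" below holds the device secret where a real one would hold only the public key. What is faithful to WebAuthn is the part that matters: the browser, not the page, writes the origin into clientDataJSON and the rpIdHash into authenticatorData, the relying party checks both, and the signature covers both.

```python
"""TOTP relays; a WebAuthn assertion does not. Added example, not code from
the article or any real library. Origins, secrets and the challenge are
constructed; the passkey signature is an HMAC stand-in (see lead-in)."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example.com"        # legitimate service (constructed)
PHISH_ORIGIN = "https://login.example-mfa.net"   # AiTM proxy (constructed)
RP_ID = "login.example.com"


# ---- TOTP: the code is just data, so forwarding it live works --------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP using the RFC 4226 HOTP dynamic truncation."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def otp_relay(shared_secret: bytes, typed_at: int, submitted_at: int) -> bool:
    """The victim's app produces the code at typed_at; the real service checks
    whatever arrives at submitted_at. Stored and used minutes later, the code
    has rolled over; forwarded by a proxy within the same step, it is accepted."""
    code_from_victim = totp(shared_secret, typed_at)
    return hmac.compare_digest(code_from_victim, totp(shared_secret, submitted_at))


# ---- WebAuthn: the assertion is bound to the origin the browser saw --------
class Passkey:
    """Stand-in for a FIDO2 authenticator. A real one signs with a private key
    that never leaves the device; this one uses HMAC with a device secret."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, auth_data: bytes, client_data_json: bytes) -> bytes:
        message = auth_data + hashlib.sha256(client_data_json).digest()
        return hmac.new(self.secret, message, hashlib.sha256).digest()


def browser_get_assertion(key: Passkey, challenge: str, page_origin: str):
    """What navigator.credentials.get() returns. The browser fills in the
    origin and the rpIdHash from the page it is really on; page script, or a
    proxy serving that page, cannot choose different values."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    effective_domain = page_origin.removeprefix("https://").split("/")[0]
    auth_data = hashlib.sha256(effective_domain.encode()).digest() + b"\x01"  # rpIdHash || flags
    return client_data, auth_data, key.sign(auth_data, client_data)


def relying_party_verify(key: Passkey, challenge: str, client_data: bytes,
                         auth_data: bytes, signature: bytes) -> str:
    """The checks WebAuthn requires of a relying party, in order."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("challenge") != challenge:
        return "rejected: challenge mismatch"
    if data.get("origin") != REAL_ORIGIN:
        return "rejected: origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rejected: rpIdHash mismatch"
    if not hmac.compare_digest(key.sign(auth_data, client_data), signature):
        return "rejected: signature does not cover presented data"
    return "accepted"


def webauthn_scenarios():
    key = Passkey()
    challenge = secrets.token_urlsafe(32)            # issued by the real service
    # 1. Victim on the real origin.
    cd, ad, sig = browser_get_assertion(key, challenge, REAL_ORIGIN)
    legit = relying_party_verify(key, challenge, cd, ad, sig)
    # 2. Victim on the phishing proxy; proxy forwards the assertion unchanged.
    cd, ad, sig = browser_get_assertion(key, challenge, PHISH_ORIGIN)
    relayed = relying_party_verify(key, challenge, cd, ad, sig)
    # 3. Proxy rewrites origin and rpIdHash to the real values before forwarding.
    patched_cd = json.dumps({**json.loads(cd), "origin": REAL_ORIGIN}).encode()
    patched_ad = hashlib.sha256(RP_ID.encode()).digest() + ad[32:]
    tampered = relying_party_verify(key, challenge, patched_cd, patched_ad, sig)
    return legit, relayed, tampered


if __name__ == "__main__":
    print("TOTP relayed within step:", otp_relay(b"constructed-seed", 1_700_000_000, 1_700_000_003))
    print("TOTP stored for later:  ", otp_relay(b"constructed-seed", 1_700_000_000, 1_700_000_300))
    print("WebAuthn (legit, relayed, tampered):", webauthn_scenarios())
```

In a real browser, scenario 2 fails even earlier than the model shows: a page on the proxy's domain cannot request a credential for an RP ID that is not a registrable suffix of its own domain, so the victim is never shown a passkey prompt at all. Scenario 3 is the point worth remembering when evaluating "phishing-resistant" claims: the proxy can see every byte, but the fields that identify where the user really was are under the signature, so rewriting them is the same as forging one.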
How does vishing make real-time phishing more effective?
A voice call creates urgency, context, and trust that text-based phishing cannot replicate. The attacker guides the victim through the authentication flow in real time, handling objections and reducing hesitation. This is particularly effective against help desk workflows where agents are trained to be helpful and resolve issues quickly.
What should organizations audit to assess their AiTM exposure?
Start with the actions that produce the most persistent access: password resets, MFA device enrollment, role changes, and API token creation. For each, ask whether a user can be guided through the process by someone on a voice call, and whether any verification step in that workflow can be relayed or bypassed by someone controlling the audio of that call.
What Security Leaders Should Review Now
The practical question is: where in your environment can an authenticated session trigger a high-impact, hard-to-reverse outcome? Password resets. Device enrollment. Role changes. Data exports. Administrative actions.
For each of those, ask: can a user be guided through this process by someone on a call? If yes, what additional verification exists that cannot be relayed or faked by someone controlling the audio of that call?
That is the gap real-time phishing exploits. It is also where phishing-resistant identity verification closes the loop.
The Broader Picture
Boards and executives find these incidents difficult to process. The question they ask most often is some version of: we deployed MFA, we have SSO, why did that not help?
The answer is that those controls worked. They were stepped around, not broken. That distinction is uncomfortable, because it means that further investment in the same category of tools will not address the underlying problem.
The underlying problem is that workflows built around authentication have not been updated to account for attacks that use authentication as a vector rather than a target. Real-time phishing does not defeat MFA. It uses MFA to authenticate an attacker.
In 2026, attackers do not need to break identity systems. Tycoon 2FA proved that point at scale, and the platform Europol and Microsoft dismantled in March was the largest example, not the last. The techniques it packaged remain available. The kits will evolve. New services will emerge. The economics of AiTM phishing are too favorable for the problem to go away because one platform was taken down.
Until security programs treat human workflow as a first-class attack surface, the gap will remain open.
See How Trusona Protects Against Real-Time Phishing
Trusona ATO Protect verifies identity at the moment of high-risk actions, out-of-band, in a way that cannot be proxied or relayed in real time.
Sources
- Microsoft Security Blog, “Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale,” March 2026
- Europol / Shadowserver Foundation, Tycoon 2FA phishing-as-a-service disruption, March 2026
- Canadian Centre for Cyber Security, “Defending against adversary-in-the-middle threats with phishing-resistant MFA,” ITSM.30.031, December 2024
- FBI / CISA Joint Cybersecurity Advisory AA23-320A, “Scattered Spider,” updated July 2025
- Microsoft Digital Defense Report 2024
- Japan Financial Services Agency, unauthorized trading incident reports, 2025
- Proofpoint, AiTM phishing campaign analysis, April 2025
- Barracuda Networks, Tycoon 2FA threat spotlight, January 2025