Adversary-in-the-Middle (AitM) phishing is a rapidly growing threat that can bypass MFA and capture session tokens in real time. Even careful users and organisations with strong security policies are at risk. To help protect users, Eye Security has developed Microsoft AitM Phishing Block, a free browser extension for Chrome and Edge.
Curious about the technical details? Read our technical blog on Microsoft AitM phishing block.
Over the past year, Eye Security’s research team has observed AitM phishing accelerating across Europe. That is why we decided to take action and build a simple, accessible tool to help prevent these attacks at the moment they matter most: the login screen itself.
The browser extension Microsoft AitM Phishing Block helps users protect Microsoft logins and stop malicious Microsoft-style login pages before any credentials are entered.
▶️ Watch the demo below to see AitM Phishing Block in action:
Why AitM phishing attacks succeed against Microsoft 365 accounts
Attacker-in-the-Middle (AitM) phishing attacks succeed because they exploit trust. Users see what appears to be a legitimate Microsoft login page. This login page loads dynamic content from Microsoft and behaves exactly as expected. There are no spelling mistakes, no incorrect logos, and no broken images.
Behind the scenes, however, cyber criminals intercept the authentication flow, capturing passwords and MFA tokens. With those tokens, attackers can enter accounts as if they were the legitimate user. Even organisations enforcing MFA across their entire workforce can be vulnerable.
Anyone can fall for this. The interaction feels normal, and users are accustomed to entering their password and MFA code without hesitation. What they cannot see is that a malicious server is acting as an invisible middle layer. Everything typed on the page is captured immediately, including the MFA token needed to complete authentication.
This makes AitM one of the most effective ways to compromise Microsoft 365 environments, even in organisations that enforce MFA across their entire workforce.
Microsoft AitM Phishing Block: protecting your organisation's Microsoft 365 logins
During our threat research, we found a consistent pattern. Even though AitM pages proxy real Microsoft content, certain visual elements remain predictable, especially the familiar blue Microsoft sign-in buttons. These elements are difficult for attackers to disguise without breaking the user experience.
Microsoft AitM Phishing Block uses this insight to protect users. The free AitM phishing prevention tool scans each webpage for suspicious Microsoft-style login buttons and alerts the user when a page behaves like a potential AitM trap. The warning appears before the user enters any information, stopping the attack at the earliest stage.
The extension works quietly in the background and does not interfere with legitimate Microsoft services. Normal browsing continues as usual. It only activates when it detects patterns commonly seen in AitM phishing campaigns.
Getting started with Microsoft AitM Phishing Block
- Go to the Chrome Web Store and click Add to Chrome.
- Confirm the installation by selecting Add extension.
- You will see the extension icon appear in the top right corner of your browser. If it is not visible, click the puzzle icon and pin it for easy access.
By clicking the extension icon, you can enable or disable AitM Phishing Block at any time.
Combining prevention and detection for maximum identity security
AitM Phishing Block is a practical example of how small preventive tools can disrupt major attack techniques. Stopping unsafe login pages directly in the browser reduces the likelihood of account compromise and gives users an additional layer of confidence during authentication.
At the same time, we know attackers continue to evolve. That is why we combine prevention with continuous monitoring, detection and 24/7 response. Even if one layer fails, another one is ready to contain the threat before damage occurs.
AitM phishing is only one of many identity-based techniques we track. New variants will follow, but every blocked login attempt helps strengthen the resilience of organisations across Europe.
Free for everyone to use
We are releasing Microsoft AitM Phishing Block free of charge as part of our mission to protect Microsoft 365 accounts from AitM phishing and keep Europe safe. The threat does not stop at the boundaries of any single organisation, and neither should protection.
Install the extension from the Chrome Web Store here.
Curious about how we help organisations strengthen identity security as part of a complete cyber defence strategy? Get in touch using the button below.
Frequently Asked Questions (FAQ)
What is AitM phishing?
Adversary-in-the-Middle (AitM) or an Attacker-in-the-Middle phishing is a sophisticated attack where a malicious server sits between the user and a legitimate login page (like Microsoft 365). It captures credentials and Multi-Factor Authentication (MFA) tokens in real time, allowing attackers to log in as the user.
How does AitM phishing work?
The attacker creates a login page that looks identical to the official service. When you enter your credentials or MFA code, the malicious server intercepts them before they reach the real service. Even MFA codes, which normally protect your account, can be stolen and reused instantly.
Why is AitM phishing so successful?
Several factors make AitM phishing highly effective:
- Visual authenticity. Pages appear identical to the legitimate login screen.
- Dynamic content. The page can load real elements from the official service, so nothing looks “off” to the user.
- User trust. Users expect to enter credentials and MFA codes routinely, making it easy to exploit habits.
- Bypasses MFA. Traditional MFA protections alone cannot stop this attack, because tokens are captured in real time.
Who is at risk of AitM phishing?
Anyone using MFA-protected accounts can be targeted.
How does Microsoft AitM Phishing Block help?
The extension scans pages for suspicious Microsoft-style login patterns and alerts the user before credentials are entered, stopping the attack at the login stage. It works alongside existing security measures, like MFA, rather than replacing them.
Which browsers are supported?
Microsoft AitM Phishing Block currently supports Chrome and Edge.
Can Microsoft AitM Phishing Block interfere with normal Microsoft logins?
No. The extension only activates when it detects suspicious Microsoft-style login pages and does not affect legitimate login flows.
Can Microsoft AitM Phishing Block be deployed organisation-wide?
Yes. IT teams or MSPs can deploy the extension centrally to protect all users.
Is Microsoft AitM Phishing Block really free?
Yes. The extension is completely free to use as part of Eye Security’s mission to enhance identity security across Europe.
Will Microsoft AitM Phishing Block protect against all phishing attacks?
The extension is specifically designed for AitM phishing targeting Microsoft 365 logins. It should be used alongside broader identity security measures for complete protection.
