(713) 965-7200
(713) 965-7200
Cybersecurity

The “AiTM” Bypass: Why Standard MFA is No Longer a Legal Safety Net

Zachary Kitchen
  • 9 Apr 2026
The “AiTM” Bypass Why Standard MFA is No Longer a Legal Safety Net

Article summary: MFA bypass for law firms is now common because AiTM phishing can steal session tokens after a user completes MFA. Standard MFA still helps, but it’s no longer a complete safety net against session theft and prompt abuse. Phishing-resistant sign-in, session-aware controls, and active monitoring turn MFA back into meaningful protection for client data.

It’s the kind of moment that makes law firms feel safe.

An attorney signs in, gets the MFA prompt, approves it, and moves on. The system did what it was supposed to do. The login was “secure.”

Then the uncomfortable question shows up later, usually after an inbox rule appears, a client email goes missing, or a wire change request looks a little too polished: How did someone get in if MFA worked?

That’s the reality behind MFA bypass for law firms. 

Standard MFA still blocks a lot of attacks, but it’s no longer a complete safety net. Some phishing attacks don’t fight MFA at all. They let you complete it, then steal the authenticated session and reuse it.

What “AiTM” Means

AiTM stands for Adversary-in-the-Middle. It’s a phishing attack designed to sit between your user and the real login page, often as a reverse proxy that looks and behaves legitimately.

Here’s the key difference from “classic” phishing: the goal isn’t just to steal a password. The goal is to steal the session created after a successful login.

In a typical AiTM flow, the user clicks a link, lands on a look-alike sign-in page, and enters their credentials. The attacker’s infrastructure relays that login to the real service in real time. When the real service prompts for MFA, the user completes it. Everything feels normal, because the login is actually happening.

But behind the scenes, the attacker captures the session cookie/token that proves the user is already authenticated. With that token, the attacker can often reuse the session from their own device without needing the password again. 

That’s the heart of MFA bypass for law firms. The attacker isn’t beating MFA. They’re stepping around it by stealing what MFA helped create.

This is also why modern phishing often stacks tactics like QR lures, AI-written messages, and MFA bypass techniques. It’s designed to get a real login, not just a click. 

Why Standard MFA Is No Longer a Safety Net

Standard MFA (SMS codes, one-time codes, push prompts) is still worth having. It stops a huge number of credential-stuffing and password-only attacks. But it’s no longer a guaranteed safety net because AiTM attacks are built for environments where MFA is already turned on.

Microsoft’s research on the Tycoon2FA phishing platform describes this at scale. The kit relays the real sign-in flow, presents the real MFA prompt, and then captures the session cookie after MFA succeeds. The attacker can then use that authenticated session to access the account even if the password is later changed. 

Microsoft’s Entra team also notes that AiTM phishing is rising, reporting a 146% increase over the prior year based on their detections. 

And this isn’t just a Microsoft viewpoint. CISA has warned that tools like Evilginx can be used to bypass non-phishing-resistant MFA by capturing and replaying session tokens. 

What Actually Works Against AiTM

AiTM attacks succeed when they can steal the authenticated session. So the defenses have to be phishing-resistant and session-aware.

1.) Move to phishing-resistant sign-in

Passkeys are the most effective solution available against AiTM-style phishing because they’re designed to authenticate to the real domain, not a look-alike proxy. 

In practice, this means prioritizing passkeys/security keys for high-risk accounts first, then expanding.

2.) Add session controls

AiTM is a session theft problem, so you need controls that detect and restrict risky sessions. 

Microsoft’s guidance on evolving identity attacks emphasizes using Conditional Access and risk signals to respond to suspicious sign-ins and potential token theft attempts. It also points to tightening who can register authentication methods and limiting risky flows. 

For a small firm, that can look like: blocking sign-ins from impossible locations, requiring compliant devices for sensitive apps, and forcing reauthentication when risk is high.

3.) Make MFA prompts harder to abuse

Even outside AiTM, attackers still lean on approval pressure. Push-bombing is a common tactic: repeated prompts until someone clicks approve out of frustration or distraction. 

IT professionals suggest implementing practical protections like tightening MFA settings, reducing prompt fatigue, and training users to deny/report unexpected prompts. 

This matters because “standard MFA” fails both ways. It can be socially engineered, and it can be bypassed via session theft.

4.) Treat identity as an operational system

The fastest way AiTM becomes a real incident is when nobody notices the strange session for days. You need monitoring for unusual sign-ins, new inbox rules, new OAuth consents, and unexpected device registrations. You also need a clear response playbook to revoke sessions and reset credentials quickly.

This is where ongoing managed IT and security support matters for law firms. Access control, monitoring, training, and response readiness aren’t one-time projects.

Protect Client Data at the Identity Layer

Email and cloud access are where client confidentiality lives day to day. That’s why MFA bypass for law firms is such a serious issue: it turns a “successful” MFA login into a session theft problem that can look normal until damage is done.

If you want help tightening identity controls and reducing AiTM exposure without slowing attorneys down, contact Digital Crisis. We’ll review your current MFA setup, identify the biggest session risks, and build an upgrade plan your firm can actually follow.

Article FAQs

What is an AiTM phishing attack?

AiTM (adversary-in-the-middle) phishing is a type of attack where the attacker sits between the user and the real login page. The user signs in and completes MFA, but the attacker captures the authenticated session token/cookie. That session can then be reused to access the account.

Can hackers bypass MFA even if I approved the right prompt?

Yes. Some AiTM attacks don’t need you to approve the “wrong” prompt. They relay the real sign-in flow and capture the session after MFA succeeds, which can allow access without triggering MFA again.

What’s the difference between MFA and phishing-resistant MFA?

Standard MFA adds a second step (code or push approval) but can still be bypassed by session theft or prompt fatigue. Phishing-resistant MFA (like passkeys or security keys) is designed to authenticate to the real site and is much harder to proxy and replay in an AiTM attack.

Zachary Kitchen
Zachary Kitchen is the founder and CEO of Digital Crisis, where he helps law firms and businesses protect sensitive data, prevent downtime, and get more from their technology. With experience supporting over 7,000 organizations, he specializes in practical cybersecurity and IT strategies that improve day-to-day efficiency, not just security on paper.

Get Your Free Cybersecurity Guide

Protect your business with expert tips. Fill out the form to download our comprehensive guide and enhance your cybersecurity.

This field is for validation purposes and should be left unchanged.

By downloading you’re confirming that you agree with our Terms and Conditions.

What business owners are saying about us...

Read testimonials from satisfied clients who trust Digital Crisis for their IT needs. Discover how we’ve helped businesses like yours.

Quote icon

When Our Server Crashed, I Expected Downtime For Days, They Had Us Back in Hours

As a small law firm, we needed reliable IT support that wouldn’t break the budget—but still delivered at the highest level. Digital Crisis gave us exactly that.
 
They helped us modernize our systems, move to the cloud, and streamline how we work. Now our team can securely access everything we need from anywhere—and we’ve never been more efficient.
 
When our server went down unexpectedly, they had us fully operational again within three hours. No panic. No delays. Just fast, professional support when we needed it most.
 
With Digital Crisis, we feel like we have a world-class IT department—without the overhead.
Scott Davenport
Managing Attorney, Davenport Law Firm
Quote icon

We Knew Something Had to Change

As a managing partner of our firm, I needed a technology partner who understood urgency—and our old IT company just didn’t get it. Every time we had an issue, we were forced to submit a ticket just to speak with someone. No one ever answered the phone. Everything felt like a battle, and we were stuck in a long-term contract with no flexibility.

 

When I called Digital Crisis, they picked up immediately. No ticket. No runaround. Just answers. Within minutes, they had already started helping us.

 

Looking back, I wish we had made the switch sooner. I didn’t need to be a tech expert—I just needed to make one good decision for my team. Now our systems are secure, we actually get support when we need it, and I don’t have to worry about IT holding us back.

 

If you’re tired of being ignored by your IT guy, do what I did. Take back control. Call Digital Crisis.

Rudy Culp
Managing Partner, Horrigan & Goehrs, LLP
Quote icon

I Couldn’t Afford IT Headaches When Starting My Firm

As the Managing Partner of a newly established law firm, I can confidently say that the seamlessness of our start-up is due in large part to the exceptional IT support provided by Zach and the team at Digital Crisis. From day one, they have been more than just a service provider—they've been true partners in our success.

Zach and his team have an incredible ability to anticipate our needs before we even voice them. Their proactive approach, deep expertise, and commitment to keeping our systems secure and efficient have given us the confidence to focus fully on building our practice.

Having reliable IT support is critical in the legal field, where security and uptime are non-negotiable. Thanks to Digital Crisis, we’ve had both—plus the peace of mind that comes from knowing we’re in capable hands. We couldn’t ask for a better tech partner.

Stacy Kelly
Mangaing Partner, Texas Probate Attorney, PLLC
Quote icon

They’re a Valuable Member of Our Team

Zach is great at explaining to us about our IT in plain-speak, rather than “geek-speak.” I genuinely feel like hiring Digital Crisis was the best decision I’ve made for my firm. If you want an IT expert who charges reasonable rates and is not just an IT guy, but a valuable member of your team, call Zach.
Keith Morris
Founder, Surplus Attorneys
Quote icon

My Firm Runs Like a Well-Oiled Machine

I’ve worked with Zach for over 15 years. Digital Crisis takes their time to understand my practice and doesn’t try to shove a cookie-cutter system down our throat. When Digital Crisis first came in, they took the time to understand our firm and helped streamline and modernize our processes.
Kelly Forester
Senior Partner, Matthews Forester Law Firm
Quote icon

My Firm’s Efficiency DOUBLED Overnight

I thought my firm was doing just fine with my previous IT setup- boy, was I wrong! Digital Crisis came in Updated Equipment and Technology. I wish I had used them ten years earlier when I first met Zach. You will be sold immediately by their knowledge, patience, and willingness to help.
Craig Ribbeck
Senior Partner, Ribbeck Law Firm
Quote icon

Digital Crisis Saves Us Thousands Every Year

We used to enter data quarterly that would easily take an average of two weeks each quarter to enter. Then, when Digital Crisis came in, they fully automated our process, taking minutes instead of weeks to process the same data, not only faster but more accurately, removing room for human error. The new system gets things done faster and saves us thousands every year in labor alone!
Sandy Hickey
Executive Assistant, PAS Online
Quote icon

We Make Money FASTER Because of Digital Crisis

In 2010, my business had an old DOS-based server from 1995 that ran our proprietary software, which crashed. If it weren’t for Zach, we’d have to start completely over! Not only was Digital Crisis able to restore all our data, but they were also able to migrate us to a modern system which allowed us to get paid faster and work remotely.
Sandra Van der Vorm
Owner, Vansteen Marine Supply
Quote icon

They Rescued My Practice

On a Friday, my practice had to be moved immediately without any notice. Digital Crisis not only managed to come out and get our IT up and running, but they had our phones and internet up and running by Monday morning, and we didn’t lose a single day of business!  I can’t recommend Zach and his team enough.
Marietta Cline, MD
Owner, Cline Pediatrics
Quote icon

I Never Lost a Day of Work During the Pandemic

Zach truly understands my firm’s needs and always provides valuable tips and tools to make my firm run more efficiently. For example, when the COVID pandemic hit in 2020, I didn’t lose a single day of work since Digital Crisis had me set up on their cloud system, and I could remote in from anywhere.
Pamela Stewart
Owner, Law Office of Pamela Stewart
read more from our clients

Protect Your Network Against Cyber Threats

Contact Digital Crisis for a network security consultation and ensure your business is safeguarded against cyber threats.

This field is for validation purposes and should be left unchanged.

Related Posts

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

AI Data Leak Prevention in Law Firms
AI
AI Data Leak Prevention in Law Firms
 Read More
Free scam phishing fraud vector
Cybersecurity
Is Your Invoice a Deepfake? Securing Your Accounts Payable Process Against Voice and Email Cloning
 Read More
Free hacker anonymous cybersecurity vector
Cybersecurity
Adversary-in-the-Middle Attacks: How Phishing Sites Steal Your Active Login
 Read More