What Is AitM Phishing and Why Does It Break MFA?
Adversary-in-the-middle (AitM) phishing places a reverse proxy between the victim and a legitimate login page. The victim sees what looks like the real site, because the proxy fetches the genuine page and serves it from the attacker's domain. They enter their credentials. They complete their MFA challenge. The attacker, sitting silently in the middle, captures the session cookie the service issues at the end of that exchange, in real time. This is not a brute-force attack on MFA and it does not crack passwords. It steals the proof that authentication already happened. By the time the victim finishes logging in, the attacker holds a valid session token that the service accepts without any further verification. MFA, as most organisations have deployed it, was never designed to defend against this. According to research published by Push Security in early 2025, a campaign targeting TikTok for Business accounts is using exactly this method, combined with Cloudflare Turnstile to keep automated scanners away from the phishing page. The result is a phishing kit that is harder to discover, harder to take down, and harder to defend against with conventional controls.
Why Are TikTok Business Accounts a Target Worth Attacking?
TikTok for Business accounts control advertising spend, audience targeting, and direct access to millions of followers. For threat actors, a compromised business account is not a trophy. It is a distribution channel. Once an attacker controls a verified business account, they can push malvertising to precisely targeted demographics using the account's existing ad budget. They can post content carrying malware links to an established, trusted audience. They can harvest personal data from the account's analytics dashboard. And because the account appears legitimate, victims are far less likely to question what they see. TikTok has a documented history of being abused for malware distribution. In late 2022, the 'Invisible Challenge' trend was exploited to spread the WASP stealer. Earlier campaigns used TikTok's algorithm to amplify fake investment schemes. Attackers understand that social media reach, combined with account credibility, multiplies the damage they can cause. Business accounts with established follower bases and active ad campaigns are the highest-value targets in that ecosystem.
How the Cloudflare Turnstile Evasion Changes the Threat
Cloudflare Turnstile is a CAPTCHA replacement that uses browser and behavioural signals to tell humans from bots without showing a puzzle. Site operators deploy it to keep automated traffic out. The same property cuts the other way for defenders: the automated crawlers that threat intelligence platforms, URL scanners and takedown services use to fetch and classify suspicious links are exactly the kind of client Turnstile is built to stop. When a phishing page sits behind Turnstile, those scanners receive the challenge rather than the phishing content, which slows detection and extends the attacker's operational window. In this campaign, the phishing infrastructure uses Turnstile as a shield rather than a gate. Automated platforms that crawl suspicious URLs hit a Turnstile challenge and cannot proceed. Human victims, by contrast, pass through without friction. The net effect is that the phishing page remains active longer before it appears in blocklists, URL filtering databases, or browser warnings. This is a meaningful operational improvement for attackers. The time-to-block for a phishing page that appears in multiple threat feeds is typically measured in hours. A page that evades automated scanning can remain live for days. That window is more than enough to compromise dozens of accounts. The practical lesson for defenders is that a scanner which cannot get past a challenge should report that it could not render the page, rather than reporting the page as clean.
What the Attack Chain Looks Like in Practice
The attack follows a pattern that security teams should recognise, even if the specific lure changes. Here is what Push Security's research describes. First, a target receives a message, typically via email or direct message, impersonating TikTok support or a business partner. The message creates urgency: an account policy violation, a pending suspension, a required verification step. Second, the target clicks a link that passes through Turnstile to what looks like the TikTok for Business login portal. It is not a static copy: the attacker's reverse proxy fetches the real login page and serves it under the phishing domain, and everything the victim types is forwarded to the real TikTok site in real time. Third, when TikTok sends an MFA code, the victim enters it on the proxied page. The proxy relays it immediately to TikTok, completing authentication. TikTok issues a session cookie in its response, and the proxy captures it before passing the page back to the victim. Fourth, the attacker loads that session cookie into their own browser and accesses the account from their own device. The victim's session may be terminated, or it may remain active; in some variants, victims notice nothing unusual until they attempt an action the attacker has already taken. The entire sequence can complete in under two minutes.
- Lure: Impersonation of TikTok support or a business partner, usually via email
- Evasion: Cloudflare Turnstile blocks automated scanners, extending the page's active life
- Credential theft: Reverse proxy relays login data to the real TikTok site in real time
- MFA bypass: Session cookie captured after the victim completes their own authentication
- Account takeover: Attacker accesses account using stolen session from a separate device
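The last step of the chain, the stolen cookie being presented from a different device, is also the step that leaves a trace in the service's own audit log. The following is an added example, not code from Push Security or from the original article, of the detection logic a security team could run over login and session-use events. The log format, field names and the sample events are constructed for the example; the constructed session s-7f3a is the stolen one, and s-91c0 is a legitimate phone changing networks, included to show that an IP change alone is not treated as theft.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in the shape a login audit log might export.
# Not real TikTok logs; the field names are assumptions for this example.
SAMPLE_EVENTS = """
{"ts":"2025-03-04T09:12:01Z","event":"login_success","user":"ads@example.co.uk","session":"s-7f3a","ip":"203.0.113.10","ua":"Mozilla/5.0 (Macintosh) Chrome/122","mfa":"totp"}
{"ts":"2025-03-04T09:12:40Z","event":"session_use","user":"ads@example.co.uk","session":"s-7f3a","ip":"203.0.113.10","ua":"Mozilla/5.0 (Macintosh) Chrome/122","action":"view_dashboard"}
{"ts":"2025-03-04T09:14:05Z","event":"session_use","user":"ads@example.co.uk","session":"s-7f3a","ip":"198.51.100.77","ua":"Mozilla/5.0 (Windows NT 10.0) Firefox/124","action":"export_audience"}
{"ts":"2025-03-04T09:30:00Z","event":"login_success","user":"cm@example.co.uk","session":"s-91c0","ip":"203.0.113.22","ua":"Mozilla/5.0 (iPhone) Safari/17","mfa":"push"}
{"ts":"2025-03-04T09:35:00Z","event":"session_use","user":"cm@example.co.uk","session":"s-91c0","ip":"198.51.100.5","ua":"Mozilla/5.0 (iPhone) Safari/17","action":"view_dashboard"}
"""

# Actions that justify a medium-severity alert when only the IP has changed.
SENSITIVE_ACTIONS = {"export_audience", "add_payment_method", "create_campaign", "change_email"}


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines events and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_reuse(events: list[dict], window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Flag a session cookie presented from a device other than the one that logged in.

    A changed User-Agent is high severity: a cookie does not change browser on its own.
    A changed IP alone is only flagged when it is soon after login and the action is
    sensitive, because phones move between networks all the time.
    """
    origins: dict[str, dict] = {}   # session id -> device that performed the login
    alerts = []
    for event in events:
        sid = event["session"]
        if event["event"] == "login_success":
            origins[sid] = {"ip": event["ip"], "ua": event["ua"], "ts": event["ts"]}
            continue
        if event["event"] != "session_use" or sid not in origins:
            continue
        origin = origins[sid]
        ua_changed = event["ua"] != origin["ua"]
        ip_changed = event["ip"] != origin["ip"]
        age = event["ts"] - origin["ts"]
        if ua_changed:
            severity = "high"
        elif ip_changed and age <= window and event.get("action") in SENSITIVE_ACTIONS:
            severity = "medium"
        else:
            continue
        alerts.append({
            "user": event["user"],
            "session": sid,
            "severity": severity,
            "seconds_since_login": int(age.total_seconds()),
            "login_from": f'{origin["ip"]} / {origin["ua"]}',
            "used_from": f'{event["ip"]} / {event["ua"]}',
            "action": event.get("action"),
        })
    return alerts


def run() -> list[dict]:
    """Run the detection over the constructed sample; returns the alert list."""
    return detect_session_reuse(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert, default=str))
```

On the sample above the detector raises one high-severity alert for s-7f3a, 124 seconds after login, and nothing for s-91c0. In production the login-origin table would be keyed by the session identifier the platform exposes in its audit export, and the response to a high-severity hit is to revoke that session, not just to alert.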
Why Conventional Email Security Does Not Catch This
Most organisations rely on email filtering to block phishing links before they reach users. That approach works when the malicious URL is already in a blocklist. Here, the Turnstile evasion means the URL is unlikely to be in any blocklist at the time it arrives in the inbox. Standard URL sandboxing fetches the linked page automatically and analyses its content. Turnstile defeats this: the sandbox sees a challenge page rather than the phishing page, and a scanner that treats 'nothing malicious rendered' as 'clean' passes the link through. The correct result for a page the scanner could not render is 'unverified', not 'clean', and a scanner that does not make that distinction is the gap this campaign exploits. This is where email security that includes real-time link analysis and post-delivery scanning earns its value. Coro's email security, for example, analyses links at the point of click rather than only at delivery, which gives it a later and more accurate view of what a URL actually resolves to. That does not make any email gateway infallible against novel evasion techniques; a click-time check still has to get past the challenge or treat the link as unverified. But it does close the gap that static, delivery-time scanning leaves open. The broader point is that this campaign is specifically engineered to fail the tools most organisations trust. Knowing that should inform how you think about your current email security posture.
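The point made in the two passages above, that a scanner stopped by Turnstile must not report the link as clean, is easiest to see as a verdict function. This is an added example, not code from Coro, Cloudflare or the original article. The Turnstile script URL is Cloudflare's published widget location and the `cf-mitigated: challenge` header is what Cloudflare's managed challenge sets on a challenge response; treating either as "unrendered" is this example's policy, and the sample responses, the placeholder hostnames and the brand keyword list are all constructed here.

```python
import re
from urllib.parse import urlparse

TURNSTILE_SCRIPT = "challenges.cloudflare.com/turnstile/v0/api.js"
PASSWORD_FIELD = re.compile(r"<input[^>]+type=[\"']?password", re.I)
BRAND_WORDS = ("tiktok for business", "business center", "ads manager")
# Hosts allowed to show this brand's login form. Placeholder, not TikTok's real hosts.
LEGIT_HOSTS = {"business.example.com"}

# Constructed responses as a URL scanner would see them: (url, status, headers, body).
SAMPLES = {
    "managed_challenge": ("https://verify-example.net/login", 403,
        {"Server": "cloudflare", "cf-mitigated": "challenge"},
        "<html><title>Just a moment...</title></html>"),
    "turnstile_gate": ("https://verify-example.net/login", 200, {"Server": "cloudflare"},
        '<html><script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>'
        '<div class="cf-turnstile" data-sitekey="0xAAAAexample"></div></html>'),
    "login_page": ("https://verify-example.net/login", 200, {"Server": "nginx"},
        '<html><h1>TikTok for Business</h1><form method="post"><input name="email">'
        '<input type="password" name="pw"></form></html>'),
    "benign": ("https://news.example.org/q1", 200, {"Server": "nginx"},
        "<html><p>Quarterly newsletter</p></html>"),
}


def classify(url: str, status: int, headers: dict, body: str) -> str:
    """Verdict for one fetch. 'unrendered' is a distinct verdict and is never folded into 'clean'."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    # Cloudflare managed challenge: the scanner was not shown the page at all.
    if h.get("cf-mitigated") == "challenge" or (status in (403, 503) and h.get("server") == "cloudflare"):
        return "unrendered"
    has_form = bool(PASSWORD_FIELD.search(body))
    # Turnstile widget with no form behind it: an interstitial gating the real content.
    if TURNSTILE_SCRIPT in body and not has_form:
        return "unrendered"
    if has_form:
        host = urlparse(url).hostname or ""
        if any(w in body.lower() for w in BRAND_WORDS) and host not in LEGIT_HOSTS:
            return "suspicious"
        return "credential_form"
    return "clean"


def next_action(verdict: str) -> str:
    """What the mail pipeline should do with each verdict."""
    return {
        "unrendered": "hold link; retry in a real browser and re-check at click time",
        "suspicious": "block and alert",
        "credential_form": "manual review",
        "clean": "deliver",
    }[verdict]


def scan_all(samples: dict = SAMPLES) -> dict:
    return {name: classify(*resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:18} {verdict:16} -> {next_action(verdict)}")
```

Both Cloudflare-gated samples come back as "unrendered" and are held rather than delivered; the brand-named login form on a non-brand host is "suspicious". The brand keyword check is deliberately crude, because the decisive signal in this campaign is not what the page says but that the scanner never saw it.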
How Should Businesses Defend Against AitM Phishing in 2025?
There is no single control that stops AitM phishing. That is uncomfortable, but it is accurate. What organisations can do is layer defences so that the attack chain breaks at one of several points before it completes. Passkeys and FIDO2 hardware tokens are the most direct answer to AitM. A TOTP code or a push approval is just a value the victim can type or tap on any page, so a proxy can relay it. A FIDO2 (WebAuthn) assertion is different: the browser writes the page's origin into the signed client data, and the credential is scoped to the relying party's domain, so the browser will not let a page on the attacker's domain ask for TikTok's credential, and even if it could, the relying party would reject an assertion signed over the wrong origin. There is nothing for the proxy to relay. TikTok for Business does not currently support FIDO2, which is a genuine limitation, but for internal systems and cloud platforms that do support it, this should be the default. Be clear about what FIDO2 does and does not cover: it stops the relay at login time, but a session cookie stolen after a legitimate login, for example by an infostealer, is still valid, so short session lifetimes and monitoring for a session used from an unexpected device still matter. Attack surface visibility matters here too. If your organisation does not know which employees have registered TikTok for Business accounts using corporate email addresses, you cannot monitor those accounts for takeover signals. Tools like Hadrian's attack surface management platform surface exactly this kind of external exposure. A corporate email linked to a third-party platform is part of your attack surface whether your IT team knows about it or not. Data exfiltration controls are the last line of defence once an account is compromised. When an attacker gains access to a TikTok Business account and begins extracting audience data, payment information, or advertising credentials, that data has to go somewhere. BlackFog's anti data exfiltration technology monitors and blocks unauthorised data movement at the device level, which can limit the damage even after an initial compromise. For organisations managing social media accounts across multiple markets, the risk profile multiplies. A New Zealand-based business running TikTok campaigns across the APAC region carries the same exposure as a UK-based counterpart. The attack does not respect geography.
- Adopt phishing-resistant MFA (FIDO2/WebAuthn passkeys, hardware tokens, or certificate-based authentication) wherever supported; these are the only MFA types that survive AitM relay
- Audit which corporate email addresses are registered to social media business accounts
- Use attack surface management to find external exposures your team has not catalogued
- Apply post-delivery link scanning rather than relying solely on delivery-time URL filtering
- Deploy data exfiltration controls to limit damage if account takeover does occur
- Train staff to recognise urgency-based lures, particularly those impersonating platform support
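The origin-binding argument above can be shown end to end by modelling the three parties in a WebAuthn assertion: the browser, the authenticator and the relying party. This is an added example written for this article, not code from TikTok, any passkey vendor or the Push Security research. The domains are placeholders (an assumed relying party `example.com` and an assumed phishing domain `example-login.net`), and the authenticator's signature is an HMAC stand-in for the real ECDSA signature, because the property demonstrated is what gets signed and checked, not the signature scheme. The `aitm_own_rpid_attempt` scenario is deliberately contrived so that a credential scoped to the attacker's domain exists; in reality the authenticator would simply have none.

```python
import base64
import hashlib
import hmac
import json
import os

# Assumed parties for the example; not TikTok's real domains.
RP_ID = "example.com"
RP_ORIGINS = {"https://business.example.com"}
PHISH_ORIGIN = "https://business.example-login.net"


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class Authenticator:
    """One credential per rpId. HMAC stands in for the private-key signature a real
    authenticator produces; a real RP would hold only the matching public key."""

    def __init__(self):
        self.creds: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        self.creds[rp_id] = os.urandom(32)
        return self.creds[rp_id]

    def sign(self, rp_id: str, data: bytes) -> bytes:
        key = self.creds.get(rp_id)
        if key is None:
            raise LookupError(f"no credential scoped to rpId {rp_id!r}")
        return hmac.new(key, data, hashlib.sha256).digest()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes, auth: Authenticator):
    """Models navigator.credentials.get(): the browser, not the page, writes the origin
    into clientDataJSON and refuses an rpId the page's domain is not entitled to."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"SecurityError: rpId {rp_id!r} is not valid for {page_origin}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64u(challenge), "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP|UV) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    signature = auth.sign(rp_id, auth_data + hashlib.sha256(client_data).digest())
    return client_data, auth_data, signature


def rp_verify(client_data: bytes, auth_data: bytes, signature: bytes,
              expected_challenge: bytes, key: bytes) -> str:
    """The relying party's checks on an assertion; returns 'ok' or the failing check."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != b64u(expected_challenge):
        return "challenge mismatch"
    if cd.get("origin") not in RP_ORIGINS:
        return f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return "bad signature"
    return "ok"


def legitimate_login() -> str:
    auth = Authenticator()
    key = auth.register(RP_ID)
    challenge = os.urandom(32)
    cd, ad, sig = browser_get_assertion("https://business.example.com", RP_ID, challenge, auth)
    return rp_verify(cd, ad, sig, challenge, key)


def aitm_relay_attempt() -> str:
    """The proxy forwards the real challenge and rpId to the victim on the phishing origin."""
    auth = Authenticator()
    auth.register(RP_ID)
    try:
        browser_get_assertion(PHISH_ORIGIN, RP_ID, os.urandom(32), auth)
    except PermissionError as exc:
        return f"browser refused: {exc}"
    return "unexpected success"


def aitm_own_rpid_attempt() -> str:
    """The kit asks for an rpId it is entitled to and relays the result to the real RP.
    Contrived so a credential for that rpId exists; the RP still rejects it."""
    auth = Authenticator()
    key = auth.register(RP_ID)
    auth.register("example-login.net")
    challenge = os.urandom(32)
    cd, ad, sig = browser_get_assertion(PHISH_ORIGIN, "example-login.net", challenge, auth)
    return rp_verify(cd, ad, sig, challenge, key)


if __name__ == "__main__":
    for fn in (legitimate_login, aitm_relay_attempt, aitm_own_rpid_attempt):
        print(f"{fn.__name__}: {fn()}")
```

The legitimate flow returns "ok"; the relay attempt never reaches the relying party because the browser refuses the rpId; and the contrived variant that does reach it fails on the origin check before the signature is even examined. Compare that with a TOTP code, which carries no origin at all and verifies identically no matter which page it was typed on.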
The Bigger Pattern: Session Hijacking Is Replacing Credential Theft
This campaign is part of a broader shift in how attackers approach identity theft. Stealing passwords has become progressively harder as password managers, breach detection services, and MFA adoption have increased. Stealing authenticated sessions is easier, faster, and sidesteps most of those controls entirely. The same AitM technique described here has been used against Microsoft 365, Google Workspace, and Okta environments. Toolkits like Evilginx2 and Modlishka have made AitM infrastructure accessible to attackers without specialist development skills. What was once a specialist technique is now a commodity available to criminal groups operating at scale. For UK businesses, the regulatory implications compound the operational ones. A compromised TikTok Business account that results in the exposure of customer data carries potential obligations under UK GDPR. If that account was used to serve malicious adverts to your audience, the reputational consequences are harder to quantify but no less real. The response is not panic. It is clarity about what your current controls can and cannot stop, and a realistic plan to address the gaps. If you are not sure where AitM phishing sits relative to your current defences, that question is worth answering before an attacker answers it for you. Kyanite Blue's managed security services provide continuous monitoring and threat intelligence analysis for exactly these kinds of evolving attack patterns. If you want a candid view of where your organisation stands, our team is available to assess it.
Frequently Asked Questions
Can multi-factor authentication stop AitM phishing attacks?
Standard MFA methods, including SMS codes, authenticator app TOTP codes, and push notifications, do not stop adversary-in-the-middle phishing. AitM attacks relay the MFA challenge in real time and capture the authenticated session before the victim realises anything is wrong. Phishing-resistant methods, meaning FIDO2 hardware tokens, passkeys and certificate-based authentication, resist this technique because the browser binds each authentication to the site's verified origin and the credential to the relying party's own domain, so there is no code or approval for the proxy to relay.
Why are TikTok for Business accounts targeted by phishing campaigns?
TikTok for Business accounts give attackers access to established audiences, advertising budgets, and trusted distribution channels. A compromised account can be used to push malvertising to precisely targeted users, distribute malware via organic content, and harvest stored customer data. The combination of reach and perceived legitimacy makes these accounts more valuable to attackers than individual personal accounts.
How does Cloudflare Turnstile evasion help attackers avoid detection?
Cloudflare Turnstile challenges automated scanners used by threat intelligence platforms and takedown services. When phishing pages sit behind Turnstile, automated tools see a CAPTCHA rather than malicious content, so the page does not enter blocklists as quickly. This extends the active lifespan of the phishing page from hours to potentially days, giving attackers a longer window to compromise victims.