‘Adversary in the middle attacks’ are becoming hackers’ go-to method to bypass MFA
Microsoft has warned businesses to be wary of an industry-wide shift in phishing tactics to get around MFA


Microsoft has announced it has taken legal action to disrupt over 240 fraudulent websites owned by an Egypt-based cyber crime group, noting the tactics deployed in the DIY phishing operation reflect a broader shift in the industry.
The firm published a blog revealing its Digital Crimes Unit (DCU) had disrupted the pages associated with Abanoub Nady, known online as MRxC0DER, who developed and sold DIY phishing kits fraudulently using the ONNX brand.
“Numerous cyber criminal and online threat actors purchased these kits and used them in widespread phishing campaigns to bypass additional security measures and break into Microsoft customer accounts,” Microsoft said.
Microsoft claimed the fraudulent ONNX operation reflected the “advancing sophistication of online threats”, using adversary in the middle (AiTM) techniques to bypass security layers like multifactor
AiTM attacks are a variant of man in the middle (MiTM) attacks, where cyber criminals intercept communications between two parties to steal data.
In an AiTM attack, the threat actors can also actively interfere with these communications, such as modifying the messages rather than simply relaying them.
The blog said AiTM attacks have become the “go-to” method used by malicious actors to bypass multifactor authentication (MFA) protection layers.
In the company’s annual Digital Defense report, Microsoft said it observed a 146% rise in AiTM attacks alone this year.
Microsoft also noted that the Financial Industry Regulatory Authority (FINRA) recently published an alert warning of a spike in AiTM attacks against members fueled by the fraudulent ONNX operation.
Fake ONNX project one of the most popular PhaaS providers in first half of 2024
The tech giant found the fraudulent ONNX operation was among the top five phishing as a service (PhaaS) providers by email volume in the first half of 2024.
Nady promoted his DIY phishing kits through Telegram, offering a variety of subscription tiers ranging from $150 to $550 per month, with kits developed to target popular companies including Google, Microsoft, and Dropbox.
“Much like how e-commerce businesses sell products, Abanoub Nady and his associates marketed and sold their illicit offerings through branded storefronts, including the fraudulent ‘ONNX Store’,” the blog noted.
The original ONNX name and logo used by Nady is owned by the Linux Foundation and represents the Open Neural Network Exchange, an open standard format and open source runtime for representing machine learning models.
“At the Linux Foundation, we advocate collaboration as a powerful tool for tackling complex challenges. Today, we celebrate our recent collaboration with Microsoft to defend millions of individuals and organizations from a global phishing-as-a-service criminal operation.”
“We encourage organizations who find themselves in a position to fight one element of a cybercrime problem to identify ways to collaborate and build a stronger collective response.”
Microsoft noted that “no disruption is complete in one action”, adding that combatting operations like Nady’s ONNX requires determination and ongoing vigilance to keep disrupting new malicious infrastructure.
The blog warned that cyber criminals will continue to evolve their methods, adding that it is crucial for organizations and individuals to stay informed and vigilant for the latest techniques leveraged by adversaries.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.