Jake Marchese | SOC Analyst | 21 May 2026

Date: Monday 16 June 2026, 10:00am AEST
Presenter: Jake Marchese, SOC Analyst, Fortian
Format: Webinar with Q&A

Register Now

About This Webinar

Multi-factor authentication has long been considered the gold standard for protecting user accounts. But a class of attack known as Adversary-in-the-Middle (AiTM) renders traditional MFA ineffective — and the user never knows it happened.

AiTM attacks use reverse proxy infrastructure to position an attacker-controlled server between the victim and a legitimate authentication endpoint such as Microsoft 365. The victim sees the real login page, enters their credentials and completes MFA as normal, and is redirected to the legitimate service. But the proxy has already captured the authenticated session token, giving the attacker full access to the victim's account without ever needing the MFA code themselves.

In this webinar, Fortian SOC analyst Jake Marchese will provide a comprehensive deep-dive into how these attacks work, demonstrate an end-to-end attack, and show you how to detect and defend against them.

What You'll Learn

• What AiTM is — how reverse proxy phishing differs from traditional credential harvesting, and why MFA alone doesn't stop it
• Token theft mechanics — how session cookies and OAuth tokens are intercepted, and what attackers do with them (mailbox access, BEC inbox rules, MFA device registration, data exfiltration)
• Attacker infrastructure — the DNS, domain, and proxy setup behind an AiTM campaign, including tools like Evilginx
• The PhaaS ecosystem — how Phishing-as-a-Service platforms have industrialised AiTM, allowing low-skill actors to run sophisticated campaigns via subscription platforms
• Attack demonstration — an end-to-end walkthrough of an AiTM attack flow showing the victim experience and token capture
• Detection strategies — how to identify AiTM compromise in Microsoft Sentinel, including sign-in anomalies, missing MFA claims, impossible travel, user-agent discrepancies, and post-compromise indicators
• Defensive measures — FIDO2/passkeys, token binding with Continuous Access Evaluation (CAE), device compliance policies, and tuned Sentinel detection rules

Who Should Attend

This webinar is designed for security operations teams, IT administrators, and anyone responsible for protecting Microsoft 365 environments. Whether you're a SOC analyst looking to improve your detection capabilities or a security leader evaluating your organisation's exposure to token theft, this session will provide practical, actionable insights drawn from real-world incidents investigated by Fortian's SOC.

Register Now