Beyond Phishing: Detecting MFA Fatigue and Adversary-in-the-Middle at Scale
A Practical Playbook for Blue Teams in Resource-Constrained Environments
Keywords:
cybersecurity, phishing, MFA fatigue, adversary-in-the-middle, detection engineering, identity telemetry, SIEM, blue team, incident response

Abstract
This study proposes a defender-centric strategy to detect and contain two fast-rising attack patterns—MFA fatigue and Adversary-in-the-Middle (AiTM)—without relying on expensive tooling. We introduce a lightweight pipeline that fuses identity telemetry (push frequency anomalies, impossible travel), web gateway indicators (suspicious reverse-proxy domains), and endpoint signals (token theft heuristics) into actionable detections. Evaluated across 15 small-to-medium organizations, the approach reduced median time-to-detect by 63% and cut successful account takeovers by 41% over eight weeks. We document failure modes (e.g., noisy travel baselines), provide hardening tips (phishing-resistant MFA, conditional access, token binding), and publish query patterns that can be adapted to common SIEM/XDR platforms. The results indicate that defenders can meaningfully blunt modern phishing and session-hijacking campaigns with modest engineering effort and targeted telemetry enrichment.
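The abstract names three signal families (push-frequency anomalies, impossible travel, token-theft heuristics) and one failure mode (noisy travel baselines) without showing the logic. The following is an added illustration, not code from the paper or its authors: each detection runs over constructed sign-in events so the rules can be read and exercised offline. The event field names, the thresholds (four rejected pushes within ten minutes, 900 km/h, a one-hour replay window), the egress allowlist and every sample record are assumptions made for this example.

```python
"""Added example, not from the paper: compact detections for the abstract's
three signal families over constructed sign-in events. Field names,
thresholds and the sample records below are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    ip: str
    lat: float
    lon: float
    kind: str  # "mfa_denied" | "mfa_timeout" | "mfa_approved" | "token_use"
    session_id: str = ""  # set on approvals (token minted) and on token_use

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def by_user(events, kinds):
    """Group the selected event kinds per user, oldest first."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind in kinds:
            groups[e.user].append(e)
    return groups

def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_rejections=4):
    """MFA fatigue: a burst of denied/expired pushes followed by an approval
    (the user finally gave in). Returns (user, approval time, rejections)."""
    alerts = []
    for user, evs in by_user(events, {"mfa_denied", "mfa_timeout", "mfa_approved"}).items():
        for i, e in enumerate(evs):
            if e.kind != "mfa_approved":
                continue
            rejected = sum(1 for p in evs[:i]
                           if p.kind != "mfa_approved" and e.ts - p.ts <= window)
            if rejected >= min_rejections:
                alerts.append((user, e.ts, rejected))
    return alerts

def detect_impossible_travel(events, max_kmh=900.0, known_egress=frozenset()):
    """Consecutive approvals whose implied speed exceeds max_kmh. IPs in
    known_egress (VPN/cloud egress that geolocates far from the user) are
    dropped first: the noisy-baseline failure mode, handled by allowlisting."""
    alerts = []
    for user, evs in by_user(events, {"mfa_approved"}).items():
        evs = [e for e in evs if e.ip not in known_egress]
        for a, b in zip(evs, evs[1:]):
            hours = max((b.ts - a.ts).total_seconds(), 60) / 3600  # floor at 1 min
            kmh = haversine_km(a.lat, a.lon, b.lat, b.lon) / hours
            if kmh > max_kmh:
                alerts.append((user, a.ip, b.ip, round(kmh)))
    return alerts

def detect_token_replay(events, window=timedelta(hours=1)):
    """Token-theft heuristic for AiTM: a session minted by an approval from
    one IP is presented from a different IP shortly afterwards."""
    minted = {e.session_id: e for e in events if e.kind == "mfa_approved" and e.session_id}
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        origin = minted.get(e.session_id) if e.kind == "token_use" else None
        if origin and e.ip != origin.ip and timedelta(0) <= e.ts - origin.ts <= window:
            alerts.append((e.user, e.session_id, origin.ip, e.ip))
    return alerts


T0 = datetime(2024, 3, 4, 9, 0)
CORP_VPN = frozenset({"198.51.100.7"})  # constructed allowlist entry
BER, SYD, NYC = (52.52, 13.40), (-33.87, 151.21), (40.71, -74.01)
# Constructed telemetry on documentation IP ranges; not real observations.
SAMPLE_EVENTS = [
    # alice: five rejected pushes in eight minutes, then an approval -> fatigue
    *[Event(T0 + timedelta(minutes=m), "alice", "203.0.113.9", *BER, "mfa_denied")
      for m in (0, 2, 3, 5, 7)],
    Event(T0 + timedelta(minutes=8), "alice", "203.0.113.9", *BER, "mfa_approved", "S1"),
    # bob: approval in Berlin, session S2 replayed from Sydney 20 min later, then a
    # fresh approval from Sydney -> token replay and impossible travel
    Event(T0, "bob", "203.0.113.20", *BER, "mfa_approved", "S2"),
    Event(T0 + timedelta(minutes=20), "bob", "192.0.2.44", *SYD, "token_use", "S2"),
    Event(T0 + timedelta(minutes=30), "bob", "192.0.2.44", *SYD, "mfa_approved", "S3"),
    # carol: Berlin, then the corporate VPN egress geolocated in New York;
    # flagged only when that egress is not allowlisted
    Event(T0, "carol", "203.0.113.31", *BER, "mfa_approved", "S4"),
    Event(T0 + timedelta(minutes=15), "carol", "198.51.100.7", *NYC, "mfa_approved", "S5"),
]

if __name__ == "__main__":
    print(detect_mfa_fatigue(SAMPLE_EVENTS))
    print(detect_impossible_travel(SAMPLE_EVENTS, known_egress=CORP_VPN))
    print(detect_token_replay(SAMPLE_EVENTS))
```

Running the block flags alice for fatigue, bob for both impossible travel and token replay, and stays quiet on carol only because her second hop comes from the allowlisted VPN egress; remove the allowlist and carol is flagged too, which is the noisy-baseline behaviour the abstract warns about. Each function is a group-by-user windowed aggregation, so the same logic translates directly into the scheduled-query style of most SIEM/XDR platforms.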