Beyond Phishing: Detecting MFA Fatigue and Adversary-in-the-Middle at Scale

A Practical Playbook for Blue Teams in Resource-Constrained Environments

Authors

  • Matthew Carter, Tech University

Keywords:

cybersecurity, phishing, MFA fatigue, adversary-in-the-middle, detection engineering, identity telemetry, SIEM, blue team, incident response

Abstract

This study proposes a defender-centric strategy to detect and contain two fast-rising attack patterns, MFA fatigue (repeated push prompts until the user approves one) and Adversary-in-the-Middle (AiTM) phishing (a reverse proxy that relays the login and captures the resulting session token), without relying on expensive tooling. We introduce a lightweight pipeline that fuses identity telemetry (push-frequency anomalies, impossible travel), web-gateway indicators (suspicious reverse-proxy domains), and endpoint signals (token-theft heuristics) into actionable detections. Evaluated across 15 small-to-medium organizations over eight weeks, the approach reduced median time-to-detect by 63% and cut successful account takeovers by 41%. We document failure modes (e.g., noisy travel baselines), give hardening guidance (phishing-resistant MFA, conditional access, token binding), and publish query patterns that can be adapted to common SIEM/XDR platforms. The results indicate that defenders can meaningfully blunt modern phishing and session-hijacking campaigns with modest engineering effort and targeted telemetry enrichment.
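The two identity-telemetry detections named in the abstract, push-frequency anomalies and impossible travel, as an added example written for this page rather than code from the paper or its published query patterns. The log records, field layout, user names, IP addresses, coordinates and thresholds (a 10-minute push window, a 900 km/h travel ceiling) are all constructed assumptions; a real deployment would read the same fields from the identity provider's sign-in and MFA logs and tune the thresholds against its own baseline.

```python
"""Added example (not the paper's code): MFA-fatigue and impossible-travel
detections run over constructed identity-log records."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample telemetry (assumed field layout, not real data):
# user, UTC timestamp, event, result, source IP, latitude, longitude
SAMPLE_LOG = [
    ("alice", "2025-10-01T08:00:00", "mfa_push", "denied",   "198.51.100.7",  51.50,   -0.12),
    ("alice", "2025-10-01T08:00:40", "mfa_push", "denied",   "198.51.100.7",  51.50,   -0.12),
    ("alice", "2025-10-01T08:01:20", "mfa_push", "denied",   "198.51.100.7",  51.50,   -0.12),
    ("alice", "2025-10-01T08:02:05", "mfa_push", "denied",   "198.51.100.7",  51.50,   -0.12),
    ("alice", "2025-10-01T08:03:10", "mfa_push", "approved", "198.51.100.7",  51.50,   -0.12),
    ("alice", "2025-10-01T08:03:30", "signin",   "success",  "198.51.100.7",  51.50,   -0.12),
    ("bob",   "2025-10-01T09:00:00", "signin",   "success",  "203.0.113.5",   40.71,  -74.01),  # New York
    ("bob",   "2025-10-01T09:45:00", "signin",   "success",  "192.0.2.9",     35.68,  139.69),  # Tokyo, 45 min later
    ("carol", "2025-10-01T10:00:00", "mfa_push", "approved", "198.51.100.20", 48.85,    2.35),  # normal single prompt
    ("carol", "2025-10-01T10:00:15", "signin",   "success",  "198.51.100.20", 48.85,    2.35),
    ("dave",  "2025-10-01T11:00:00", "mfa_push", "denied",   "198.51.100.30", 52.52,   13.40),  # denials, never approved
    ("dave",  "2025-10-01T11:00:30", "mfa_push", "denied",   "198.51.100.30", 52.52,   13.40),
]


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    event: str
    result: str
    ip: str
    lat: float
    lon: float


def parse(rows):
    """Turn raw rows into Event objects ordered by user, then time."""
    events = (Event(u, datetime.fromisoformat(t), e, r, ip, la, lo) for u, t, e, r, ip, la, lo in rows)
    return sorted(events, key=lambda ev: (ev.user, ev.ts))


def mfa_fatigue(events, window=timedelta(minutes=10), min_pushes=4, min_denied=2):
    """Flag a user when a burst of push prompts inside `window` holds at least
    `min_denied` denials and ends in an approval: the 'user gave in' pattern.
    Bursts with no final approval are not alerted (they may still merit a ticket)."""
    alerts = []
    pushes_by_user = {}
    for ev in events:
        if ev.event == "mfa_push":
            pushes_by_user.setdefault(ev.user, []).append(ev)
    for user, pushes in pushes_by_user.items():
        for i, approve in enumerate(pushes):
            if approve.result != "approved":
                continue
            burst = [p for p in pushes[: i + 1] if approve.ts - p.ts <= window]
            denied = sum(1 for p in burst if p.result == "denied")
            if len(burst) >= min_pushes and denied >= min_denied:
                alerts.append({"rule": "mfa_fatigue", "user": user, "pushes": len(burst),
                               "denied": denied, "approved_at": approve.ts.isoformat()})
    return alerts


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    earth_radius_km = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive successful sign-ins from different IPs whose implied
    ground speed exceeds `max_kmh` (assumed ceiling, a little above airliner speed)."""
    alerts = []
    last_signin = {}
    for ev in events:
        if ev.event != "signin" or ev.result != "success":
            continue
        prev = last_signin.get(ev.user)
        if prev is not None and prev.ip != ev.ip:
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"rule": "impossible_travel", "user": ev.user, "from_ip": prev.ip,
                               "to_ip": ev.ip, "km": round(km), "speed_kmh": round(speed)})
        last_signin[ev.user] = ev
    return alerts


def run(rows=SAMPLE_LOG):
    """Run both detections over the rows and return the combined alert list."""
    events = parse(rows)
    return mfa_fatigue(events) + impossible_travel(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed data this yields exactly two alerts: alice's five prompts with four denials followed by an approval, and bob's New York to Tokyo sign-ins 45 minutes apart. Carol's single approved prompt and dave's two denials with no approval are deliberately not alerted, which is the trade-off the abstract's "noisy baselines" caveat is about: tighten `min_pushes` or drop the approval requirement and the fatigue rule catches more, but also fires on users who fumble a prompt or two.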

Published

2025-12-08

Section

Articles