
AiTM Phishing Campaign 2026: 35,000-Victim MFA Bypass Threatens SAMA Banks

Microsoft Defender Research uncovered a multi-stage AiTM phishing campaign that hit 35,000 users across 26 countries — financial services was 18% of victims. What SAMA-regulated banks must do today.

FyntraLink Team

Between April 14 and 16, 2026, Microsoft's Defender Research team observed one of the largest Adversary-in-the-Middle (AiTM) phishing waves of the year — over 35,000 users across more than 13,000 organizations in 26 countries were targeted, with financial services accounting for roughly 18% of victims. For SAMA-regulated banks, the campaign is a direct warning that legacy multi-factor authentication is no longer sufficient.

How the AiTM Phishing Campaign Bypasses MFA

Unlike traditional credential harvesting, an AiTM attack inserts a reverse proxy between the victim and the legitimate identity provider — typically Microsoft Entra ID, Okta, or Google. When the user authenticates and approves the MFA prompt, the proxy silently captures both the credentials and the resulting session token. The attacker then replays that token from their own infrastructure, effectively logging in as the victim without needing the second factor again. Open-source kits such as Evilginx, Tycoon2FA, and Mamba2FA have made this technique nearly turnkey, lowering the barrier for opportunistic adversaries.
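The reason a proxied sign-in cannot simply be replayed against a passkey or FIDO2 login is that the relying party checks the origin and RP ID that the browser and authenticator bound into the assertion. The following is an added example (not code from the article, Microsoft, or any bank) of those relying-party checks; the origin `https://login.example-bank.invalid`, the RP ID, the fixed challenge and the proxy hostname are all constructed placeholders, and the signature step of the WebAuthn procedure is omitted so the binding checks stand out.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical relying-party (RP) settings for a bank sign-in page; both values
# are assumptions for this example, not identifiers from the article.
RP_ORIGIN = "https://login.example-bank.invalid"
RP_ID = "login.example-bank.invalid"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_assertion(client_data_b64, authenticator_data, expected_challenge):
    """Run the type, challenge, origin and rpIdHash checks of a WebAuthn
    assertion on the RP side. Returns (ok, reason).

    The signature check (over authenticatorData || SHA-256(clientDataJSON)) is
    omitted to keep the focus on binding: the browser writes the origin it
    actually loaded the page from into clientDataJSON, and the authenticator's
    signature covers that JSON, so a proxy serving the page from its own domain
    cannot rewrite the origin without invalidating the signature.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON is not valid base64url JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    challenge = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    origin = client_data.get("origin")
    if origin != RP_ORIGIN:
        return False, f"origin {origin!r} is not the relying party origin"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash does not match the relying party ID"
    if not authenticator_data[32] & 0x01:  # UP flag: user presence
        return False, "user presence flag not set"
    return True, "ok"


def make_client_data(origin, challenge, ceremony="webauthn.get"):
    """Construct what a browser would place in clientDataJSON (demo data)."""
    payload = {"type": ceremony, "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def make_authenticator_data(rp_id, flags=0x01, counter=1):
    """Construct minimal authenticatorData: rpIdHash || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


CHALLENGE = bytes(range(32))  # constructed fixed challenge; a real RP uses secrets.token_bytes(32)


def demo():
    """Legitimate sign-in versus one relayed through a proxy on another domain."""
    proxy_host = "login-example-bank-secure.invalid"  # constructed look-alike host
    return {
        "legitimate": verify_assertion(make_client_data(RP_ORIGIN, CHALLENGE),
                                       make_authenticator_data(RP_ID), CHALLENGE),
        "proxied": verify_assertion(make_client_data("https://" + proxy_host, CHALLENGE),
                                    make_authenticator_data(proxy_host), CHALLENGE),
        "replayed": verify_assertion(make_client_data(RP_ORIGIN, CHALLENGE),
                                     make_authenticator_data(RP_ID), secrets.token_bytes(32)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:11s} {'accept' if ok else 'reject'}: {reason}")
```

In practice the proxied ceremony fails even earlier, because the browser only lets a page request credentials scoped to its own registrable domain, so the bank's passkey is never offered on the look-alike host; the relying-party checks above are the backstop that rejects anything that does get relayed, and the fresh per-request challenge is what stops a captured assertion from being replayed later.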

Anatomy of the Microsoft-Disclosed Campaign

The campaign used a "code of conduct" lure, sending PDF attachments with filenames like "Awareness Case Log File — Tuesday 14th, April 2026.pdf" containing a "Review Case Materials" link. Victims who clicked were funnelled through a CAPTCHA gate — a deliberate filter to defeat automated email security sandboxes — before landing on a cloned Microsoft 365 sign-in page hosted on the AiTM proxy. Once session tokens were captured, attackers monitored mailboxes for days, learning vendor relationships, payment workflows, and approval chains before executing wire-transfer fraud or invoice manipulation. Healthcare (19%) and financial services (18%) were the top verticals, and 92% of victim accounts were Microsoft 365 tenants.

Impact on Saudi Financial Institutions Under SAMA

The SAMA Cyber Security Framework (CSCC) and the NCA Essential Cybersecurity Controls (ECC-1:2018) both require strong authentication for privileged and remote access — but neither prescribes phishing-resistant MFA explicitly. That gap matters: SMS, push notifications, and TOTP codes are all vulnerable to AiTM token theft. A successful AiTM compromise of a Saudi bank email tenant could trigger reportable incidents under SAMA's Cyber Threat Intelligence Principles, expose customer data under PDPL Article 24, and enable Business Email Compromise fraud against corporate clients. Beyond regulation, the reputational damage of a wire-transfer scam attributed to a CISO's inbox is difficult to recover from.

Practical Recommendations for SAMA-Regulated Banks

  1. Deploy phishing-resistant MFA — FIDO2 hardware keys, Windows Hello for Business, or Microsoft Authenticator passkeys — for all administrators, finance staff, and any user with payment authority. These methods are immune to AiTM token replay because they cryptographically bind the authentication to the legitimate domain.
  2. Enforce conditional access policies that require compliant, managed devices for sensitive applications (Entra ID, SWIFT terminals, core banking portals), and block sign-ins from unfamiliar IP geolocations or risky session signals.
  3. Enable token protection (also called token binding) where supported, so a stolen session cookie cannot be replayed from a different device.
  4. Tune your secure email gateway and endpoint protection to detonate PDFs and follow embedded URLs through CAPTCHA pages — most AiTM campaigns now hide behind a CAPTCHA precisely to evade automated analysis.
  5. Build a detection rule set in your SIEM for impossible-travel events, unusual mailbox forwarding rule creation, and OAuth consent grants to unfamiliar apps — the standard post-AiTM persistence playbook.
  6. Run a tabletop exercise that walks the SOC, fraud, and treasury teams through a simulated AiTM-driven invoice fraud scenario, then map gaps back to SAMA CSCC sub-domains 3.3.5 (Identity & Access Management) and 3.3.10 (Cyber Security Event Management).
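Recommendation 5 lists three post-AiTM signals: impossible travel, new mailbox forwarding rules, and OAuth consent grants to unfamiliar apps. The following is an added example (not code from the article or from Microsoft) of detection logic for all three, run over a handful of constructed records. The field names only loosely follow Entra ID sign-in logs and the Microsoft 365 unified audit log (the inbox-rule parameter names `ForwardTo`, `RedirectTo`, `ForwardAsAttachmentTo` and `DeleteMessage` are real `New-InboxRule` parameters); the users, addresses, coordinates, app ID, allow-list and speed threshold are assumptions for the demo.

```python
import math
from datetime import datetime, timezone

# Constructed, simplified records. The schema is illustrative, not the exact
# Entra ID / unified-audit-log format; adapt the field access to your SIEM.
SIGNIN_EVENTS = [
    {"user": "treasury.ops@bank.example", "time": "2026-04-15T08:02:11Z", "lat": 24.71, "lon": 46.68, "city": "Riyadh"},
    {"user": "treasury.ops@bank.example", "time": "2026-04-15T08:41:05Z", "lat": 52.37, "lon": 4.90, "city": "Amsterdam"},
    {"user": "branch.clerk@bank.example", "time": "2026-04-15T09:00:00Z", "lat": 24.71, "lon": 46.68, "city": "Riyadh"},
    {"user": "branch.clerk@bank.example", "time": "2026-04-15T17:30:00Z", "lat": 21.49, "lon": 39.19, "city": "Jeddah"},
]
AUDIT_EVENTS = [
    {"user": "treasury.ops@bank.example", "time": "2026-04-15T08:43:20Z", "operation": "New-InboxRule",
     "params": {"Name": "RSS Feeds", "ForwardTo": "archive@mail.example.net", "DeleteMessage": "True"}},
    {"user": "branch.clerk@bank.example", "time": "2026-04-15T09:05:00Z", "operation": "New-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "News"}},
    {"user": "treasury.ops@bank.example", "time": "2026-04-15T08:50:00Z", "operation": "Consent to application.",
     "params": {"AppDisplayName": "Mail Sync Helper", "AppId": "00000000-0000-0000-0000-00000000beef",
                "Permissions": "Mail.ReadWrite offline_access"}},
]

INTERNAL_DOMAINS = {"bank.example"}                           # assumption: the tenant's own mail domains
APPROVED_APP_IDS = {"00000000-0000-0000-0000-000000000001"}  # placeholder allow-list of vetted app IDs
MAX_PLAUSIBLE_SPEED_KMH = 900.0                              # roughly airliner speed; tune per environment


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_impossible_travel(events):
    """Flag consecutive sign-ins by one user whose implied speed is implausible."""
    alerts, by_user = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                alerts.append({"rule": "impossible_travel", "user": user, "from": prev["city"],
                               "to": cur["city"], "speed_kmh": round(km / hours)})
    return alerts


def detect_forwarding_rules(events):
    """Flag inbox rules that forward or redirect mail outside the tenant."""
    alerts = []
    for e in events:
        if e["operation"] not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        p = e["params"]
        target = p.get("ForwardTo") or p.get("ForwardAsAttachmentTo") or p.get("RedirectTo")
        if not target:
            continue
        if target.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            alerts.append({"rule": "external_forwarding_rule", "user": e["user"], "target": target,
                           "deletes_copy": p.get("DeleteMessage") == "True"})  # hides the forwarding from the victim
    return alerts


def detect_oauth_consents(events):
    """Flag user consent to any application not on the vetted allow-list."""
    alerts = []
    for e in events:
        if e["operation"] != "Consent to application.":
            continue
        p = e["params"]
        if p.get("AppId") not in APPROVED_APP_IDS:
            alerts.append({"rule": "unapproved_oauth_consent", "user": e["user"],
                           "app": p.get("AppDisplayName"), "permissions": p.get("Permissions")})
    return alerts


def run_all():
    return (detect_impossible_travel(SIGNIN_EVENTS)
            + detect_forwarding_rules(AUDIT_EVENTS)
            + detect_oauth_consents(AUDIT_EVENTS))


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

On the constructed data all three rules fire for the same account within an hour of the suspicious sign-in, which is the correlation worth building into the SIEM: any one signal alone has benign explanations (a VPN exit, a legitimate archive rule, a sanctioned add-in), but a user who appears in two or more of these alerts shortly after an anomalous session is the post-AiTM pattern the article describes and should trigger session revocation and a mailbox review.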

Conclusion

AiTM is no longer a fringe technique — it is the dominant method for compromising MFA-protected cloud identities, and Microsoft's April disclosure shows financial services is squarely in scope. SAMA-regulated banks that still rely on SMS or push-based MFA for privileged users are operating with a known, exploitable weakness. The remediation is well understood: phishing-resistant MFA, hardened conditional access, and proactive token-theft detection. The institutions that move first will find themselves quietly removed from the target list as attackers pivot to easier prey.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment that maps your current authentication and identity controls against CSCC, NCA ECC, and PDPL requirements — and identifies the fastest path to phishing-resistant MFA.