AiTM & Reverse Proxy Protection

Detecting sophisticated attacks that intercept your session tokens to bypass Multi-Factor Authentication (MFA).

Visual Button Detection

We detect Microsoft-style login buttons (specific blue color #0067b8 with white text) on non-Microsoft domains, a common indicator of AiTM phishing pages.

Domain Verification

We verify that the page is not on a legitimate Microsoft domain before triggering alerts, preventing false positives.

Pattern Matching

We look for specific text patterns like "sign" and "next" in button text, combined with Microsoft-style visual design, to identify lookalike pages.

What is an AiTM Attack?

Adversary-in-the-Middle (AiTM) is a technique where an attacker sits between you and the real website. When you enter your password and 2FA code, the attacker forwards them to the real site, logs you in, and then steals the Session Cookie that proves you are logged in.

This allows hackers to bypass MFA/2FA completely because they don't need to crack your password—they just steal your active session.

Tozetta Defense Strategy

Tozetta detects AiTM phishing pages by analyzing visual elements that attackers use to mimic Microsoft login pages:

  • Color Pattern Detection
    We detect the exact Microsoft blue button color (#0067b8) with white text, which is commonly used in AiTM phishing pages to trick users.
  • Text Pattern Analysis
    We look for specific button text patterns like "sign" and "next" that are commonly found in Microsoft login flows.
  • Domain Whitelist Check
    We verify that the page is not on a legitimate Microsoft domain (microsoft.com, microsoftonline.com, etc.) before triggering alerts.